I'm trying to get SSO integration working for one of our clients at the moment and have been following https://community.igniterealtime.org/docs/DOC-2585, trying to set up SSO, but I'm not having a lot of luck so far.
The OpenFire server is on a server running Windows Server 2008 R2 SP1. The domain controller is on Windows Server 2008 SP1. So far, I've successfully run the following steps:-
- on the print server, I've modified local policy to allow all Kerberos encryption types except DES_CBC_CRC
- I've confirmed there is a PTR record in the reverse lookup pointing to the correct server
- I've created an xmpp-user, setting it so the password can't be changed, it never expires, to use Kerberos DES encryption and not to require Kerberos preauthentication
- The following commands have been run on the domain controller:-
- setspn -A xmpp/lttnsydprt.TitanWheel.locall@TITANWHEEL.LOCAL xmpp-user
- ktpass -princ xmpp/lttnsydprt.TitanWheel.locall@TITANWHEEL.LOCAL -mapuser xmpp-user@TitanWheel.local -pass * --ptype KRB5_NT_PRINCIPAL (and entered the password for this account)
- krb5.ini has been created as follows and placed in C:\Windows and C:\:- (I've seen more than one place suggest krb5.ini should be in the root directory, so I'm covering all bases)
[libdefaults]
default_realm = TitanWheel.local
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5
[realms]
TitanWheel.local = {
kdc = ttnsydfs.TitanWheel.local
admin_server = ttnsydfs.TitanWheel.local
default_domain = TitanWheel.local
}
[domain_realms]
TitanWheel.local = TitanWheel.local
.TitanWheel.local = TitanWheel.local
- Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTGTSessionKey has been created with a DWORD value of 0x1
- Created the keytab file by running ktab -k xmpp.keytab -a xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL and entered the password
However, when I try and test the keyfile, I get the following output:-
C:\Program Files (x86)\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp\ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL RCsTD0HiKX9L
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more
I've also tried generating the keytab using ktpass -princ xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL -mapuser xmpp-user@TitanWheel.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab, and get exactly the same error message as above.
I've tried proceeding beyond this to configure OpenFire anyway with the keytab file, but somewhat unsurprisingly, SSO isn't working.
Can anyone shed some light on where I might be going wrong here?
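When a keytab-based kinit fails with "Client not found in Kerberos database", the first thing worth verifying is what principal the keytab actually contains and whether that exact principal is registered as an SPN in AD (host spelling, service name and realm all have to agree). The script below is an added example, not part of the original post or of Openfire: it parses the MIT 0x0502 keytab format that ktab and ktpass write, lists each entry's principal, enctype and kvno without ever printing key material, and compares the principals against a list of SPN strings of the kind setspn -L prints. The keytab bytes and the SPN list are constructed here from the names used in the post purely so the example runs offline; on a real server you would read xmpp.keytab from disk and paste the setspn output.

```python
"""Inspect an MIT-format keytab and compare its principals with AD SPNs.

Added example (not from the original post). The keytab bytes and the SPN
list are constructed fixtures; swap in open("xmpp.keytab","rb").read() and
the output of `setspn -L <account>` to check a real deployment.
"""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers relevant to a Windows KDC
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 == KRB5_NT_PRINCIPAL
    kvno: int
    enctype: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a 16-bit-length-prefixed octet string at off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Parse keytab version 0x0502 into KeytabEntry objects (keys discarded)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        off += klen                       # skip the key material itself
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}", name_type, kvno, enctype))
    return entries


def check_against_spns(entries, spns, default_realm: str):
    """Return a message for every keytab principal that has no matching SPN.

    Host part is compared case-insensitively, realm is upper-cased, mirroring
    how AD and the MIT/Java Kerberos libraries treat names.
    """
    def norm(p: str):
        name, _, realm = p.partition("@")
        return name.lower(), (realm or default_realm).upper()
    registered = {norm(s) for s in spns}
    return [f"{e.principal}: no matching SPN registered"
            for e in entries if norm(e.principal) not in registered]


def build_keytab(principal: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Constructed fixture writer: one entry in 0x0502 format (test data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample: the principal ktab was given, rc4-hmac, kvno 3, dummy key.
SAMPLE_KEYTAB = build_keytab("xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL", 23, 3, b"\x00" * 16)
# Constructed SPN list in setspn -L style, using the spelling from the setspn command in the post.
SAMPLE_SPNS = ["xmpp/lttnsydprt.TitanWheel.locall", "HOST/ttnsydprt.TitanWheel.local"]


def report(keytab: bytes = SAMPLE_KEYTAB, spns=SAMPLE_SPNS, realm: str = "TITANWHEEL.LOCAL"):
    entries = parse_keytab(keytab)
    listing = [(e.principal, e.enctype_name, e.kvno) for e in entries]
    return listing, check_against_spns(entries, spns, realm)


if __name__ == "__main__":
    listing, problems = report()
    for principal, enc, kvno in listing:
        print(f"{principal}  {enc}  kvno={kvno}")
    for p in problems:
        print("MISMATCH:", p)
```

Besides spelling mismatches, the listing makes two other common failure causes visible: an enctype in the keytab that the account or the KDC policy does not allow, and a kvno that no longer matches AD because the account password was reset after the keytab was created.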