In addition to googling for a couple weeks and going through the other SSO forum posts, here's some of what I've been following to get this off the ground:
http://community.igniterealtime.org/docs/DOC-1102
http://community.igniterealtime.org/docs/DOC-1060
http://community.igniterealtime.org/thread/26839
I'm not even close to being an expert on this subject. I do have past experience successfully setting up a Windows clients >> Linux server >> Windows AD/DC SSO system but that was doing AD Kerberos SSO through the web browser for an internal trouble ticket website and did not use Java.
My setup:
-OpenFire 3.7.0 server running on CentOS 5.6 x64
-Authenticating via Kerberos against AD domain at Win2k3 level
-KDC is Win2K8R2 domain controller
-Spark 3.6.0 running on Windows XP SP3 clients
-Server Java:
[root@chat]# java -version
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
-Client has Java 6 u 24 as well
-Spark is able to sign in against active directory accounts without a problem when credentials are manually entered. All functions seem to be working fine except SSO.
-Same error seen on all attempts on multiple computers and multiple accounts:
"Unable to connect using Single Sign-on. Please check your principal and server settings."
Steps I've taken:
on KDC >> AD >> create new user "openfire.xmpp"
Enable the account options "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication" on the Account
setspn -A xmpp/chat.mydomain.com@MYDOMAIN.COM openfire.xmpp
Registering ServicePrincipalNames for CN=OPENFIRE XMPP,CN=Users,DC=mydomain,DC=com
xmpp/chat.mydomain.com@MYDOMAIN.COM
Updated object
ktpass -princ xmpp/chat.mydomain.com@MYDOMAIN.COM -mapuser openfire.xmpp@mydomain.com -pass PASSWD -ptype KRB5_NT_PRINCIPAL out xmpp.keytab
Targeting domain controller: myDC.mydomain.com
Successfully mapped xmpp/chat.mydomain.com to openfire.xmpp.
Password succesfully set!
Key created.
Output keytab to xmpp.keytab:
Keytab version: 0x502
keysize 64 xmpp/chat.mydomain.com@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype
0x17 (RC4-HMAC) keylength 16 (0x8748126ddcdb9fae00e7695759545503)
-copied xmpp.keytab over to the linux OpenFire server into /opt/openfire/resources/
-/opt/openfire/conf/gss.conf contents:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab=/opt/openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="MYDOMAIN.COM"
principal="xmpp/chat.mydomain.com@MYDOMAIN.COM"
debug=true
};
/opt/openfire/conf/openfire.xml:
<jive>
<adminConsole>
<port>9090</port>
<securePort>9091</securePort>
</adminConsole>
<locale>en</locale>
<network>
<interface></interface>
</network>
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://chat.mydomain.com:3306/openfire</serverURL>
<username>root</username>
<password>PASSWD</password>
<testSQL>select 1</testSQL>
<testBeforeUse>true</testBeforeUse>
<testAfterUse>true</testAfterUse>
<minConnections>5</minConnections>
<maxConnections>25</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<setup>true</setup>
<sasl>
<mechs>GSSAPI</mechs>
<realm>MYDOMAIN.COM</realm>
<gssapi>
<debug>true</debug>
<config>/opt/openfire/conf/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
</jive>
Not 100% sure this is even needed on the windows clients, but here's c:\windows\krb5.ini on the Windows client and the same is in /etc/krb5.conf on the Linux OpenFire server:
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mydc.mydomain.com
kdc = mydc2.mydomain.com
admin_server = mydc.mydomain.com
default_domain = mydomain.com
}
[domain_realms]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
from OpenFire server:
[root@chat openfire]# kinit openfire.xmpp
Password for openfire.xmpp@MYDOMAIN.COM:
[root@chat openfire]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: openfire.xmpp@MYDOMAIN.COM
Valid starting Expires Service principal
05/23/11 14:32:24 05/24/11 00:34:04 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 05/24/11 14:32:24
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
set the following reg key on client and rebooted:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
-enable SSO in client options and it automatically fills in the correct username/servername but we get "Unable to connect using Single Sign-on. Please check your principal and server settings." after trying login
-disable SSO in client and try to auth manually using AD credentials and it logs in successfully
-verified it is actually auth'ing correctly against AD by trying a bad password and watching it give username/password failure message.
-In Spark SSO tab under advanced connection preferences I have tried file, dns, or manually setting options with same result
-nothing is actually showing up in /opt/openfire/logs/debug.log but the following appears in /opt/openfire/logs/warn.log on every failed SSO login attempt and only on the SSO attempts:
2011.05.23 14:07:17 Closing connection due to error while processing message: <auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">[base64 GSSAPI token removed]</auth>
java.lang.SecurityException: Configuration Error:
Line 5: expected [option key]
at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at javax.security.auth.login.Configuration$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.LoginConfigImpl.<init>(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:251)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:169)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: Configuration Error:
Line 5: expected [option key]
at com.sun.security.auth.login.ConfigFile.match(Unknown Source)
at com.sun.security.auth.login.ConfigFile.parseLoginEntry(Unknown Source)
at com.sun.security.auth.login.ConfigFile.readConfig(Unknown Source)
at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
... 49 more
The user post at http://community.igniterealtime.org/thread/33330 seems to have had similar errors as above with no solution posted.
In Spark debug window we see the following:
Smack Info:
Installed IQ Providers:
org.jivesoftware.phone.client.action.PhoneActionIQProvider
org.jivesoftware.smack.provider.PrivacyProvider
org.jivesoftware.smackx.PrivateDataManager$PrivateDataIQProvider
org.jivesoftware.smackx.bytestreams.ibb.provider.CloseIQProvider
org.jivesoftware.smackx.bytestreams.ibb.provider.DataPacketProvider
org.jivesoftware.smackx.bytestreams.ibb.provider.OpenIQProvider
org.jivesoftware.smackx.bytestreams.socks5.provider.BytestreamsProvider
org.jivesoftware.smackx.packet.LastActivity$Provider
org.jivesoftware.smackx.packet.OfflineMessageRequest$Provider
org.jivesoftware.smackx.packet.SharedGroupsInfo$Provider
org.jivesoftware.smackx.packet.Time
org.jivesoftware.smackx.packet.Version
org.jivesoftware.smackx.provider.AdHocCommandDataProvider
org.jivesoftware.smackx.provider.DiscoverInfoProvider
org.jivesoftware.smackx.provider.DiscoverItemsProvider
org.jivesoftware.smackx.provider.MUCAdminProvider
org.jivesoftware.smackx.provider.MUCOwnerProvider
org.jivesoftware.smackx.provider.StreamInitiationProvider
org.jivesoftware.smackx.provider.VCardProvider
org.jivesoftware.smackx.pubsub.provider.PubSubProvider
org.jivesoftware.smackx.pubsub.provider.PubSubProvider
org.jivesoftware.smackx.search.UserSearch$Provider
org.jivesoftware.smackx.workgroup.ext.forms.WorkgroupForm$InternalProvider
org.jivesoftware.smackx.workgroup.ext.history.AgentChatHistory$InternalProvider
org.jivesoftware.smackx.workgroup.ext.history.ChatMetadata$Provider
org.jivesoftware.smackx.workgroup.ext.macros.Macros$InternalProvider
org.jivesoftware.smackx.workgroup.ext.notes.ChatNotes$Provider
org.jivesoftware.smackx.workgroup.packet.AgentInfo$Provider
org.jivesoftware.smackx.workgroup.packet.AgentStatusRequest$Provider
org.jivesoftware.smackx.workgroup.packet.AgentWorkgroups$Provider
org.jivesoftware.smackx.workgroup.packet.MonitorPacket$InternalProvider
org.jivesoftware.smackx.workgroup.packet.OccupantsInfo$Provider
org.jivesoftware.smackx.workgroup.packet.OfferRequestProvider
org.jivesoftware.smackx.workgroup.packet.OfferRevokeProvider
org.jivesoftware.smackx.workgroup.packet.TranscriptProvider
org.jivesoftware.smackx.workgroup.packet.TranscriptSearch$Provider
org.jivesoftware.smackx.workgroup.packet.TranscriptsProvider
org.jivesoftware.smackx.workgroup.settings.ChatSettings$InternalProvider
org.jivesoftware.smackx.workgroup.settings.GenericSettings$InternalProvider
org.jivesoftware.smackx.workgroup.settings.OfflineSettings$InternalProvider
org.jivesoftware.smackx.workgroup.settings.SearchSettings$InternalProvider
org.jivesoftware.smackx.workgroup.settings.SoundSettings$InternalProvider
org.jivesoftware.smackx.workgroup.settings.WorkgroupProperties$InternalProvider
Installed Extension Providers:
org.jivesoftware.phone.client.event.PhoneEventPacketExtensionProvider
org.jivesoftware.smackx.GroupChatInvitation$Provider
org.jivesoftware.smackx.bytestreams.ibb.provider.DataPacketProvider
org.jivesoftware.smackx.packet.AttentionExtension$Provider
org.jivesoftware.smackx.packet.ChatStateExtension$Provider
org.jivesoftware.smackx.packet.ChatStateExtension$Provider
org.jivesoftware.smackx.packet.ChatStateExtension$Provider
org.jivesoftware.smackx.packet.ChatStateExtension$Provider
org.jivesoftware.smackx.packet.ChatStateExtension$Provider
org.jivesoftware.smackx.packet.Nick$Provider
org.jivesoftware.smackx.packet.OfflineMessageInfo$Provider
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadActionError
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadLocaleError
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadPayloadError
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadSessionIDError
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$MalformedActionError
org.jivesoftware.smackx.provider.AdHocCommandDataProvider$SessionExpiredError
org.jivesoftware.smackx.provider.DataFormProvider
org.jivesoftware.smackx.provider.DelayInfoProvider
org.jivesoftware.smackx.provider.DelayInformationProvider
org.jivesoftware.smackx.provider.HeaderProvider
org.jivesoftware.smackx.provider.HeadersProvider
org.jivesoftware.smackx.provider.MUCUserProvider
org.jivesoftware.smackx.provider.MessageEventProvider
org.jivesoftware.smackx.provider.MultipleAddressesProvider
org.jivesoftware.smackx.provider.RosterExchangeProvider
org.jivesoftware.smackx.provider.XHTMLExtensionProvider
org.jivesoftware.smackx.pubsub.provider.AffiliationProvider
org.jivesoftware.smackx.pubsub.provider.AffiliationsProvider
org.jivesoftware.smackx.pubsub.provider.ConfigEventProvider
org.jivesoftware.smackx.pubsub.provider.EventProvider
org.jivesoftware.smackx.pubsub.provider.FormNodeProvider
org.jivesoftware.smackx.pubsub.provider.FormNodeProvider
org.jivesoftware.smackx.pubsub.provider.FormNodeProvider
org.jivesoftware.smackx.pubsub.provider.FormNodeProvider
org.jivesoftware.smackx.pubsub.provider.ItemProvider
org.jivesoftware.smackx.pubsub.provider.ItemProvider
org.jivesoftware.smackx.pubsub.provider.ItemsProvider
org.jivesoftware.smackx.pubsub.provider.ItemsProvider
org.jivesoftware.smackx.pubsub.provider.RetractEventProvider
org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider
org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider
org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider
org.jivesoftware.smackx.pubsub.provider.SubscriptionProvider
org.jivesoftware.smackx.pubsub.provider.SubscriptionsProvider
org.jivesoftware.smackx.workgroup.packet.AgentStatus$Provider
org.jivesoftware.smackx.workgroup.packet.MetaDataProvider
org.jivesoftware.smackx.workgroup.packet.QueueDetails$Provider
org.jivesoftware.smackx.workgroup.packet.QueueOverview$Provider
org.jivesoftware.smackx.workgroup.packet.QueueUpdate$Provider
org.jivesoftware.smackx.workgroup.packet.RoomInvitation$Provider
org.jivesoftware.smackx.workgroup.packet.RoomTransfer$Provider
org.jivesoftware.smackx.workgroup.packet.SessionID$Provider
org.jivesoftware.smackx.workgroup.packet.UserID$Provider
org.jivesoftware.smackx.workgroup.packet.WorkgroupInformation$Provider
Connection_1:
Raw Sent Packets:
<stream:stream to="chat.mydomain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="chat.mydomain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">[base64 GSSAPI token removed]</auth>
<presence id="euxhE-0" type="unavailable"></presence>
</stream:stream>
Raw Received Packets:
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="chat.mydomain.com" id="fb0d09c4" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="chat.mydomain.com" id="fb0d09c4" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
</stream:stream>
To sum up: Openfire works, Spark works, Authentication via AD works, SSO does not work. What am I doing wrong?
Thanks in advance!
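
A lint for the gss.conf shown in the post, as an added example that is not part of the original post and is not Openfire or JDK code. It walks the JAAS login-configuration grammar (`name { module flag options; };`) and returns line-numbered findings; the rule that any value other than a plain word must be fully double-quoted is a conservative assumption, and both sample configs are constructed from the post's values.

```python
import re

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*"?)+')  # a quote left open runs to end of line
BARE = re.compile(r'[A-Za-z0-9_$-]+')         # assumed safe without quotes
QUOTED = re.compile(r'"[^"]*"')               # fully double-quoted value


def lint_jaas(text):
    """Return [(line_number, message)] for problems in a JAAS login config."""
    findings, state = [], "entry"
    for num, raw in enumerate(text.splitlines(), start=1):
        if raw.strip().startswith("//"):
            continue
        for tok in TOKEN.findall(raw):
            if state == "entry":              # entry name, then "{"
                if tok == "{":
                    state = "module"
            elif tok in ("}", "};"):
                if state == "options":
                    findings.append((num, "module options not terminated with ';' before '}'"))
                state = "entry"
            elif state == "module":           # login module class name
                state = "flag"
            elif state == "flag":
                if tok not in CONTROL_FLAGS:
                    findings.append((num, f"unknown control flag {tok!r}"))
                state = "options"
            else:                             # key=value options, last one ends with ';'
                done = tok.endswith(";")
                key, eq, value = tok.rstrip(";").partition("=")
                if tok != ";" and not (key and eq):
                    findings.append((num, f"expected key=value, got {tok!r}"))
                elif tok != ";" and not (BARE.fullmatch(value) or QUOTED.fullmatch(value)):
                    findings.append((num, f"option {key!r}: value must be fully double-quoted"))
                if done:
                    state = "module"
    return findings


# Constructed copy of the gss.conf from the post, one token per line as shown there.
POSTED = """\
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab=/opt/openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="MYDOMAIN.COM"
principal="xmpp/chat.mydomain.com@MYDOMAIN.COM"
debug=true
};
"""

# Constructed variant: keyTab quoted on both sides, options closed with ';'.
QUOTED_AND_TERMINATED = POSTED.replace(
    'keyTab=/opt/openfire/resources/xmpp.keytab"',
    'keyTab="/opt/openfire/resources/xmpp.keytab"',
).replace("debug=true\n", "debug=true;\n")

if __name__ == "__main__":
    for num, msg in lint_jaas(POSTED):
        print(f"gss.conf line {num}: {msg}")
```
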