Hi,
I have been fighting with this for weeks and have lost literally close to 100 hours trying to work out what's wrong with my SSO setup.
Openfire server:
Ubuntu 14.04.2 LTS
Openfire 3.10.3
Java 8
Hostname: SRV-Openfire
IP: 10.0.0.5
LDAP auth set up against AD
Domain config:
KDC/Auth is Windows 2008 R2 Active Directory
Domain and internal DNS: INT.LOCAL
User Domain: INT.LOCAL
User Email: EXTERNAL.COM.AU
Workstation:
Windows 10
Java 8
Spark 2.7.3
DNS settings:
A record in INT.LOCAL for SRV-Openfire to 10.0.0.5
SRV record in INT.LOCAL for _kerberos._udp to AD DC
TXT record in INT.LOCAL for _kerberos to INT.LOCAL
A record in EXTERNAL.COM.AU for im to 10.0.0.5
SRV record in EXTERNAL.COM.AU for _xmpp-client._tcp to im.external.com.au
SRV record in EXTERNAL.COM.AU for _jabber._tcp to im.external.com.au
SRV record in EXTERNAL.COM.AU for _kerberos._udp to AD DC
TXT record in EXTERNAL.COM.AU for _kerberos to INT.LOCAL
Openfire SSO config is as per: SSO Configuration
KDC / keytab setup:
setspn -A xmpp/im.external.com.au@INT.LOCAL openfire-usr
ktpass -princ xmpp/im.external.com.au@INT.LOCAL -mapuser openfire-user@int.local -pass * -ptype KRB5_NT_PRINCIPAL
ktab -k xmpp.keytab -a xmpp/im.external.com.au@INT.LOCAL
- keytab copied to /etc/openfire/xmpp.keytab on the Openfire server
gss.conf:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/etc/openfire/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="INT.LOCAL"
    principal="xmpp/im.external.com.au@INT.LOCAL"
    debug=true;
};
Openfire system properties added:
sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm INT.LOCAL
xmpp.fqdn im.external.com.au
Workstation registry change:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
When I launch Spark and set it to use SSO with DNS, I see the warning "Spark is unable to find the principal to use for Single Sign-On. This will prevent SSO from working".
From the main window, the username is filled in correctly. When I click the arrow beside the username I get "username@external.com.au"; when I click that, the server is filled with "external.com.au" and the account text is "Unable to determine".
I'm really not sure where I have gone wrong.
Our users are on the INT.LOCAL domain, but we want their accounts to work with Openfire using their email address, which currently works if we manually log in with a username/password and set it to auto-detect the server via DNS.
Any help would be much appreciated.
Dan
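The server-side pieces of a GSSAPI setup like the one above have to agree with each other in several places at once: the SPN that setspn registers, the principal that ktpass maps and ktab adds to the keytab, the principal and realm in the JAAS accept entry, and Openfire's sasl.realm and xmpp.fqdn. The following script is an added example (editor's code, not Dan's and not part of Openfire) that takes the commands, gss.conf and properties quoted in the post as constructed input and checks them for consistency. On the post's own values it reports one finding: the setspn line registers the SPN on openfire-usr while the ktpass line maps the principal to openfire-user, and the keytab only works if the account that owns the SPN is the same account whose key is in the keytab. The parsing is intentionally limited to the command shapes shown in the post.

```python
"""Consistency check for the Kerberos/GSSAPI pieces an Openfire SSO setup
depends on. Added example, not code from the original post or from Openfire.
Inputs below are copied from the post and are only used as sample data."""
import re

# Constructed inputs: the commands, gss.conf and Openfire properties from the post.
SETSPN_CMD = "setspn -A xmpp/im.external.com.au@INT.LOCAL openfire-usr"
KTPASS_CMD = ("ktpass -princ xmpp/im.external.com.au@INT.LOCAL "
              "-mapuser openfire-user@int.local -pass * -ptype KRB5_NT_PRINCIPAL")
KTAB_CMD = "ktab -k xmpp.keytab -a xmpp/im.external.com.au@INT.LOCAL"
GSS_CONF = """com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/etc/openfire/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="INT.LOCAL"
    principal="xmpp/im.external.com.au@INT.LOCAL"
    debug=true;
};"""
OPENFIRE_PROPS = {"sasl.realm": "INT.LOCAL", "xmpp.fqdn": "im.external.com.au"}

# service/host@REALM; only the shape used in the post, not full Kerberos syntax.
PRINC_RE = re.compile(r"([A-Za-z0-9._-]+)/([A-Za-z0-9.-]+)@([A-Za-z0-9.-]+)")


def parse_principal(text):
    """Return (service, host, realm) for the first service principal in text.
    Hostnames are case-insensitive, realms are not, so only the host is lowered."""
    m = PRINC_RE.search(text)
    if not m:
        raise ValueError("no service principal in %r" % text)
    service, host, realm = m.groups()
    return service, host.lower(), realm


def fmt_principal(p):
    return "%s/%s@%s" % p


def parse_jaas_options(conf):
    """Return the key=value options of a JAAS login entry as a dict, quotes stripped."""
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', conf)}


def setspn_account(cmd):
    """Account that 'setspn -A <spn> <account>' registers the SPN on."""
    m = re.search(r"-[AaSs]\s+\S+\s+(\S+)", cmd)
    if not m:
        raise ValueError("unrecognised setspn command %r" % cmd)
    return m.group(1).lower()


def ktpass_account(cmd):
    """Account that 'ktpass ... -mapuser <user>[@realm]' maps the principal to."""
    m = re.search(r"-mapuser\s+(\S+)", cmd, re.IGNORECASE)
    if not m:
        raise ValueError("ktpass command has no -mapuser")
    return m.group(1).split("@")[0].lower()


def check_sso_config(setspn_cmd, ktpass_cmd, ktab_cmd, gss_conf, props):
    """Return a list of findings; an empty list means every piece agrees."""
    findings = []
    spn = parse_principal(setspn_cmd)
    opts = parse_jaas_options(gss_conf)

    # 1. One service principal everywhere: SPN, ktpass -princ, ktab -a, JAAS principal.
    for label, text in (("ktpass -princ", ktpass_cmd), ("ktab -a", ktab_cmd),
                        ("gss.conf principal", opts.get("principal", ""))):
        p = parse_principal(text)
        if p != spn:
            findings.append("%s is %s but setspn registered %s"
                            % (label, fmt_principal(p), fmt_principal(spn)))

    # 2. Realm: JAAS realm and Openfire sasl.realm must be the SPN's realm.
    for label, realm in (("gss.conf realm", opts.get("realm")),
                         ("sasl.realm", props.get("sasl.realm"))):
        if realm != spn[2]:
            findings.append("%s is %r but the SPN realm is %r" % (label, realm, spn[2]))

    # 3. xmpp.fqdn must be the host part of the SPN clients will request.
    fqdn = (props.get("xmpp.fqdn") or "").lower()
    if fqdn != spn[1]:
        findings.append("xmpp.fqdn %r does not match SPN host %r" % (fqdn, spn[1]))

    # 4. The keytab must hold the key of the very account that owns the SPN:
    #    tickets are encrypted with the SPN owner's key, the keytab has the mapped account's.
    spn_owner, key_owner = setspn_account(setspn_cmd), ktpass_account(ktpass_cmd)
    if spn_owner != key_owner:
        findings.append("setspn put the SPN on account %r but ktpass keyed account %r"
                        % (spn_owner, key_owner))

    # 5. The accept entry must actually read and keep the keytab key.
    for opt in ("useKeyTab", "storeKey"):
        if opts.get(opt) != "true":
            findings.append("gss.conf %s should be true" % opt)
    return findings


if __name__ == "__main__":
    result = check_sso_config(SETSPN_CMD, KTPASS_CMD, KTAB_CMD, GSS_CONF, OPENFIRE_PROPS)
    for line in result or ["all pieces agree"]:
        print(line)
```

This covers only the server side. The Spark warning about not finding a principal is a client-side symptom (the workstation has to map im.external.com.au to the INT.LOCAL realm and obtain a ticket for the SPN), which the script does not check. One caveat on the keytab step itself: ktab -a derives the key from a password typed at the prompt, so it only matches what the KDC holds if that password is the one ktpass set; writing the keytab with ktpass -out on the domain controller avoids that second source of mismatch.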