Hi guys, I’m quite new to Openfire and I’ve been trying to get it to work with my AD via SSO and am not getting anywhere. I’ve read through a number of posts and tried so many things but still no luck. Not really sure where I’ve gone wrong. I should mention that it works fine without SSO.
My build is a 2008R2 server and domain functional level.
I followed these posts:
https://community.igniterealtime.org/docs/DOC-1060
https://community.igniterealtime.org/docs/DOC-1362
https://community.igniterealtime.org/docs/DOC-2706
The contents of gss.conf:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="HCS.LOCAL"
        principal="xmpp/hcsiis.hcs.local@HCS.LOCAL"
        debug=true;
};
The contents of krb5.ini:
[libdefaults]
    default_realm = HCS.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    HCS.LOCAL = {
        kdc = hcsdc1.hcs.local
        admin_server = hcsdc1.hcs.local
        default_domain = hcs.local
    }
[domain_realm]
    hcs.local = HCS.LOCAL
    .hcs.local = HCS.LOCAL
Contents of openfire.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  This file stores bootstrap properties needed by Openfire.
  Property names must be in the format: "prop.name.is.blah=value"
  That will be stored as:
    <prop>
      <name>
        <is>
          <blah>value</blah>
        </is>
      </name>
    </prop>
  Most properties are stored in the Openfire database. A property
  viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <locale>en</locale>
  <!-- Network settings. By default, Openfire will bind to all network interfaces.
       Alternatively, you can specify a specific network interface that the server
       will listen on. For example, 127.0.0.1. This setting is generally only
       useful on multi-homed servers. -->
  <!--
  <network>
    <interface></interface>
  </network>
  -->
  <connectionProvider>
    <className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
  </connectionProvider>
  <setup>true</setup>
  <!-- sasl configuration -->
  <sasl>
    <!-- Set this to your Kerberos realm name, which is usually your AD domain name in all caps. -->
    <realm>HCS.LOCAL</realm>
    <gssapi>
      <!-- You can set this to false once you have everything working. -->
      <!-- Set this to the location of your gss.conf file created earlier -->
      <!-- "/" is used in the path here, not "\", even though this is on Windows. -->
    </gssapi>
  </sasl>
  <authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
  </authorization>
</jive>
When I test the keytab using:
kinit -k -t xmpp.keytab xmpp/hcsiis.hcs.local@HCS.LOCAL password
Nothing happens, which apparently is what’s meant to happen – so I assume it’s ok?
When I try "kinit xmpp-openfire@hcs.local" I get the below (which doesn’t look quite right):
C:\Program Files (x86)\Java\jre7\bin>kinit xmpp-openfire@HCS.LOCAL
Password for xmpp-openfire@HCS.LOCAL:
Exception: krb_error 0 Checksum failed No error
KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
        at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
        at sun.security.krb5.KrbAsRep.decrypt(Unknown Source)
        at sun.security.krb5.KrbAsRep.decryptUsingPassword(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.resolve(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
        at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
        ... 9 more
Needless to say I’m at a bit of a loss. Any help would really be appreciated.
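The setup in the post depends on xmpp.keytab holding the principal named in gss.conf with a key whose enctype is in the krb5.ini permitted_enctypes list. The following is an added diagnostic, not code from the post or from Openfire: it parses a version-2 keytab and reports those two mismatches without printing key material. The keytab bytes, the all-zero key and the kvno are constructed here for the demo; point `parse_keytab` at the real file's bytes to check it.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(buf, pos):                       # counted_octet_string: uint16 length + bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return (principal, enctype name, kvno) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        _key, pos = _cstr(data, pos + 11)  # key bytes are skipped over, never reported
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), ENCTYPES.get(etype, str(etype)), kvno))
        pos = end
    return entries

def check_keytab(data, principal, permitted):
    """Return a problem string, or None when the keytab matches the Kerberos configuration."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e[0] == principal]
    if not mine:
        return "%s not in keytab; it holds %s" % (principal, sorted({e[0] for e in entries}))
    if not any(e[1] in permitted for e in mine):
        return "no key for %s uses a permitted enctype; it has %s" % (principal, [e[1] for e in mine])
    return None

def make_entry(principal, etype, kvno, key):   # encodes one entry; used here only to build the sample
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample: the post's service principal with an rc4-hmac key (all-zero placeholder), kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + make_entry("xmpp/hcsiis.hcs.local@HCS.LOCAL", 23, 3, b"\x00" * 16)
PERMITTED = ["rc4-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"]  # permitted_enctypes in krb5.ini
```

A keytab that parses cleanly but returns a problem here explains a GSSAPI accept failure without touching the KDC; a keytab that passes shifts suspicion to the account's password or kvno on the domain side.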