SSO / Single Sign On (Windows)


sfb (15 posts since Jul 19, 2006)
I've tried SSO before, spending hours in the evening for several days, and got nowhere.
It was tremendously frustrating and I left it. It's been nagging at me ever since and I came
back to it yesterday with renewed determination.

I've just got it working and want to write some thoughts down while they're still fresh in
my mind. I know these are rather haphazard, but I hope they are of use to someone. If
I can clarify anything or answer any questions, please ask sooner rather than later.

SSO Configuration is a very good guide. If I'd found it
and followed it first, it might have worked first time.

This setup is Server 2003 (Openfire on the domain controller), Vista client, Latest Openfire
(3.5), latest Spark (2.5.8).

Generated by Jive SBS on 2010-07-01Z
For a while I was confused about naming, as a lot of the examples are in the form
EXAMPLE.COM and SERVER.EXAMPLE.COM, but we run a domain with a subdomain,
SITE.EXAMPLE.COM, and a server of SERVER.SITE.EXAMPLE.COM. I wondered if I ought
to leave out the SITE. part; the answer is no, I should keep it: in the krb5.ini file, in the
ktpass command, everywhere.

Speaking of this, my server-side KRB5.ini looks like this (the kdc and admin_server
hostnames are left blank here):

    [libdefaults]
        default_realm = SITE.EXAMPLE.COM

    [realms]
        SITE.EXAMPLE.COM = {
            kdc =
            admin_server =
            default_domain = SITE.EXAMPLE.COM
        }

I don't seem to need a domain_realm section.

I recommend the latest Openfire, Spark and Java versions. I couldn't tell you precisely why,
but a lot of searching while trying to make this work found people discussing odd problems
with various Kerberos/SSO settings in Openfire/Wildfire 3.3, Java pre-5.9 and earlier Sparks.

Server side:

When you start Openfire, it reads the openfire.xml configuration and sees the GSSAPI
authentication setting, but it will not try to read gss.conf until you try to authenticate with a
client, so if you are watching with FileMon as I was, don't worry.

      •   In the Openfire console, I had added a system property xmpp.fqdn; it works without
          this. xmpp.domain is set to the hostname of the server, short form.
      •   The Openfire server does not need to be running as any particular user account, e.g.
          the one you created for Kerberos or LDAP connections.
      •   SetSPN adds a ServicePrincipalName tag to a user or server account in Active
          Directory. You can also see this, add it and remove it using ADSIEdit: look under
          the "Domain" option, not "Configuration" or "Schema", open the OU where the user
          is, and look at the properties of the user account.

              •    Somewhere along the way I ended up with a servicePrincipalName attached to
                   the Kerberos user of xmpp/xmpp- ; this is not the correct format. The @ and
                   everything after it should not be there.
      •   The Kerberos user account does not have to be a domain admin.
      •   If you get the "Unable to obtain password for user" error in the Openfire logs, the
          keytab file is at fault.
      •   If you get an error about it not being able to find a KDC for your domain, the
          KRB5.ini file is causing problems.
      •   If you get an error about pre-authentication being invalid, I think your keytab is
          causing problems. I think the solution is to recreate it with ktpass.exe, but also to
          add the extra option "-ptype KRB5_NT_PRINCIPAL" to the end of the command.
      •   Error "Client not found in kerberos database (6)" is fixed by regenerating my keytab.
          I really don't understand this one: if I run ktpass.exe against the same Kerberos
          user, but a new hostname, and output to a different keytab that Openfire is not using,
          then restart Openfire, it breaks. This suggests that ktpass is doing something else
          behind the scenes apart from creating the keytab and adding the SPN.

Spark client side:

       •   401 Not Authorized error in warn.log: I thought this meant the "allowtgtsessionkey"
           registry key was missing, but apparently that's not necessarily true.
       •   Spark does not always give helpful errors; "Could not log on with SSO, check your
           server and principal name" comes up even if the server is not running.
       •   Spark (2.5.8) does not, for me, need a krb5.ini file.
       •   If you have Spark set to use SSO, then change the server name, the login button
           becomes disabled. Go to the advanced options, remove SSO, OK, then go back and
           enable SSO and OK. The login button is available again.
       •   If you write a server name longer than the textbox, then hover the mouse over the
           Advanced button, the Spark flame graphic becomes messed up and about 15 pixels
           tall. This is not related to SSO at all, but is very weird.

Still, if it's any consolation (which it won't be), I've tried to migrate this setup to another server,
one that is not a domain controller and which has two NICs and an aliased name, and I
can't make it work. Spark is giving me the "401 not authorized" warning, Openfire logs aren't
showing anything at all, but the Spark logs show this error is coming from the server.

Tags: spark, windows, active_directory, ad, openfire, sso, principal, vista, krb5.ini, grr
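The server-side procedure from the post above (SPN registration, keytab creation with ktpass, gss.conf), written out as an added example. This is not code from the post or from the Openfire project; it is PowerShell to be run on the domain controller / Openfire host by an account allowed to modify the service account. The service account name (xmpp-openfire), Openfire hostname (server.site.example.com) and keytab/gss.conf paths are assumptions, not values from the post; the realm SITE.EXAMPLE.COM is the post's own. The comments explain why a second ktpass run for a new hostname breaks a running server, which the post observed but could not explain.

```powershell
# Added example, not from the original post or from Openfire's own docs.
# Assumed names (none appear in the post): service account "xmpp-openfire",
# Openfire host server.site.example.com, files under C:\openfire\conf.
$Realm   = 'SITE.EXAMPLE.COM'
$Account = 'xmpp-openfire'
$Spn     = 'xmpp/server.site.example.com'   # SPN form is service/fqdn, never "@REALM"
$Princ   = "$Spn@$Realm"                    # the Kerberos principal does carry the realm
$Keytab  = 'C:\openfire\conf\xmpp.keytab'
$GssConf = 'C:\openfire\conf\gss.conf'

# 1. List what is registered on the account, then strip any SPN that carries
#    an "@" suffix, the malformed shape the post ran into.
$registered = setspn -L $Account
$registered
$registered |
    Where-Object   { $_ -match '^\s+\S+@\S+$' } |
    ForEach-Object { setspn -D $_.Trim() $Account }

# 2. The SPN must exist on exactly one account in the forest. setspn -Q
#    searches the whole forest; a duplicate on another account means the KDC
#    may encrypt clients' service tickets with that account's key, which then
#    looks like a bad keytab on the Openfire side.
setspn -Q $Spn
if (-not ($registered -match "^\s+$([regex]::Escape($Spn))$")) {
    setspn -A $Spn $Account
}

# 3. Build the keytab. Two side effects of ktpass matter here:
#    /mapuser rewrites the account's userPrincipalName to $Princ, and
#    /pass resets the account password, which changes the key and bumps the
#    key version number (kvno). Running ktpass again for a *different*
#    hostname therefore changes the UPN and key behind a running Openfire,
#    so the keytab it is still using no longer matches the account even
#    though that file was never touched.
#    RC4-HMAC-NT is the strongest type a Server 2003 DC offers; on a 2008+
#    DC use /crypto AES256-SHA1 instead.
ktpass /out $Keytab /princ $Princ /mapuser "$Account@$Realm" `
       /pass * /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL

# 4. Confirm the keytab holds the principal Openfire will log in as. ktab
#    ships with the JDK the post already requires; the KVNO it prints should
#    be the version ktpass reported in step 3.
& "$env:JAVA_HOME\bin\ktab.exe" -l -k $Keytab

# 5. Point Openfire at the keytab. realm, principal and keyTab must agree
#    with the SPN and keytab above; the errors the post lists on the server
#    side all come from one of these three not matching the account.
#    Forward slashes in the path avoid JAAS escaping problems.
@"
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="$($Keytab -replace '\\','/')"
    doNotPrompt=true
    useKeyTab=true
    realm="$Realm"
    principal="$Princ"
    debug=true
    isInitiator=false;
};
"@ | Set-Content -Path $GssConf -Encoding ASCII
```

Run this once per Openfire host, not once per attempt: every ktpass invocation with /pass resets the service account's key, so the keytab on disk and the account in AD only agree immediately after the last run. If you do have to regenerate, restart Openfire afterwards so it logs in with the new file.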
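Client-side counterpart to the post's Spark notes, as an added example that is not from the post or from Spark: it sets the allowtgtsessionkey value the post mentions and then requests a service ticket for the Openfire SPN with klist, which tests SPN registration without Spark in the loop. The registry step needs an elevated PowerShell on the Vista client; the klist step is better run in the user's ordinary (non-elevated) session, which is the one Spark runs in. The SPN xmpp/server.site.example.com is an assumed name, not one from the post.

```powershell
# Added example, not from the original post. Assumed SPN (not in the post):
# xmpp/server.site.example.com. Registry step: run elevated.
$Spn  = 'xmpp/server.site.example.com'
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Java's Kerberos client on Windows reads the logged-on user's TGT from the
# LSA cache. Unless allowtgtsessionkey is 1, the LSA hands back that TGT
# with its session key blanked out, and without the key Java cannot build
# the AP-REQ that Spark sends to Openfire. Windows' own SSO keeps working,
# which is why the machine looks healthy while Spark fails.
if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
$current = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).allowtgtsessionkey
if ($current -ne 1) {
    Set-ItemProperty -Path $Path -Name allowtgtsessionkey -Value 1 -Type DWord
    Write-Host 'allowtgtsessionkey set to 1; log off and back on so a fresh TGT is issued.'
}

# Ask the KDC for a ticket to the Openfire service, bypassing Spark entirely.
#   KDC_ERR_S_PRINCIPAL_UNKNOWN  -> the SPN is not registered on any account;
#                                   fix it with setspn on the server side.
#   ticket issued                -> registration is right; the remaining suspects
#                                   are the keytab, gss.conf, and the server /
#                                   principal name typed into Spark.
klist get $Spn

# Show the cache so the new "Server: xmpp/..." entry is visible next to the
# TGT (krbtgt/SITE.EXAMPLE.COM).
klist | Select-String -Pattern 'Client:|Server:'
```

If klist get succeeds here but Spark still reports "401 Not Authorized", the client side is fine and the problem is on the server: the keytab, gss.conf, or (as in the post's second server) a host whose SPN does not match the name Spark connects to, such as an aliased name or a second NIC's hostname.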