"Unable to connect using Single Sign-On. Please check your principal and server settings."
Hello all. I am running into this same issue after hours of troubleshooting. Bummer too, the Openfire setup and MySQL install with LDAP integration was done in less than 30 minutes. Here are my setup details. I know it is an old post, but if anyone has insight I would appreciate hearing back.
My setup:
- OpenFire server 3.9.3 running on Ubuntu 14.04
- MySQL 5.6.19
- Authenticating via Kerberos against AD domain at Windows 2008 R2 level (Forest and Domain are set to 2008 R2)
- KDC is Windows 2012 R2 domain controller
- Spark 2.6.3 running on Windows 7 x64
- Server Java:
java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.3) (7u71-2.5.3-0ubuntu0.14.04.1)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
Here are the articles and blog posts I am following to complete setup:
Openfire: Enable Single Sign On (SSO) on Linux - Spiceworks
Install Spark XMPP client and deploy its settings (inc.SSO) with a group policy - Spiceworks
How to Setup SSO on Windows Server 2008r2 with a Domain level of 2008r2
Initial Kerberos testing checks out on the Ubuntu server. I am able to see cached tickets.
I mapped the spn using ktpass from the domain controller, but also used it to export the keytab file:
ktpass -princ xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL -mapuser xmpp-openfire@DOMAIN.LOCAL -pass * -ptype KRB5_NT_PRINCIPAL -out c:\xmpp.keytab -crypto all
After copying the keytab file to the ubuntu server I used the following command to test it:
kinit -k -t xmpp.keytab xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL
I am suspicious of the domain functional level and the authentication mechanisms supported by the Openfire server. However, the documentation around the SSO configuration doesn't seem to mention it. There are multiple blog posts that mention Openfire supports only "older" authentication encryption methods and you might see this break above the Server 2003 functional level. However, the kind sir that started this post seems to be running 2003.
Anyhow, I'm about to give up after about 16 hours of trying. A shame. The new vCenter appliance has a "wizard" for SSO. You manually create the SPN, but after completing the wizard it is up and running in just a few minutes. Put it on the Openfire server development request list, I guess.
PS. After downloading the Java jce_policy-6 files and moving local_policy.jar and US_export_policy.jar to the ..\Spark\jre\lib\security folder I had the same error. But when I tried the jce_policy-7 and jce_policy-8 files during troubleshooting the error would never come up. Authentication would just hang until Spark was closed with Task Manager.
Adam Tyler
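Added example, not part of the post above: a small POSIX shell script that checks the service principal has the exact shape and case the client will request (service/host@REALM) and then tests the keytab the same way the post does with kinit, reporting which step fails. The service name, FQDN, realm and keytab path are placeholders based on the post's values and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the SPN and
# keytab used for Openfire GSSAPI (Kerberos) SSO. All expected values below are
# assumptions; replace them with the real service name, FQDN, realm and path.

# check_principal PRINCIPAL SERVICE FQDN REALM
# Verifies PRINCIPAL has the shape service/host@REALM and that each part matches
# exactly: Kerberos compares principal names case-sensitively, and the realm is
# conventionally upper-case. Prints the first mismatch and returns 1 on failure.
check_principal() {
  princ=$1; svc=$2; fqdn=$3; realm=$4
  case $princ in
    */*@*) ;;
    *) echo "bad shape (want service/host@REALM): $princ"; return 1 ;;
  esac
  p_svc=${princ%%/*}
  rest=${princ#*/}
  p_host=${rest%%@*}
  p_realm=${rest##*@}
  [ "$p_svc" = "$svc" ]     || { echo "service '$p_svc' != '$svc'"; return 1; }
  [ "$p_host" = "$fqdn" ]   || { echo "host '$p_host' != '$fqdn' (case matters)"; return 1; }
  [ "$p_realm" = "$realm" ] || { echo "realm '$p_realm' != '$realm'"; return 1; }
  upper=$(printf '%s' "$p_realm" | tr '[:lower:]' '[:upper:]')
  [ "$p_realm" = "$upper" ]  || { echo "realm '$p_realm' is not upper-case"; return 1; }
  return 0
}

# keytab_check KEYTAB PRINCIPAL
# Confirms the keytab lists PRINCIPAL (klist -k) and that a ticket can be obtained
# from it into a throw-away credential cache (kinit -k -t), which is the manual
# test from the post. Returns 2 if the Kerberos client tools are not installed.
keytab_check() {
  keytab=$1; princ=$2
  command -v klist >/dev/null 2>&1 && command -v kinit >/dev/null 2>&1 \
    || { echo "klist/kinit not installed" >&2; return 2; }
  [ -r "$keytab" ] || { echo "keytab '$keytab' not readable"; return 1; }
  klist -k "$keytab" | grep -Fq "$princ" \
    || { echo "principal '$princ' not in keytab"; return 1; }
  cc=$(mktemp)                      # temporary cache so the user's TGT is untouched
  KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$princ"; rc=$?
  rm -f "$cc"
  [ "$rc" -eq 0 ] || { echo "kinit with keytab failed for '$princ'"; return 1; }
  echo "keytab ok for $princ"
}

# Usage with the post's placeholder names (assumed keytab path):
# check_principal xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL \
#   xmpp openfireserver.domain.local INTERNALDOMAIN.LOCAL \
#   && keytab_check /etc/openfire/xmpp.keytab \
#        xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL
```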