Hi guys,
I'm setting up an Openfire 3.10.1 server on Red Hat 6.4 using SSO and Kerberos authentication. My client is CentOS 6.4. I followed the instructions from "Openfire: Enable Single Sign On (SSO) on Linux" on Spiceworks and https://www.redhat.com/archives/freeipa-users/2012-February/msg00085.html
Here are my configuration files.
The gss.conf configuration file:
xmpp ODW [/opt/openfire/conf] 815# cat gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/opt/openfire/keytab/krb5.xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="DOMAIN.COM"
principal="xmpp/xmpp.domain.name@DOMAIN.COM"
useFirstPass=true
debug=true;
isInitiator=false;
};
These settings used to be saved in the openfire.xml file, but now they are in the server database:
sasl.gssapi.config /opt/openfire/conf/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm DOMAIN.com
xmpp.domain xmpp.domain.com
xmpp.fqdn xmpp.domain.com
The keytab file is at /opt/openfire/keytab/krb5.xmpp.keytab.
Running kinit -k -t /opt/openfire/keytab/krb5.xmpp.keytab xmpp/xmpp.domain.name@DOMAIN.NAME -V gives this output:
Using default cache: /tmp/krb5cc_0.1
Using principal: xmpp/xmpp.domain.name@DOMAIN.COM
Using keytab: /opt/openfire/keytab/krb5.xmpp.keytab
Authenticated to Kerberos v5
On my client I use Pidgin 2.10.11 with cyrus-sasl enabled. When I launch the Pidgin client on my workstation in debug mode, I can see that the certificate from the server is verified successfully. I only need to set up my username and domain name; it does not let me enter a password, and with the klist command on my client I can see that I got the ticket from the Openfire server. But there is an error: "server closed the connection". Then I checked the server's error.log, and there is this error message:
2015.06.26 19:13:51 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>long token</auth>
java.lang.SecurityException: Configuration Error:
Line 11: expected [controlFlag]
at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
at sun.reflect.GeneratedConstructorAccessor52.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at javax.security.auth.login.Configuration$2.run(Unknown Source)
at javax.security.auth.login.Configuration$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.LoginConfigImpl.<init>(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:277)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:173)
I suspect it may be a Java version problem, so I downloaded Java 1.7.0_79 to replace the Java version that comes with Openfire. But I still get the same error. I don't know which configuration is wrong; does anyone have a suggestion?
Thanks.
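Added example, not from the original post and not Openfire's or the JDK's code: a small Python checker for the JAAS login-configuration grammar that gss.conf uses (AppName { ModuleClass ControlFlag key=value ... ; };). The JDK's ConfigFile parser reports "expected [controlFlag]" when a semicolon ends a login-module entry early, so that the next key=value line is read as a new module class followed by an unexpected '='. The checker reproduces that diagnosis on a constructed copy of the gss.conf posted above (the line number it reports depends on the exact line layout of the file; the trace above says line 11) and shows that the same file parses once the stray ';' after debug=true is removed. It also runs a few sanity checks on the com.sun.security.jgss.accept entry that a keytab-based GSSAPI acceptor needs; the ${system.property} expansion the JDK performs is not implemented here.

```python
"""Checker for JAAS login configuration files such as Openfire's gss.conf.

Added example; mimics the grammar enforced by the JDK's ConfigFile parser:

    AppName {
        ModuleClass ControlFlag key=value key="value" ... ;
        ...
    };
"""
import re
import sys
from typing import Dict, List, Tuple

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
ACCEPTOR_APP = "com.sun.security.jgss.accept"

# Whitespace and comments are skipped; values may be bare words or quoted strings.
_TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>//[^\n]*|/\*.*?\*/)"
    r"|(?P<string>\"[^\"\n]*\"|'[^'\n]*')"
    r"|(?P<punct>[{};=])"
    r"|(?P<word>[^\s{};=\"']+)",
    re.DOTALL,
)


class JaasConfigError(ValueError):
    def __init__(self, line: int, expected: str, found: str):
        super().__init__(f"Configuration Error: Line {line}: expected [{expected}], found [{found}]")
        self.line, self.expected, self.found = line, expected, found


def tokenize(text: str) -> List[Tuple[str, str, int]]:
    """Return (kind, value, line) triples, dropping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:  # only an unterminated quote can get here
            raise JaasConfigError(text.count("\n", 0, pos) + 1, "closing quote", text[pos])
        if m.lastgroup not in ("ws", "comment"):
            value = m.group()
            if m.lastgroup == "string":
                value = value[1:-1]
            tokens.append((m.lastgroup, value, text.count("\n", 0, m.start()) + 1))
        pos = m.end()
    tokens.append(("eof", "", text.count("\n") + 1))
    return tokens


def parse_jaas_config(text: str) -> Dict[str, List[dict]]:
    """Parse a JAAS config; raise JaasConfigError at the first offending token."""
    toks, i = tokenize(text), 0

    def word(expected: str) -> str:
        nonlocal i
        kind, value, line = toks[i]
        if kind in ("word", "string"):
            i += 1
            return value
        raise JaasConfigError(line, expected, value or "end of file")

    def punct(ch: str) -> None:
        nonlocal i
        kind, value, line = toks[i]
        if kind == "punct" and value == ch:
            i += 1
            return
        raise JaasConfigError(line, ch, value or "end of file")

    def at(ch: str) -> bool:
        kind, value, _ = toks[i]
        return kind == "punct" and value == ch

    config: Dict[str, List[dict]] = {}
    while toks[i][0] != "eof":
        app = word("application name")
        punct("{")
        entries = []
        while not at("}"):
            module = word("module class name")
            flag = word("controlFlag")  # a ';' too early makes the next key land here
            if flag.lower() not in CONTROL_FLAGS:
                raise JaasConfigError(toks[i - 1][2], "controlFlag", flag)
            options: Dict[str, str] = {}
            while not at(";"):  # the ';' closes this login-module entry
                key = word("option key")
                punct("=")
                options[key] = word("option value")
            punct(";")
            entries.append({"module": module, "flag": flag.upper(), "options": options})
        punct("}")
        punct(";")
        config.setdefault(app, []).extend(entries)
    return config


def check_config(text: str):
    """Return (True, parsed config) or (False, error message)."""
    try:
        return True, parse_jaas_config(text)
    except JaasConfigError as err:
        return False, str(err)


def acceptor_warnings(config: Dict[str, List[dict]]) -> List[str]:
    """Sanity checks for a keytab-based GSSAPI acceptor entry (assumed good practice)."""
    entries = config.get(ACCEPTOR_APP)
    if not entries:
        return [f"no '{ACCEPTOR_APP}' entry; the GSSAPI SASL server cannot log in"]
    warnings = []
    for e in entries:
        opts = e["options"]
        if not e["module"].endswith("Krb5LoginModule"):
            warnings.append(f"{e['module']}: not a Krb5LoginModule")
        for key, want in (("useKeyTab", "true"), ("storeKey", "true"), ("isInitiator", "false")):
            if opts.get(key, "").lower() != want:
                warnings.append(f"{e['module']}: expected {key}={want}, got {opts.get(key)!r}")
        if "keyTab" not in opts:
            warnings.append(f"{e['module']}: keyTab not set")
    return warnings


# Constructed copy of the gss.conf from the post (with its stray ';' after debug=true).
POSTED_GSS_CONF = """com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/opt/openfire/keytab/krb5.xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="DOMAIN.COM"
principal="xmpp/xmpp.domain.name@DOMAIN.COM"
useFirstPass=true
debug=true;
isInitiator=false;
};
"""
FIXED_GSS_CONF = POSTED_GSS_CONF.replace("debug=true;", "debug=true")

if __name__ == "__main__":
    # Usage: python jaas_check.py /opt/openfire/conf/gss.conf  (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_GSS_CONF
    ok, detail = check_config(text)
    print(detail if not ok else acceptor_warnings(detail) or "config OK")
```

Run it against the real file before restarting Openfire; it fails the same way the JDK does, but without a client having to trigger the SASL exchange first.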