Add support for Kerberos/NTLM (experimental status)


Add support for Windows Kerberos/NTLM as an authentication method. This would allow true single sign-on support. So far, Pandion is the only client known to have support for this on the client side. Request at:

In a future version we would need to provide easy ways to do setup from the admin console.




santiago bravo
May 17, 2007, 8:47 PM

Many thanks the problem was :
<realm>ECOA30.ERY.COM</realm> (fails)

Instead of this

<realm>ECOA30</realm> (correct )

Norman Rasmussen
May 17, 2007, 6:26 PM

Your config.jive.sasl.realm variable should be set to ECOA30, and you need to configure the authorization.classList to include the StrictAuthorizationPolicy. It looks like openfire can't find the authorization element, so my guess is that either you missed it, or you duplicated the provider element.

santiago bravo
May 16, 2007, 1:34 AM

I use
Pandion v2.5
WildFire v3.2.4
config with SASL-SSPI v6.2

if I configured Pandion Integarded Windows Authentication and not conect

the logs of WildFire is:

2007.05.03 13:23:07 No AuthorizationProvider's found. Loading DefaultAuthorizationPolicy
2007.05.03 13:23:07 santiago@ECOA30 not authorized to santiago
2007.05.03 13:23:07 SaslException SSPI: santiago@ECOA30 is not authorized to act as santiago
at Method)
at org.jivesoftware.wildfire.nio.ConnectionHandler.messageReceived(
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(
at org.apache.mina.filter.executor.ExecutorFilter$
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$ Source)
at Source)

Somebody knows that it is what he passes
Dispense English to me

Jay Kline
January 27, 2007, 1:03 PM

I fixed a bug with GSSAPI-

In (near line 194) when we create the SaslServer object, we have to give the server name. To get the server name, we had just used session.getServerName() . The problem with that, is that method returns whatever the xmpp.domain property is set to. When using GSSAPI the server name needs to be the FQDN. So to get the FQDN we can use session.getConnection().getInetAddress().getCanonicalHostName() instead. Fairly simple change.

However, if the SASL method is not GSSAPI but using some other method that is expecting the xmpp.domain, it will break. An example is DIGEST-MD5.

The JavaDoc for SaslServerFactory says that the server name paramater to createSaslServer must be the FQDN, so it might work. Currently my SASL libraries on my client has a bug in it that crashes every time CRAM-MD5 gets used, so I cant verify.

Jay Kline
August 23, 2006, 7:52 AM

I hate Kerberos errors. "Failed to find any Kerberos Key" could mean just about anything. The fact that it works with the domain==realm tells me Kerberos and DNS are configured correctly. I would like to see Kerberos debugging output from the client side as well. Also, there is more debugging output- you have debug=true in the gssapi.conf, that output goes to stderr, so nohup.out or something should have more messages.

It concerns me that the exception is coming from, since none of my code has had a chance to look at the credentials yet (its all Java internals at that point). Can you double check that NOTHING else has changed but the domain setting between your configurations?



Gaston Dombiak