Mac OS X Server version 10.5: iChat client does not authenticate with Active Directory credentials

Issue or symptom

When authenticating to a Mac OS X Server version 10.5 iChat server that is bound to Active Directory, clients that are not configured to use Kerberos will not be able to authenticate, when using Active Directory credentials.


Solution

Either configure the iChat client to use Kerberos authentication or disable the use of CRAM-MD5 authentication on the iChat server.

Option 1: Configure a client to use Kerberos

  1. In iChat, choose Preferences from the iChat menu.
  2. Click the Accounts pane.
  3. Click the "Server Settings" tab.
  4. Enable (check) the "Use Kerberos v5 for authentication" box.


Option 2: Disable use of CRAM-MD5 authentication on the iChat server

To do this, you will need to edit the authentication settings in the file /etc/jabberd/c2s.xml and restart the jabberd service:

  1. Open the file /etc/jabberd/c2s.xml: sudo pico /etc/jabberd/c2s.xml
  2. In the editing window, locate the authentication settings:

    <traditional>
    <plain/>
    <cram-md5/>
    <!--
    <digest/>
    <zerok/>
    -->
    </traditional>

  3. To disable CRAM-MD5 authentication, comment out the line containing "<cram-md5/>" by adding "<!--" at the beginning of the line, and "-->" at the end:

    <traditional>
    <plain/>
    <!-- <cram-md5/> -->
    <!--
    <digest/>
    <zerok/>
    -->
    </traditional>

  4. Save the changes (press Control-O), and exit pico (press Control-X)
  5. Restart the jabberd service, like this: 
launchctl unload /System/Library/LaunchDaemons/org.jabber.jabberd.plist
launchctl load /System/Library/LaunchDaemons/org.jabber.jabberd.plist

Published Date: Feb 20, 2012