SSO HELP - Openfire.xml

The client has reverted to using IQ auth, which means none of the presented SASL options were acceptable. Either your server is (still) not advertising GSSAPI, or the client doesn't think it can use it. In the client, when you go to the SSO tab, what do you see?
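One way to settle the "is the server advertising GSSAPI" half of that question without Spark in the loop is to open a plain XMPP stream to the server and read the SASL mechanisms it lists in its first <stream:features>. The script below is an added example, not code from this thread or from Openfire/Spark: it parses the features element, reports whether GSSAPI is offered, whether only legacy IQ auth (XEP-0078) is advertised, and whether STARTTLS is marked required (in which case mechanisms are only advertised after TLS and a plain probe will not see them). The embedded sample stanza, the domain example.test and the stream id are constructed for the example; port 5222 is the standard client port.

```python
import socket
import sys
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
IQ_AUTH_NS = "http://jabber.org/features/iq-auth"

# Constructed sample of a server's stream open plus <stream:features>; it is
# not a capture from the poster's server (domain and id are made up).
SAMPLE_STREAM = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.test' id='c0ffee' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>GSSAPI</mechanism>"
    "<mechanism>PLAIN</mechanism>"
    "</mechanisms>"
    "<auth xmlns='http://jabber.org/features/iq-auth'/>"
    "</stream:features>"
)


def parse_features(stream_text: str) -> dict:
    """Extract what matters from the server's first <stream:features>.

    The features element sits inside the never-closed <stream:stream> root,
    so cut it out and parse it on its own instead of feeding the whole stream
    to the XML parser.
    """
    open_tag, close_tag = "<stream:features>", "</stream:features>"
    start, end = stream_text.find(open_tag), stream_text.find(close_tag)
    if start < 0 or end < 0:
        raise ValueError("no complete <stream:features> element in data")
    inner = stream_text[start + len(open_tag):end]
    root = ET.fromstring("<features>" + inner + "</features>")
    mechs = [m.text.strip() for m in root.iter("{%s}mechanism" % SASL_NS) if m.text]
    starttls = root.find("{%s}starttls" % TLS_NS)
    required = starttls is not None and starttls.find("{%s}required" % TLS_NS) is not None
    return {
        "mechanisms": mechs,
        "starttls_required": required,
        "legacy_iq_auth": root.find("{%s}auth" % IQ_AUTH_NS) is not None,
    }


def verdict(features: dict) -> str:
    """One-line reading of the features for the SSO question in this thread."""
    if "GSSAPI" in features["mechanisms"]:
        return "server advertises GSSAPI; if Spark still falls back to IQ auth, look at the client side"
    if features["starttls_required"]:
        return "server requires STARTTLS first; SASL mechanisms are only advertised after TLS, re-probe over TLS"
    if features["legacy_iq_auth"] and not features["mechanisms"]:
        return "server offers only legacy IQ auth, no SASL mechanisms at all"
    return "server advertises %s but not GSSAPI" % (features["mechanisms"] or "no SASL mechanisms")


def probe(domain: str, host: str = None, port: int = 5222, timeout: float = 5.0) -> dict:
    """Open a plain XMPP stream and return the parsed first <stream:features>.

    `domain` is the XMPP domain (the stream 'to' attribute); `host` is where
    to connect, defaulting to the domain name itself.
    """
    header = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
              "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % domain)
    buf = b""
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall(header.encode("utf-8"))
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    return parse_features(buf.decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: probe.py [xmpp-domain [connect-host]]; no arguments parses the sample
    feats = probe(sys.argv[1], *sys.argv[2:3]) if len(sys.argv) > 1 else parse_features(SAMPLE_STREAM)
    print(feats)
    print(verdict(feats))
```

Run it against the real server with the XMPP domain as the first argument; the 'to' attribute must be the domain Openfire is configured with, not an alias, for the same reason the Kerberos side dislikes CNAMEs.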

Attached is a screenshot of just the SSO page.

SSO is checked, and below it my Realm and KDC are filled in.

Thanks

I have yet to get those to work. I use the krb5.ini option with no issues.

Hey Todd,

I tried the krb5.ini file, and when trying to log into my spark client, the following error shows up on the Openfire server:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/openfireserver.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm DOMAIN.COM

my krb5.ini file is as follows

[libdefaults]
    default_realm = DOMAIN.COM
    noaddresses = true

[realms]
    DOMAIN.COM = {
        kdc = domainpdc.domain.com
        default_domain = domain.com
    }

I can ping domainpdc.domain.com, and I have also tried entering the IP address instead of the name, but I got the same result.

Any suggestions on this error?

Again, thanks for all your help on setting this up! The response time that you guys have is phenomenal, and I'm sure everyone on here appreciates it!

The redacting of your domain name, realm, and host names is going to be troublesome from this point forward. The errors you are getting are tied very closely to what is in DNS, and Kerberos is VERY picky about such things. So you either need to repost that last error unmodified, or if you prefer you can send me the errors in private (it will take longer to diagnose in private, though). Without getting the actual names, all I can suggest is that you re-read the documentation and make double/triple sure that things are correct. CNAMEs more often than not cause problems, so make sure you are not listing aliases anywhere.

YAY I think I’m getting somewhere here now haha

I’m now getting the error:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/dev008.tcs.com@TCS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/dev008.tcs.com@TCS.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: B3 60 6A A7 AE BA 09 C7 06 CC 8D C3 1E ED 34 6C .`j…4l

Added server's key: Kerberos Principal xmpp/dev008.tcs.com@TCS.COM, Key Version 14, key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: B3 60 6A A7 AE BA 09 C7 06 CC 8D C3 1E ED 34 6C .`j…4l

    [Krb5LoginModule] added Krb5Principal  xmpp/dev008.tcs.com@TCS.COM to Subject

Commit Succeeded

From the info log on Openfire, I get:

User Login Failed. Failure to initialize security context

*I've slightly changed the above keys, as I wasn't sure whether they were security-sensitive.

Hello,

Anyone come across the above error before?

Any help is greatly appreciated

Hi

any news about it ?

I have Openfire 3.6.0 on Red Hat 4 with a Windows 2003 AD.

I'm unable to get SSO to work too.

The client is Spark (latest version).

Hey,

I still haven’t been able to get it working.

Are you experiencing the same issue, or something else?

Thanks

Yeah,

I'm having the same issue.

In Spark I have the same messages in debug mode.

I tried most of the configurations for creating the keytab, but nothing.

In Openfire I don't have any kind of messages in the error or debug logs.

In my case, I first created the key on the Windows DC and then copied it to the Linux box and then changed the configuration (the 2 conf files).

In the second attempt, I used the Samba commands to create/change the Kerberos key, but still nothing.

In the client (Spark) I added the regkey, but nothing.

I am able to log in manually, but when I activate SSO... no luck.

I have SSO working with Openfire on a Linux machine and 2003 DCs.

Do you have multiple keytabs created for your user now (probably, if you have attempted more than once)?

On the DC:

setspn -l username

To delete:

setspn -d xmpp/yourhost.yourdomain.com username

Recreate with:

ktpass -princ xmpp/yourhost.yourdomain.com@YOURDOMAIN.COM -mapuser username -pass PASSWORD -out unique_filename

and then transfer that to the server.

Some things to also consider when doing SSO: does the time on the chat server and your clients match the DC? As picky as Kerberos is about DNS, it's as picky about time.

Do you have Kerberos tools installed on your Openfire server?

If you run the following command several times:

nslookup yourchatservername.com

will it always give the same result, or do you have multiple names out there? This caused me much grief.

**Edit: I also had problems with the ktpass included in 2003. I believe I had to use an older version; it doesn't list a version, but it was created in 1999. I have no idea what the difference is, but the one on 2003 Server didn't work for me (could have been coincidence).

Sorry for the delay.

I double-checked the configurations, but it's still not working.

I checked on the DC with setspn -l and I only have xmpp/server.domain.com and the other with @DOMAIN.COM.

In the Spark debug I get this:

myuser

spark

Hey,

I'm getting the same message as that now as well.

Thanks and regards

In the Spark logs I get this:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 9 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.PAData.<init>(Unknown Source)
    at sun.security.krb5.internal.KRBError.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 12 more

I’m having exactly the same issue !

My configuration is :

  • Openfire 3.6.2 on Windows 2003 Server - SP2

  • Java 1.6.0_11 Sun Microsystems

  • Active Directory on Windows 2003 Server - SP2

  • Spark 2.5.8

  • Only SSO / GSSAPI has never worked.

On the Spark client, the connection ends with :

prdd01501 spark

It would be great if anyone has fixed this issue

I’m going to second that I’m having the exact same issue!

From what I can tell there are at least half a dozen other posts with very similar issues.

I get the very specific response on the client of:

I've reviewed the documentation and rerun the setup process quite a few times. I'm currently thinking there is a problem with the ability of my xmpp-openfire user to query AD for the credentials, although it says that the xmpp-openfire user only needs to be in Domain Users.
Perhaps the keytab just isn't working? Not sure if there is a way to test just that piece?

Can anyone with more info narrow down the problem with the 401 errors a bit further? Or can it really be caused by any part of the SSO setup?
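The question of whether the keytab piece can be tested on its own, and the setspn/ktpass procedure posted earlier, both come down to what ktpass actually wrote into the file. The script below is an added example, not code from this thread, from Openfire or from Spark: it decodes a v2 (0x0502) MIT-format keytab, which is what ktpass, ktutil and Samba's net commands all produce, lists each principal with its key version number and enctype, and flags the mismatches this thread keeps circling: a principal that differs from the SPN only in case (realm written as tcs.com instead of TCS.COM), a kvno that does not match the one the KDC reports ("Key Version 14" in the Krb5LoginModule debug output above), or an enctype the JVM does not know. The sample keytab is built inline from constructed key bytes; the principal xmpp/dev008.tcs.com@TCS.COM and kvno 14 are taken from the log posted earlier in the thread, and the check function's heuristics are the author's own, not Openfire's.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

KEYTAB_MAGIC = 0x0502  # MIT keytab v2, as written by ktpass, ktutil and Samba

# Enctype numbers as stored in the keytab and shown as "keyType=" in the
# Krb5LoginModule debug output; 23 (RC4-HMAC) is what Windows 2003 ktpass emits.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM", byte-for-byte as stored
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a v2 keytab (all integers big-endian)."""
    (magic,) = struct.unpack_from(">H", data, 0)
    if magic != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version 0x%04x" % magic)
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno, takes precedence when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes,
                 timestamp: int = 0, name_type: int = 1) -> bytes:
    """Write a one-entry v2 keytab; used here only to construct the sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">Hi", KEYTAB_MAGIC, len(body)) + body


def check_keytab(entries: List[KeytabEntry], expected_spn: str,
                 expected_kvno: Optional[int] = None) -> List[str]:
    """Return the problems that would make the server side reject this keytab for the SPN."""
    if not entries:
        return ["keytab has no entries"]
    problems = []
    exact = [e for e in entries if e.principal == expected_spn]
    if not exact:
        case_only = [e.principal for e in entries if e.principal.lower() == expected_spn.lower()]
        if case_only:
            problems.append("principal differs only in case (Kerberos names are case-sensitive): "
                            "keytab has %s, expected %s" % (case_only[0], expected_spn))
        else:
            problems.append("no entry for %s; keytab holds %s"
                            % (expected_spn, sorted({e.principal for e in entries})))
    for e in exact:
        if expected_kvno is not None and e.kvno != expected_kvno:
            problems.append("kvno %d in keytab but KDC reports %d; regenerate with ktpass"
                            % (e.kvno, expected_kvno))
        if e.enctype not in ENCTYPES:
            problems.append("unknown enctype %d for %s" % (e.enctype, e.principal))
    return problems


# Constructed sample: principal and kvno from the log above, key bytes made up.
SAMPLE_KEYTAB = build_keytab("xmpp/dev008.tcs.com@TCS.COM", 14, 23, bytes(range(16)))

if __name__ == "__main__":
    # usage: keytab_check.py [keytab_file [expected_spn [expected_kvno]]]
    args = sys.argv[1:]
    data = open(args[0], "rb").read() if args else SAMPLE_KEYTAB
    spn = args[1] if len(args) > 1 else "xmpp/dev008.tcs.com@TCS.COM"
    kvno = int(args[2]) if len(args) > 2 else (None if args else 14)
    ents = parse_keytab(data)
    for e in ents:
        print("%-40s kvno=%-3d %s (%d-byte key)" % (e.principal, e.kvno,
              ENCTYPES.get(e.enctype, "enctype %d" % e.enctype), len(e.key)))
    for p in check_keytab(ents, spn, kvno):
        print("PROBLEM:", p)
```

Point it at the real file (C:/Program Files/Openfire/resources/jabber.keytab in the earlier post) with the SPN and the kvno that ktpass printed when the key was created; an empty result means the keytab itself matches what the KDC will look for, and the remaining suspects are DNS, clock skew and the client side.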

Eh…the raw HTML block didn’t show up…

But it's the same 401 error on the client as listed above. Sans HTML, it's:

<error code="401" type="AUTH">
  <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
</error>

So, today I used the ldp utility on my DC to look into my xmpp-openfire users servicePrincipalName property - and found an error there. So I deleted and recreated the user. Reran the setup steps…and…

Still getting the 401 error when attempting to use SSO :frowning:

I also noticed quite a difference in the Smack Debug connection log when attempting to use SSO, versus providing the password manually (which logs me in just fine).

With SSO enabled, the password field is empty, just <password/>. However, it's there in plain text (<password>IMPORTANTSTUFFHERE</password>) when using the manual approach.

Can anyone confirm if that is correct? Or is the Spark client having trouble getting access to my windows authentication information?

Hi ma_geek,

It seems there is an issue with SSO and GSSAPI enabled: the first time the user connects, he needs to provide his password.

But I think SSO is working fine afterwards, because even if the user's password is changed in Active Directory, the user can still connect to the Openfire server using SSO (without having to change his password for this connection).

So it looks like the user has to connect once with his password to enable SSO.

Best regards

Huh. It seems that’s the case!

Well, at least I have a rather detailed understanding of the various pieces which need to be in place, as I’ve gone over and over them a few hundred times now.

I did change my password and watch as Spark picked it up - so I’m good to go.

Thanks!