Some troubles with SSO

Hi, all. I have some trouble connecting to my Openfire server with Spark. I have Spark 2.6.3 on Windows 7, Openfire 3.7.0 on Debian Squeeze and Active Directory on Windows Server 2008. When I try to authenticate by SSO I get the following messages in my logs

output.log

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is myaccount@MYDOMAIN.LOC

Commit Succeeded

error.log

18.07.2011 18:23:20 org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: KrbException: Integrity check on decrypted field failed (31)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.(Unknown Source)

… 18 more

spark.properties has the following content

#Spark Settings

#Mon Jul 18 18:02:33 VLAST 2011

compressionOn=false

jksPath=

resource=Spark 2.6.3

trustStorePath=

hostAndPort=true

ssoRealm=MYDOMAIN.LOC

timeout=10

xmppPort=5222

debuggerEnabled=false

protocol=SOCKS

xmppHost=jabber.mydomain.loc

proxyEnabled=false

trustStorePassword=

ssoMethod=dns

pkiEnabled=false

sslEnabled=false

ssoEnabled=true

ssoKDC=kdc.mydomain.loc

pkiStore=JKS

Wireshark shows that Spark requests a ticket for the wrong service:

Kerberos KRB-ERROR

Pvno: 5

MSG Type: KRB-ERROR (30)

error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)

Realm: MYDOMAIN.LOC

Server Name (Unknown): xmpp/kdc.mydomain.loc

Name-type: Unknown (0)

Name: xmpp

Name: kdc.mydomain.loc

instead of the right service xmpp/jabber.mydomain.loc

Why does Spark request a ticket for the wrong principal even though I specified jabber.mydomain.loc as the connection server in the advanced options before the session?

I’ve broken my brain already…

Sorry for my English.
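A small diagnostic, added here and not part of the thread or of Spark itself: it parses the spark.properties keys quoted above and the Server Name from the Wireshark KRB-ERROR, then reports whether the SPN the client asked for was built from xmppHost (expected) or from ssoKDC. The two sample inputs are constructed from the values in the post.

```python
import re

# Constructed from the spark.properties quoted in the post (relevant keys only).
SPARK_PROPERTIES = """\
ssoRealm=MYDOMAIN.LOC
xmppHost=jabber.mydomain.loc
ssoKDC=kdc.mydomain.loc
"""

# Constructed from the Wireshark KRB-ERROR lines quoted in the post.
KRB_ERROR_DUMP = """\
Kerberos KRB-ERROR
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
"""

def parse_properties(text):
    """Parse key=value lines of a Java properties file; skip comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def expected_spn(props):
    """SPN a GSSAPI XMPP client should request: xmpp/<xmppHost>@<ssoRealm>."""
    return "xmpp/%s@%s" % (props["xmppHost"], props["ssoRealm"].upper())

def requested_spn(dump):
    """Pull the service name and realm out of the KRB-ERROR text dump."""
    name = re.search(r"Server Name.*?:\s*(\S+)", dump).group(1)
    realm = re.search(r"^Realm:\s*(\S+)", dump, re.M).group(1)
    return "%s@%s" % (name, realm)

def check_spn(props_text, dump):
    """Return (expected, requested, note) so a mismatch is visible at a glance."""
    props = parse_properties(props_text)
    want, got = expected_spn(props), requested_spn(dump)
    if want == got:
        return want, got, "OK: client requested the XMPP server's SPN"
    host = got.split("/", 1)[1].split("@")[0]
    if host == props.get("ssoKDC"):
        return want, got, "MISMATCH: SPN built from ssoKDC, not xmppHost"
    return want, got, "MISMATCH: SPN host differs from xmppHost"
```

Running `check_spn(SPARK_PROPERTIES, KRB_ERROR_DUMP)` on the values from the post reports the ssoKDC mismatch; feed it the dump from a working client (for example the 2.5.8 capture) to confirm the SPNs line up.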

Please review the thread mentioned in this issue: http://issues.igniterealtime.org/browse/SPARK-1327

I’ve read http://community.igniterealtime.org/message/212379 and http://community.igniterealtime.org/message/213826 and found no solution for my problem, but I followed all the recommendations. It seems to me the problem is connected with the unexpected Server name in the TGS-REQ generated by Spark.

The KDC server is on the same machine as Active Directory (kdc.mydomain.loc), and the Openfire server is jabber.mydomain.loc. Following http://community.igniterealtime.org/docs/DOC-1522 and http://community.igniterealtime.org/docs/DOC-1362 I generated a keytab that includes xmpp/jabber.mydomain.loc@MYDOMAIN.LOC and set the SPN for this service. And now Spark requests a ticket for xmpp/kdc.mydomain.loc, which I’ve never registered on my KDC. As I understand it, Spark inserts my KDC server name, taken from the properties, into the TGS-REQ. How can I force Spark to insert the Openfire server name instead of the KDC server name (which is also the AD and DNS server)?

By the way, today I’ve tried installing Spark 2.5.8 and it formed the right TGS-REQ with Server name: xmpp/jabber.mydomain.loc.

Also, I’ve tried Spark 2.6.3 on Windows XP and got the following picture. Spark generated a TGS-REQ with xmpp/kdc2.mydomain.loc (kdc2 is the secondary AD, DNS and KDC server), which is specified nowhere except in the DNS servers. As I understand it, Spark gets the server name from DNS. Probably that will be convenient for me, but which records does Spark use?

In general, how can I force Spark to generate the right tickets?

In general, Spark 2.6.3 works incorrectly with SSO authentication because it generates a wrong TGS-REQ, as I described earlier.

Miranda 0.9.25 and Pidgin 2.9.0 work well.