Hi, all. I'm having some trouble connecting to my Openfire server with Spark. I have Spark 2.6.3 on Windows 7, Openfire 3.7.0 on Debian Squeeze and Active Directory on Windows Server 2008. When I try to authenticate via SSO, I get the following messages in my logs:
output.log
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is myaccount@MYDOMAIN.LOC
Commit Succeeded
error.log
18.07.2011 18:23:20 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
-- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 10 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 18 more
spark.properties has the following content:
#Spark Settings
#Mon Jul 18 18:02:33 VLAST 2011
compressionOn=false
jksPath=
resource=Spark 2.6.3
trustStorePath=
hostAndPort=true
ssoRealm=MYDOMAIN.LOC
timeout=10
xmppPort=5222
debuggerEnabled=false
protocol=SOCKS
xmppHost=jabber.mydomain.loc
proxyEnabled=false
trustStorePassword=
ssoMethod=dns
pkiEnabled=false
sslEnabled=false
ssoEnabled=true
ssoKDC=kdc.mydomain.loc
pkiStore=JKS
Wireshark shows that Spark requests a ticket for the wrong service:
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
Name-type: Unknown (0)
Name: xmpp
Name: kdc.mydomain.loc
instead of the right service, xmpp/jabber.mydomain.loc.
Why does Spark request the wrong principal’s ticket even though I specified jabber.mydomain.loc as the connection server in the advanced options before the session?
I’ve broken my brain already…
Sorry for my English.
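
The comparison made by eye in the post above can be scripted; this is an added example, not part of the original post and not Spark's own code. It assumes the expected service principal is xmpp/<xmppHost>, as the poster states, and uses excerpts of the posted spark.properties and Wireshark dissection as constructed inputs; the function names are hypothetical.

```python
import re

# Constructed inputs: excerpts of the files and capture quoted in the post.
SPARK_PROPERTIES = """\
#Spark Settings
xmppHost=jabber.mydomain.loc
ssoRealm=MYDOMAIN.LOC
ssoMethod=dns
ssoKDC=kdc.mydomain.loc
"""
KRB_ERROR_DISSECTION = """\
Kerberos KRB-ERROR
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def requested_spn(dissection):
    """Return (service, host) from the 'Server Name' line, or None."""
    m = re.search(r"^Server Name[^:]*:\s*([^/\s]+)/(\S+)\s*$", dissection, re.M)
    return (m.group(1), m.group(2).lower()) if m else None

def check_spn(props_text, dissection, service="xmpp"):
    """Compare the SPN seen on the wire with the one xmppHost implies (assumption)."""
    props = parse_properties(props_text)
    expected = (service, props.get("xmppHost", "").lower())
    seen = requested_spn(dissection)
    result = {"expected": "/".join(expected), "requested": None,
              "match": False, "host_matches_keys": []}
    if seen is None:
        return result
    result["requested"] = "/".join(seen)
    result["match"] = seen == expected
    # Which settings hold the host name that was actually requested?
    result["host_matches_keys"] = sorted(
        k for k, v in props.items() if v.lower() == seen[1])
    return result

if __name__ == "__main__":
    print(check_spn(SPARK_PROPERTIES, KRB_ERROR_DISSECTION))
```

On the posted data the result reports a mismatch and lists ssoKDC as the only setting whose value equals the requested host; that locates where the host name appears in the configuration, not why Spark used it.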