Auto Discovery and Automatic Login

I think that everything is about to be fixed. I am still getting a login error from the machines when trying SSO. I’ve attached some screen shots. Please see if you see anything wrong. Below is some information:

Openfire Server Name: GCBEIM

Domain Name: GCBE.local

DC: Arwen.GCBE.local

I tried using the Java keytab way but I kept getting errors. I tried the windows way and got no more errors. I used your registry file on the client. Does that need to be put on the server? Below are my configs and logs:

==================

info.log

==================

2008.07.11 14:40:19 Openfire 3.5.2

2008.07.11 14:40:22 Admin console listening at http://127.0.0.1:9090

2008.07.11 15:04:05 Missing database schema for openfire. Attempting to install…

2008.07.11 15:04:05 Database update successful.

2008.07.11 15:07:47 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:07:47 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:08:02 Started server (unencrypted) socket on port: 5269

2008.07.11 15:08:02 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:08:02 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:10:27 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:10:27 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:10:28 Openfire 3.5.2

2008.07.11 15:10:31 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:10:31 Started server (unencrypted) socket on port: 5269

2008.07.11 15:10:31 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:10:31 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:13:51 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:13:51 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:13:52 Openfire 3.5.2

2008.07.11 15:13:54 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:13:54 Started server (unencrypted) socket on port: 5269

2008.07.11 15:13:54 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:13:54 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:16:29 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:16:29 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:16:30 Openfire 3.5.2

2008.07.11 15:16:33 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:16:33 Started server (unencrypted) socket on port: 5269

2008.07.11 15:16:33 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:16:33 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:17:42 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:17:42 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:17:43 Openfire 3.5.2

2008.07.11 15:17:45 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:17:45 Started server (unencrypted) socket on port: 5269

2008.07.11 15:17:46 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:17:46 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:21:03 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:21:03 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:21:04 Openfire 3.5.2

2008.07.11 15:21:07 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:21:07 Started server (unencrypted) socket on port: 5269

2008.07.11 15:21:07 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:21:07 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:23:55 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:23:55 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:23:56 Openfire 3.5.2

2008.07.11 15:23:58 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:23:58 Started server (unencrypted) socket on port: 5269

2008.07.11 15:23:59 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:23:59 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:25:55 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:25:56 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:25:57 Openfire 3.5.2

2008.07.11 15:26:03 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:26:03 Started server (unencrypted) socket on port: 5269

2008.07.11 15:26:03 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:26:03 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:30:18 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:30:18 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:30:19 Openfire 3.5.2

2008.07.11 15:30:21 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:30:22 Started server (unencrypted) socket on port: 5269

2008.07.11 15:30:22 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:30:22 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:30:37 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:30:37 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:30:38 Openfire 3.5.2

2008.07.11 15:30:40 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:30:40 Started server (unencrypted) socket on port: 5269

2008.07.11 15:30:40 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:30:40 Started SSL (encrypted) socket on port: 5223

2008.07.11 15:42:22 Multi User Chat domain: conference.gcbeim.gcbe.local

2008.07.11 15:42:23 Publish-Subscribe domain: pubsub.gcbeim.gcbe.local

2008.07.11 15:42:24 Openfire 3.5.2

2008.07.11 15:42:27 Admin console listening at:

http://gcbeim.gcbe.local:9090

https://gcbeim.gcbe.local:9091

2008.07.11 15:42:27 Started server (unencrypted) socket on port: 5269

2008.07.11 15:42:27 Started plain (unencrypted) socket on port: 5222

2008.07.11 15:42:27 Started SSL (encrypted) socket on port: 5223

====================

warn.log

====================

2008.07.11 15:04:05 Error when trying to update to new name

java.sql.SQLException: Table not found in statement

at org.hsqldb.jdbc.Util.throwError(Unknown Source)

at org.hsqldb.jdbc.jdbcPreparedStatement.)

at org.jivesoftware.database.SchemaManager.updateToOpenfire(SchemaManager.java:299)

at org.jivesoftware.database.SchemaManager.checkOpenfireSchema(SchemaManager.java:67)

at org.jivesoftware.database.DbConnectionManager.setConnectionProvider(DbConnectionManager.java:488)

at org.jivesoftware.openfire.admin.setup.setup_002ddatasource_002dsettings_jsp._jspService(setup_002ddatasource_002dsettings_jsp.java:155)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)

at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:99)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)

at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)

at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)

at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)

at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)

at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)

at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)

at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)

at org.mortbay.jetty.Server.handle(Server.java:324)

at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)

at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)

at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)

at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)

at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)

at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)

at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)

2008.07.11 15:08:23 Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.

2008.07.11 15:08:23 Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.

2008.07.11 15:12:20 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at com.sun.security.sasl.gsskerb.GssKrb5Server.(Unknown Source)

at sun.security.krb5.KrbAsReq.getReply(Unknown Source)

at sun.security.krb5.Credentials.sendASRequest(Unknown Source)

at sun.security.krb5.Credentials.acquireTGT(Unknown Source)

… 47 more

Caused by: java.security.GeneralSecurityException: Checksum failed

at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)

at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)

… 54 more

2008.07.11 15:14:09 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at com.sun.security.sasl.gsskerb.GssKrb5Server.(Unknown Source)

at sun.security.krb5.KrbAsReq.getReply(Unknown Source)

at sun.security.krb5.Credentials.sendASRequest(Unknown Source)

at sun.security.krb5.Credentials.acquireTGT(Unknown Source)

… 47 more

Caused by: java.security.GeneralSecurityException: Checksum failed

at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)

at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)

… 54 more

2008.07.11 15:16:44 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

at com.sun.security.sasl.gsskerb.GssKrb5Server.(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)

… 25 more

2008.07.11 15:17:58 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

at com.sun.security.sasl.gsskerb.GssKrb5Server.


=========================

krb5.ini

=========================

[libdefaults]
default_realm = GCBE.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
GCBE.LOCAL = {
    kdc = Arwen.GCBE.local
    admin_server = Arwen.GCBE.local
    default_domain = GCBE.local
}

[domain_realm]
gcbe.local = GCBE.LOCAL
.gcbe.local = GCBE.LOCAL

Any help would be great!

I am getting a new error now. Would you know what this means?

error.log (spark client)

==========================

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 9 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

… 17 more

Jul 14, 2008 8:37:52 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

not-authorized(401)

at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

One of your config files does not have a correct FQDN for the server in it. You need to always use a FQDN for the server. It must be listed in AD (Users and Computers, DNS, etc) exactly like you enter it in all your config files (krb5.ini, gss, keytab, openfire setup, etc). FQDN is the key to making all this work.

Which config was it? I looked through openfire.xml and gss as well as the krb file.

Thanks!

Is it possible to use an IP and not the FQDN in the configs?

I do not think so.

OK. Well I won’t try it that way. What config had the wrong FQDN?

Not really sure… check your email, I sent you a message to your hotmail account.

Just emailed back. This chat was getting a bit confusing. Thanks again!

It sounds like you are confused about what the host names are. In “The Perfect World” each host would have exactly one name, and this would be easy. But that’s not the case; most hosts these days have multiple names that can be used (IPs, aliases, truncated names, etc.), so we have a concept called Fully Qualified Domain Name. This is The One True Name for a server. How does one figure this out? Use reverse lookup. So use nslookup on the IP address of the server, and it will tell you what the FQDN is.

Ok, so you have that, but we won’t use it everywhere (at least, it’s not guaranteed). Openfire has its own DNS entries, so you may use something like chat.example.com for your clients. So what do you use where?

In the keytab file, you MUST have the FQDN.

In the Spark login server name, you MUST use the Openfire name.

In Openfire, you MUST set xmpp.domain to the Openfire name (should be set already).

In Openfire, you MUST set xmpp.fqdn to the FQDN.

The error you see below tells me that Spark looked up the FQDN of the host it’s connecting to, and tried to request a ticket for xmpp/@YOUR.REALM and it turns out it doesn’t exist.
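As an added illustration of the naming rules in this post (example code, not part of the original thread or of Openfire/Spark), here is a Python check that reads a krb5.ini laid out like the one posted above, maps the server’s reverse-DNS name to a realm through [domain_realm], builds the service principal a GSSAPI client would request (xmpp/<fqdn>@REALM), and compares it with the keytab principals and Openfire’s xmpp.fqdn. The keytab principal list and the host names are constructed sample values.

```python
# Constructed krb5.ini in the layout from this thread (realm block is skipped by the parser).
KRB5_INI = """
[libdefaults]
default_realm = GCBE.LOCAL

[realms]
GCBE.LOCAL = {
    kdc = Arwen.GCBE.local
}

[domain_realm]
gcbe.local = GCBE.LOCAL
.gcbe.local = GCBE.LOCAL
"""

def parse_krb5(text):
    """Minimal krb5.ini reader: {section: {key: value}}; braces of realm blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif line.endswith("{"):
            depth += 1                      # entering a realm block
        elif line == "}":
            depth -= 1                      # leaving it
        elif depth == 0 and current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def realm_for_host(fqdn, sections):
    """[domain_realm] lookup as Kerberos does it: exact host, then parent domains, else default_realm."""
    mapping, host = sections.get("domain_realm", {}), fqdn.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return sections["libdefaults"]["default_realm"]

def expected_spn(fqdn, sections, service="xmpp"):
    """Principal the client asks the KDC for: service/<reverse-DNS FQDN>@<realm of that host>."""
    return f"{service}/{fqdn.lower()}@{realm_for_host(fqdn, sections)}"

def check_sso_names(fqdn, xmpp_fqdn, keytab_principals, sections):
    """Return a list of mismatches among the names this thread says must agree (empty = consistent)."""
    problems, spn = [], expected_spn(fqdn, sections)
    if xmpp_fqdn is None:
        problems.append("xmpp.fqdn is not set in Openfire")
    elif xmpp_fqdn.lower() != fqdn.lower():
        problems.append(f"xmpp.fqdn {xmpp_fqdn!r} differs from reverse-DNS FQDN {fqdn!r}")
    if not any(p.lower() == spn.lower() for p in keytab_principals):
        problems.append(f"keytab has no entry for {spn} (client would get 'Server not found in Kerberos database')")
    return problems
```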

Hey slushpuppie!

Thanks for the help! I’ve attached the debug log that mtstravel had me do. I will check those four things you listed. Does that log help any?
debug.log (17089 Bytes)

double post
debug.log (17089 Bytes)

Attached is a larger and updated debug log. I hope this helps.
debug.log (28922 Bytes)

slushpupie:

It appears that all four things you listed involving names are set correctly now. I didn’t have a xmpp.fqdn property.