Can't Get SSO Working in Windows Environment

Hi All,

I’m an Openfire newb over here. I was able to set up Openfire 3.8.1 on Windows 2008 R2 using LDAP lookup. I’m hoping to get SSO working now, but I’m failing consistently and I’m about 20 hours deep into this thing. I’ve read just about every post in the forum regarding SSO and made tweaks when I saw fit, but I still can’t get it to go… The client is a 2008 R2 Remote Desktop server.

I can post all my files if need be: gss.conf, krb5.ini, openfire.xml, or any error logs.

I’ve recreated the keytab file a few times, made my xmpp-openfire AD user a Domain Admin, and the list goes on… I’m also fairly certain that I’m using the proper FQDN of the server everywhere it needs to be.

Here is the error I see in the Spark error.log:

May 8, 2013 11:23:55 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:109)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

We do have subdomains here; however, I created a test user in the top-level domain and I’m still receiving the error. Any thoughts or help would be much appreciated, and I will pay it forward in the forum as I’m a member now and plan on using Openfire for a long time…

Thanks!

Let me know if this helps or if you have any questions.

http://community.igniterealtime.org/docs/DOC-2585

Thanks for the reply, speedy.

I went through and verified everything, but I’m still not able to connect.

In my local Spark error.log, I’m getting the following error now:

Attempt to obtain new INITIATE credentials failed!

and this:

Could not load configuration file \krb5.ini (The system cannot find the file specified)

I can verify that krb5.ini is in the C:\windows directory

Thanks!

Sounds like a permissions issue or something else with your krb5.ini file. You may try recreating it.

Also, since you are running this in RDS, Spark may be trying to find krb5.ini in %userprofile%\windows. You could verify this by placing the krb5.ini there or by running Procmon.

I added the ‘Everyone’ group to have permissions to read/write the file in the C:\windows directory, but I got the same result.

I moved the krb5.ini file to %userprofile%\windows, same result.

The following is my local Spark error.log:

javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file \krb5.ini (The system cannot find the file specified))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(Unknown Source)
    at javax.security.sasl.Sasl.createSaslClient(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:85)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Invalid name provided (Mechanism level: Could not load configuration file \krb5.ini (The system cannot find the file specified))
    at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.init(Unknown Source)
    at sun.security.jgss.GSSNameImpl.(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
    … 11 more

Is UAC enabled? You may try disabling it if it is. Also try running Procmon.

I’ve had some problems with remote desktop clients on W2008 R2 and SSO. My solution was to create a scheduled task that ran Spark on startup with elevated privileges.

I verified that UAC is disabled.

I found that it was reading the local jar security files for java, so I replaced them with the ones that were mentioned in another post. (US_export_policy.jar and local_policy.jar)

I ran Procmon and found that Spark was looking for krb5.ini at C:\ - not in C:\Windows. I moved the file there; now I’m getting varied results, so I think it’s a step in the right direction.

I told Spark to ‘Run as Administrator’ both from my domain admin account and from a test user with no admin permissions.

From my domain admin account I see the following error in warn.log: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]

From the account with no admin permissions I see the following error in warn.log: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

Note - I am running my domain admin account on one RDS server and the user level account is on another.

Thanks again for the replies! We will get to the bottom of this!!!

OK… the new error you are getting is with Kerberos. If your domain level is 2008 R2, you’ll need to allow for DES encryption types.
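Added example, not code from any participant in this thread or from the Openfire/Spark projects. It puts the three Kerberos pieces that have to agree for the two errors seen above (KDC error 14, KDC_ERR_ETYPE_NOSUPP, and error 31, KRB_AP_ERR_BAD_INTEGRITY) on one host: the AD service account's allowed encryption types, the keytab cut with ktpass, and a krb5.ini pinned to the same types, written to both places Java was seen probing in this thread. It also sets the allowtgtsessionkey registry value that Java's GSS-API needs to reuse the Windows logon TGT, and finishes with a client-side klist check. Every name is an assumption for illustration: realm EXAMPLE.COM, KDC dc1.example.com, Openfire host im.example.com, account xmpp-openfire, keytab path C:\keytab\xmpp.keytab. The DES branch is there because the last reply suggests it; AES is the default.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on a
# domain-joined host with RSAT (ActiveDirectory module, setspn, ktpass).
# All names below are assumptions for illustration.
param(
    [string]$Realm      = 'EXAMPLE.COM',
    [string]$Kdc        = 'dc1.example.com',
    [string]$XmppHost   = 'im.example.com',
    [string]$SvcAccount = 'xmpp-openfire',
    [string]$KeytabPath = 'C:\keytab\xmpp.keytab',
    # 'AES' is the sound choice. 'DES' is what the last reply describes; it is
    # disabled by default at the 2008 R2 functional level and is a weak cipher.
    [ValidateSet('AES', 'DES')][string]$EncType = 'AES'
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$spn = "xmpp/$XmppHost"

# Kerberos error 14 (KDC_ERR_ETYPE_NOSUPP): the client asked for an etype the
# KDC will not issue for this principal. Error 31 (KRB_AP_ERR_BAD_INTEGRITY):
# the service's keytab key is not the key the KDC encrypted the ticket with,
# typically a keytab cut before the account password (and kvno) last changed.
switch ($EncType) {
    'AES' {
        $ktCrypto   = 'AES256-SHA1'                                  # ktpass /crypto value
        $iniEtypes  = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'
        $msdsEtypes = 0x18   # msDS-SupportedEncryptionTypes: AES256 (0x10) + AES128 (0x8)
    }
    'DES' {
        $ktCrypto   = 'DES-CBC-MD5'
        $iniEtypes  = 'des-cbc-md5 des-cbc-crc'
        $msdsEtypes = 0x03   # DES-CBC-MD5 (0x2) + DES-CBC-CRC (0x1)
    }
}

# 1. Account: SPN, allowed etypes and, for DES only, the "use DES key only" flag.
setspn -S $spn $SvcAccount | Out-Null      # -S refuses to create a duplicate SPN
Set-ADUser -Identity $SvcAccount -Replace @{ 'msDS-SupportedEncryptionTypes' = $msdsEtypes }
if ($EncType -eq 'DES') { Set-ADAccountControl -Identity $SvcAccount -UseDESKeyOnly $true }

# 2. Keytab. "/pass *" prompts for a new password; that rotates the account
#    key, so every keytab produced earlier stops working from this point on.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabPath) | Out-Null
ktpass /princ "$spn@$Realm" /mapuser "$SvcAccount@$Realm" /pass * `
       /crypto $ktCrypto /ptype KRB5_NT_PRINCIPAL /out $KeytabPath

# 3. krb5.ini pinned to the same etypes, written as plain ASCII (no BOM).
$lower = $Realm.ToLower()
$krb5Ini = @"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = $iniEtypes
    default_tgs_enctypes = $iniEtypes
    permitted_enctypes = $iniEtypes

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $Kdc
    }

[domain_realm]
    .$lower = $Realm
    $lower = $Realm
"@
# Java normally reads %SystemRoot%\krb5.ini; the Procmon trace in this thread
# showed it probing the drive root instead, so cover both locations.
foreach ($p in "$env:SystemRoot\krb5.ini", "$env:SystemDrive\krb5.ini") {
    Set-Content -Path $p -Value $krb5Ini -Encoding ASCII
}

# 4. Let Java reuse the Windows logon TGT: LSA must export the session key,
#    otherwise the client fails before it ever talks to the KDC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $lsa -Name allowtgtsessionkey -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Client-side check: request a service ticket for the SPN with the logged-on
#    user's TGT and show which etype the KDC issued it with. An etype the KDC
#    refuses for this account fails right here, independent of Spark.
klist purge | Out-Null
klist get $spn | Out-Null
klist | Select-String -Pattern 'Server:', 'KerbTicket Encryption Type'
```

If Procmon still shows Java probing \krb5.ini at a drive root, the lookup can be sidestepped entirely: Java reads the path in the java.security.krb5.conf system property first, and ${java.home}\lib\security\krb5.conf second, before it ever tries the Windows directory, so dropping the same file into the bundled JRE's lib\security as krb5.conf removes the guesswork. Whatever etype ends up on the service ticket in step 5 must also be one the keytab carries, which is why the script derives all three settings from one $EncType value.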