Fresh Deployment - SSO issue

Hello All,

First time deploying Spark in an environment. Waded through some of the user-created documents online to set it up as a Windows service, integrated with AD, set the encryption types in Group Policy to allow DES, had an issue with the server running through setup every time after reboot (found that I had to put the SASL/GSSAPI info before the closing </jive> tag). Also added the TGT regedit to a PC that I am testing with and rebooted.

Now I have run into something that I can't figure out. My Spark clients, when checking the SSO tab, display the correct user ID; however, it won't SSO login, giving "Check your principal and server settings". The client logs a 401-type AUTH error via the debugger.

On the server end in the ERROR log, I see a java.io.IOException "E:/Program Files (x86)/Openfire/conf/gss.conf" (no such file or directory) error. So I am thinking it can't read the file to know how to handle the SSO request. I certainly can verify that the file exists, and I paid careful attention to ensure in the openfire.xml file that I used / instead of \ even if it's a Server 2008 R2 machine. I installed the latest version from the community (4.0.2) and used the EXE with the built-in JRE.

Anyone have any ideas?

Thank you for your time,

Kyle

You really shouldn't use DES. Undo what you did and follow this guide! Let me know if you have any questions.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

OK, these instructions were different from any others, but I have made the modifications and used your KRB5 template and GSS template, and now I don't see the error about not finding the gss file; however, I still can't SSO login on a client.

I should note that the Openfire server is installed on a 2008 R2 server and my 2 other domain controllers are 2008 R2, but the domain functional level is still 2003.

Going to need a bit more info. Can you provide a snippet from the logs in both Openfire and Spark? Did you remove the DES Group Policy and recreate your key file as outlined? Also, making sure your LDAP filter is correct, can you sign in using your network creds without SSO?

Client running the Smack Debug shows:

a Get packet - IQ Sent

error -

<ping xmlns="urn:xmpp:ping"/>

Server:

No errors in error log.

warn:

2016.03.30 11:36:01 org.jivesoftware.openfire.spi.LegacyConnectionAcceptor - Configuration allows for up to 16 threads, although implementation is limited to exactly one.
2016.03.30 11:36:04 org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by admin from 127.0.0.1
2016.03.30 11:36:13 index.jsp - Failed to fetch RSS feed:
com.sun.syndication.fetcher.FetcherException: The requested resource could not be found. HTTP Response code was:401
    at com.sun.syndication.fetcher.impl.AbstractFeedFetcher.throw4XXError(AbstractFeedFetcher.java:176)
    at com.sun.syndication.fetcher.impl.AbstractFeedFetcher.handleErrorCodes(AbstractFeedFetcher.java:169)
    at org.jivesoftware.util.HttpClientWithTimeoutFeedFetcher.retrieveFeed(HttpClientWithTimeoutFeedFetcher.java:172)
    at org.jivesoftware.openfire.admin.index_jsp._jspService(index_jsp.java:357)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)
2016.03.30 11:36:18 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x00000005: nio socket, server, null => 0.0.0.0/0.0.0.0:5222)
java.io.IOException: An existing connection was forcibly closed by the remote host

The info log has a lot of info, and the debug log as well, that scrolled off.

Can you check the log files located in C:\Program Files\Spark\log please?

Sure - From the Client it says:

Output.log says

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Acquire TGT from Cache

Principal is Administrator@LST1.LOCAL

Commit Succeeded

What about ~\AppData\Roaming\Spark\logs?

Looking at warnings and errors.

Also interesting and not sure if it makes a difference -

When I turn off SSO and log in with the “Administrator” Account, valid password

The debug window shows administrator@las-spark/Spark, which I figured, since my domain is LST1.LOCAL; is there a disconnect with a setting in Openfire? The login does work. Here is the warn log from AppData\Roaming:

Mar 30, 2016 12:20:55 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 19 more

It looks like it's trying to pull a DES key (type 7).

Did you uncheck "Use Kerberos DES encryption type for this account" for the keytab user account?

After you do that, you'll need to recreate your keytab file using the command line in the link I provided.

Based on your document I created the keytab account fresh, but based on a different thread I remembered they had "Do not require Kerberos authentication" checked. Should that be unchecked and then the keytab file regenerated?

Second, DES wasn't checked and AES 128-bit is checked.

Yes, it should be unchecked.

Alright. Recreated the keytab file and stopped the service on the server, replaced the file and booted it back up, but same error on the client.

Here is my KRB5.ini file:

[libdefaults]
    default_realm = LST1.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = LASDC01.LST1.LOCAL
        admin_server = LASDC01.LST1.LOCAL
        default_domain = LST1.LOCAL
    }

[domain_realms]
    domain.com = LST1.LOCAL
    .domain.com = LST1.LOCAL

It should look like this (changes are underlined):

[libdefaults]
    default_realm = LST1.LOCAL

[realms]
    LST1.LOCAL = {
        kdc = lasdc01.lst1.local
        admin_server = lasdc01.lst1.local
        default_domain = lst1.local
    }

[domain_realms]
    lst1.local = LST1.LOCAL
    .lst1.local = LST1.LOCAL
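Added example, not code from the thread, from Openfire or from Spark: a small Python checker for the krb5.ini shape used in the two files above. Run over a constructed copy of the first file it reports the realm block named DOMAIN.LOCAL while default_realm is LST1.LOCAL, the KDC host sitting outside that realm, and the domain.com lines left over from a template. Run over the corrected file it still flags one thing both versions share: the section is spelled [domain_realms], but the section MIT krb5 and the Java Kerberos code read is [domain_realm], so mappings under the misspelt name are silently ignored. The realm name and KDC host are the ones posted; the parser, the Active Directory heuristics (realm equals the DNS domain in upper case, the DCs listed for it live under that domain) and the sample texts are this script's own assumptions.

```python
"""krb5.ini consistency checks (MIT krb5.conf syntax, as read by Java/Openfire).
Added example, not code from the thread, Openfire or Spark; the realm and KDC
names are the ones posted above, the checks and sample texts are this script's."""
import re
from typing import Dict, List, Optional

# Sections the MIT / Java libraries read; a misspelt one is silently ignored.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "logging", "kdcdefaults", "plugins"}
SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([^=\s]+)\s*=\s*\{$")
PAIR_RE = re.compile(r"^([^=\s]+)\s*=\s*(.+?)$")


def parse_krb5(text: str) -> Dict[str, dict]:
    """Return {section: {key: value}}; inside [realms] each realm is a nested dict."""
    conf: Dict[str, dict] = {}
    section: Optional[dict] = None
    block: Optional[dict] = None              # body of the current 'REALM = { ... }'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"setting before any [section]: {raw!r}")
        if line == "}":
            block = None
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = PAIR_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {raw!r}")
        (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return conf


def lint_krb5(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file is consistent."""
    conf = parse_krb5(text)
    problems: List[str] = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            hint = " (the library reads [domain_realm])" if name.startswith("domain_realm") else ""
            problems.append(f"section [{name}] is ignored by the Kerberos library{hint}")
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] block "
                        f"(blocks present: {', '.join(sorted(realms)) or 'none'})")
    for realm, settings in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm} should be upper case")
        # AD heuristic: the realm is the DNS domain in upper case, so the DCs
        # listed for it should be hosts inside that domain.
        for key in ("kdc", "admin_server"):
            host = settings.get(key, "").split(":")[0]
            if host and not host.lower().endswith("." + realm.lower()):
                problems.append(f"{key} {host} is not a host under {realm.lower()}")
    for name, mapping in conf.items():
        if not name.startswith("domain_realm"):
            continue
        for domain, realm in mapping.items():
            if realm not in realms:
                problems.append(f"[{name}] maps {domain} to {realm}, which has no [realms] block")
            elif domain.lstrip(".").lower() != realm.lower():
                problems.append(f"[{name}] maps {domain} to {realm}; for an AD realm the "
                                f"domain should be {realm.lower()} (unedited template?)")
    return problems


# Constructed copies of the two files posted in the thread, plus a fixed version.
BROKEN = """\
[libdefaults]
default_realm = LST1.LOCAL
[realms]
DOMAIN.LOCAL = {
    kdc = LASDC01.LST1.LOCAL
    admin_server = LASDC01.LST1.LOCAL
}
[domain_realms]
domain.com = LST1.LOCAL
.domain.com = LST1.LOCAL
"""
POSTED_FIX = BROKEN.replace("DOMAIN.LOCAL", "LST1.LOCAL").replace("domain.com", "lst1.local")
FIXED = POSTED_FIX.replace("[domain_realms]", "[domain_realm]")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("posted", POSTED_FIX), ("fixed", FIXED)):
        print(label, lint_krb5(text) or ["ok"])
```

To check a real file, pass open(r"C:\Windows\krb5.ini").read() to lint_krb5; the path Java actually reads can be overridden with -Djava.security.krb5.conf, so lint the file the Openfire service is started with.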

OK, a little more progress. Now just a single error in warn.log:

Mar 30, 2016 1:30:00 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:342)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

Check your PM.

Try running "as administrator"; sometimes this can cause problems with UAC if your account is an elevated account, i.e. admin.

No go running as Administrator. Based on your PM, does this look like a syntax issue on my part, maybe in the keytab? If I ran Wireshark and uploaded a pcap, would that help? Are you looking for something in particular?

Also, I ran a check on the SPN; here is the output.

C:\Users\kb>setspn -L lst1\keytab
Registered ServicePrincipalNames for CN=keytab,CN=Managed Service Accounts,DC=LST1,DC=LOCAL:
        xmpp/las-spark.LST1.LOCAL
        xmpp/LAS-SPARK.LST1.LOCAL@LST1.LOCAL

Yeah, you can do that. Yes, I'm looking for the key exchange and the encryption type that is requested. You can go ahead and post a pcap if you like, but that might have a bit more information than you're willing to post online!
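Added example, not code from the thread, from Openfire or from Spark, for the keytab and encryption-type question above. Once the realm names were corrected the client got past the KDC, and the remaining failure is the SASL not-authorized the server sends back, which is where the keytab matters. This script parses a keytab in the 0x0502 format ktpass writes and reports the two things worth checking before reaching for a pcap: whether it holds a key for exactly the principal the server is configured with (Java matches keytab principals case-sensitively, and the setspn output above registers the host in two spellings) and whether any key uses a DES enctype, which 2008 R2 domain controllers disable by default. The SPN xmpp/las-spark.lst1.local@LST1.LOCAL is taken from the setspn output; the keytabs are built in-script with dummy key bytes, kvnos and timestamps, and build_keytab, parse_keytab and check_keytab are this example's own names.

```python
"""Inspect a Kerberos keytab: which principals it holds and with which enctypes.
Added example, not code from the thread, Openfire or Spark.  The SPN is the one
from the setspn output above; keys, kvnos and timestamps are made up here."""
import struct
from typing import List, NamedTuple

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac (RC4)",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1                  # name type written by ktpass /ptype KRB5_NT_PRINCIPAL


class KeytabEntry(NamedTuple):
    principal: str                     # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:       # keytab "counted octet string": u16 length + bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in keytab format 0x0502 (big-endian; realm is not counted)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab, the version ktpass and MIT ktutil write."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []

    def take(fmt: str):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    def counted() -> bytes:
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos]

    while pos < len(data):
        (size,) = take(">i")
        if size <= 0:                      # negative size = slot deleted by ktutil
            raise ValueError("deleted or corrupt keytab slot")
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, kvno = take(">IIB")
        (enctype,) = take(">H")
        key = counted()
        if end - pos >= 4:                 # 32-bit kvno present; it overrides the 8-bit one
            (kvno,) = take(">I")
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def check_keytab(data: bytes, expected_spn: str) -> List[str]:
    """Problems that surface as a server-sent SASL 'not-authorized' on the client."""
    entries = parse_keytab(data)
    problems: List[str] = []
    names = {e.principal for e in entries}
    if expected_spn not in names:
        # Java compares principal names case-sensitively when it searches the keytab.
        near = [n for n in names if n.lower() == expected_spn.lower()]
        msg = (f"principal case mismatch: keytab has {near[0]}, server expects {expected_spn}"
               if near else f"no key for {expected_spn}; keytab holds {sorted(names)}")
        problems.append(msg)
    for e in entries:
        label = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if e.enctype in DES_ENCTYPES:
            problems.append(f"{e.principal} kvno {e.kvno}: {label} is DES, disabled by default "
                            "on 2008 R2 DCs; rerun ktpass with /crypto AES256-SHA1")
    return problems


SPN = "xmpp/las-spark.lst1.local@LST1.LOCAL"
GOOD_KEYTAB = build_keytab([KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1459360000, 3, 18, bytes(range(32)))])
BAD_KEYTAB = build_keytab([KeytabEntry("xmpp/LAS-SPARK.LST1.LOCAL@LST1.LOCAL",
                                       KRB5_NT_PRINCIPAL, 1459360000, 2, 3, bytes(8))])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(label, check_keytab(kt, SPN) or ["ok"])
```

On a real deployment, read the keytab Openfire's gss.conf points at with open(path, "rb").read() and pass the SPN the server is configured with; the enctype numbers printed are the same values Wireshark shows in the etype fields of the TGS-REQ and AP-REQ, so the two checks cover what the pcap would have been asked for.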