
GSSAPI-SSO not working

Hey guys,

After following step by step this document made by Jonathan Murch, I managed to get SSO working just one time.

Since then I've changed nothing.

I get this error in the Spark-Logs:

WARNUNG: Exception in Login:
SASL authentication failed:   -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: animal.muppets.local@MUPPETS.LOCAL)]
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
          at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
Nested Exception: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: animal.muppets.local@MUPPETS.LOCAL)]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
          at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: animal.muppets.local@MUPPETS.LOCAL)
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          ... 10 more
Caused by: java.net.UnknownHostException: animal.muppets.local@MUPPETS.LOCAL
          at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
          at java.net.InetAddress$1.lookupAllHostAddr(Unknown Source)
          at java.net.InetAddress.getAddressFromNameService(Unknown Source)
          at java.net.InetAddress.getAllByName0(Unknown Source)
          at java.net.InetAddress.getAllByName(Unknown Source)
          at java.net.InetAddress.getAllByName(Unknown Source)
          at java.net.InetAddress.getByName(Unknown Source)
          at sun.security.krb5.internal.UDPClient.<init>(Unknown Source)
          at sun.security.krb5.KrbKdcReq$KdcCommunication.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.krb5.KrbKdcReq.send(Unknown Source)
          at sun.security.krb5.KrbKdcReq.send(Unknown Source)
          at sun.security.krb5.KrbKdcReq.send(Unknown Source)
          at sun.security.krb5.KrbTgsReq.send(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
          ... 13 more

Does anyone know how to solve this problem?

Windows Server 2012 R2 as DC/KDC and Openfire

Windows 7 Professional as Client

Keytab is located in *\openfire\resources\

krb5.ini in C:\Windows on both machines

[libdefaults]
default_realm = MUPPETS.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
MUPPETS.LOCAL = {
kdc = animal.muppets.local@MUPPETS.LOCAL
admin_server = animal.muppets.local@MUPPETS.LOCAL
default_domain = muppets.local
}
[domain_realms]
domain.com = MUPPETS.LOCAL
.domain.com = MUPPETS.LOCAL

gss.conf in *\openfire\conf\

com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule
          required
          storeKey=true
          keyTab="C:/openfire/resources/xmpp.keytab"
          doNotPrompt=true
          useKeyTab=true
          realm="MUPPETS.LOCAL"
          principal="xmpp/animal.muppets.local@MUPPETS.LOCAL"
          debug=true;
};
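
An added example, not part of the original post: a small Python linter run over the krb5.ini as posted. It flags `kdc`/`admin_server` values that carry an `@REALM` suffix (the string the `UnknownHostException` in the trace names), section headers that are not krb5.ini section names, and single-DES enctypes; the function name and rule labels are constructed for this example.

```python
import re

# krb5.ini as posted above, with the section headers on their own lines.
POSTED_KRB5_INI = """\
[libdefaults]
default_realm = MUPPETS.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
MUPPETS.LOCAL = {
kdc = animal.muppets.local@MUPPETS.LOCAL
admin_server = animal.muppets.local@MUPPETS.LOCAL
default_domain = muppets.local
}
[domain_realms]
domain.com = MUPPETS.LOCAL
.domain.com = MUPPETS.LOCAL
"""

# Section names defined for krb5.conf / krb5.ini clients.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults"}
# Single-DES enctypes, deprecated by RFC 6649.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

def lint_krb5(text):
    """Return (line_no, rule, detail) findings for a krb5.ini text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if header.group(1) not in KNOWN_SECTIONS:
                findings.append((n, "unknown-section", header.group(1)))
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        # kdc/admin_server take host[:port]; in the trace above the value
        # reaches InetAddress.getByName verbatim, "@REALM" suffix included.
        if key in ("kdc", "admin_server") and "@" in value:
            findings.append((n, "host-has-realm", value))
        if key.endswith("_enctypes"):
            for enc in sorted(DES_ENCTYPES & set(value.split())):
                findings.append((n, "des-enctype", enc))
    return findings

if __name__ == "__main__":
    for finding in lint_krb5(POSTED_KRB5_INI):
        print(finding)
```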