I give up! SSO

Hi,

I realise that there are lots of these posts but I have tried rooting through so many of them I’ve lost count - I think my particular issue is not unique but as I simply can’t draw in all of the threads of discussion to zero in on my problem I thought I’d post it here.

Basically, we have a Windows 2003 Server box with Openfire 3.6.4 installed

I have run through the configuration for AD/SSO - pretty sure the AD setup worked as I have the list of groups/users I want listed. I have then performed the following steps for SSO:

setspn -A xmpp/pzms.issg.local@ISSG.LOCAL xmpp-openfire

ktpass -princ xmpp/pzms.issg.local@ISSG.LOCAL -mapuser xmpp-openfire@issg.local -pass * -ptype KRB5_NT_PRINCIPAL

Followed the notes here http://community.igniterealtime.org/docs/DOC-1060

KRB5.INI is in %windir% on client and server

Registry tweak applied on both

Strange thing is that this was working for me previously - and I’m not aware of changing anything - maybe moving to a new version of Spark?

When I configure the SSO tab on the client I can see the correct server name, but I get the following in the warn.log and no further

If anyone can help at all it’d be greatly appreciated

30-Aug-2011 12:02:27 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
-- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Clock skew too great (37)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 18 more

The clue is in the line:

GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37))]

Check that your client, Openfire server and DC are ALL within 5 minutes of each other. Ideally, set the DC as a time server for the others to sync with (see the MS KBs for details).
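To make the diagnosis above concrete, here is an added example (not code from the thread, Spark or Openfire) that does two things a defender would want: it reproduces the Kerberos acceptance rule behind "Clock skew too great (37)" (the KDC and the service reject any message whose timestamp is more than 5 minutes from their own clock, in either direction), and it scans warn.log lines for that error code. The host names, clock readings and log lines are constructed for the example; the 5-minute tolerance and the error code 37 (KRB_AP_ERR_SKEW) are the Kerberos defaults seen in the log.

```python
import re
from datetime import datetime, timedelta
from itertools import combinations

# Kerberos default clock-skew tolerance (RFC 4120, "clockskew"): 5 minutes.
MAX_SKEW = timedelta(minutes=5)
# Error code reported in the Spark log: KRB_AP_ERR_SKEW.
KRB_AP_ERR_SKEW = 37


def check_clock_skew(message_time, local_time, max_skew=MAX_SKEW):
    """Apply the check a KDC or service performs on a Kerberos timestamp.

    Returns (accepted, skew_seconds). The comparison is symmetric: a client
    clock that runs fast is rejected exactly like one that runs slow.
    """
    skew = abs(message_time - local_time)
    return skew <= max_skew, skew.total_seconds()


def max_pairwise_skew(clocks, max_skew=MAX_SKEW):
    """Given a host -> clock reading mapping (e.g. collected with
    'net time \\\\host' or 'w32tm /stripchart'), return the pair of hosts
    that disagree the most, their skew in seconds, and whether every pair
    is inside the Kerberos tolerance. All three parties in the thread
    (client, Openfire server, DC) must be within tolerance of each other.
    """
    worst_pair, worst = None, timedelta(0)
    for (a, ta), (b, tb) in combinations(sorted(clocks.items()), 2):
        skew = abs(ta - tb)
        if skew > worst:
            worst_pair, worst = (a, b), skew
    return worst_pair, worst.total_seconds(), worst <= max_skew


# Matches the "Mechanism level" detail Spark prints for a Kerberos failure.
SKEW_RE = re.compile(r"Clock skew too great \((\d+)\)")


def find_skew_errors(log_lines):
    """Return the 1-based line numbers of warn.log lines that carry a
    Kerberos skew error; other SASL failures (e.g. 'not-authorized') are
    ignored because they have a different cause."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = SKEW_RE.search(line)
        if m and int(m.group(1)) == KRB_AP_ERR_SKEW:
            hits.append(n)
    return hits


# Constructed sample data: clock readings from the three hosts involved.
SAMPLE_CLOCKS = {
    "client": datetime(2011, 8, 30, 12, 2, 27),
    "openfire": datetime(2011, 8, 30, 12, 2, 30),
    "dc": datetime(2011, 8, 30, 12, 9, 10),   # 6 min 43 s ahead of client
}

# Constructed sample warn.log excerpt (shape taken from the thread).
SAMPLE_LOG = [
    "30-Aug-2011 12:02:27 org.jivesoftware.spark.util.log.Log warning",
    "WARNING: Exception in Login:",
    "SASL authentication failed:",
    "-- caused by: javax.security.sasl.SaslException: GSS initiate failed "
    "[Caused by GSSException: No valid credentials provided "
    "(Mechanism level: Clock skew too great (37))]",
    "31-Aug-2011 08:35:01 org.jivesoftware.spark.util.log.Log warning",
    "SASL authentication GSSAPI failed: not-authorized:",
]

if __name__ == "__main__":
    pair, seconds, ok = max_pairwise_skew(SAMPLE_CLOCKS)
    print(f"worst pair {pair}: {seconds:.0f}s skew, within tolerance: {ok}")
    print("skew errors on log lines:", find_skew_errors(SAMPLE_LOG))
```

Running it on the constructed data reports the client/DC pair at 403 seconds of skew (outside the 300-second tolerance) and flags log line 4; the later "not-authorized" failure is correctly left alone, since after the clocks agree it points at the realm/SPN configuration rather than time.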

Ah, my apologies, I thought all workstations were running a time sync; it seems the test box I was using wasn't - it is now, and I get the following in the log…

31-Aug-2011 08:35:01 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

I did notice that in the gss.conf file I had the realm set to DOMAIN.LOCAL so have reset that and rebooted both server and workstation, but the above error persists…

After some fighting with the server/test workstation (the server was a VM, and VMTools was syncing the time back to the host!) and a couple of reboots it all seems to be working fine now!!!

Next job, get SSO working and automated on W7 boxes!

Thanks again