Ntlm on 3.6.4 with the 7.1 patch

Hi,

Been using Openfire 3.4.x on windows 2k3 for quite a while using ntlm sso with Norman’s patch with the Pandion client. Today decided it was about time to upgrade to 3.6.4. Upgrade went fine, then went through the steps to reinstall the patch (7.1); trouble is it won’t accept ntlm logons. Plain logons work fine. The sasl plugin is shown as loaded but whenever a Pandion sso client attempts to logon I get:

Client wants to do a MECH we don't support: 'NTLM'
in the log

Pandion’s log shows

EVNT: Connecting to domain.com
SENT: <?xml version="1.0"?>
SENT: <stream:stream to="domain.com" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="667263cb" xml:lang="en" version="1.0">
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required></required></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>
SENT: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"></proceed>
SENT: <stream:stream to="domain.com" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="667263cb" xml:lang="en" version="1.0">
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"></auth></stream:features>
SENT: <compress xmlns="http://jabber.org/protocol/compress"><method>zlib</method></compress>
RECV: <compressed xmlns="http://jabber.org/protocol/compress"></compressed>
SENT: <stream:stream to="domain.com" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="667263cb" xml:lang="en" version="1.0">
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"></auth></stream:features>
SENT: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="NTLM">TlRMTVNTUAABAAACB7IIogMAAwAuAAAABgAGACgAAAAFAs4OAAAAD1JFTU9URUtDUw==</auth>
RECV: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized></not-authorized></failure>
SENT: </stream:stream>
RECV: </stream:stream>
EVNT: Disconnected
which implies the server is not advertising NTLM as one of the SASL mechanisms.
I have gone through all the steps again and made sure all the elements of the patch are installed. Any suggestions on where to look next? Thanks, James

Did you make sure to reinstall the plugin with all its patches? (When you upgrade openfire it removes the patches you make to the java lib security policy)

Hi,

Yes, added to the jre/lib/security/java.security file. The dll is in the openfire/bin directory and sasl-sspi.jar is in the lib folder. The plugin is shown as loaded.

The only slight difference is now when you add items to the openfire.xml they get removed when openfire starts up and get placed in the database. System properties now show:

sasl.mechs

ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,NTLM

sasl.realm

KCS

where KCS is the ntlm domain

provider.authorization.classList

org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy

Thanks

James

It sounds like the plugin doesn’t work with 3.6 properly. I don’t have time to look at it, so if someone else can have a look, that would be great.

Hi,

After a bit more playing it was the plugin as you suggested. I replaced the 3 occurrences of getXMLProperty with getProperty and rebuilt it. Loaded it and it works fine, so it looks like all the other elements of the patch are fine too. Enclosed is the working plugin and the source. It’s worth checking as my java knowledge is next to 0!

Thanks

James
saslmechanisms.jar (2021 Bytes)
SASLMechanismsPlugin.java.zip (853 Bytes)
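As an added illustration (not the plugin source attached above, nor Norman's patch), here is a minimal Openfire plugin that reads sasl.mechs the way 3.6.x needs it: from the database via JiveGlobals.getProperty(), with getXMLProperty() only as a fallback for a value that is still in openfire.xml. The package and class names are assumptions.

```java
// Hypothetical minimal Openfire plugin (added illustration, not the patch's own code).
// Under 3.6.x, entries added to openfire.xml are migrated into the database on
// startup, so a plugin must read them with JiveGlobals.getProperty() rather than
// JiveGlobals.getXMLProperty(), which only looks at the XML file.
package example.sasl;  // assumed package name

import java.io.File;
import org.jivesoftware.openfire.container.Plugin;
import org.jivesoftware.openfire.container.PluginManager;
import org.jivesoftware.openfire.net.SASLAuthentication;
import org.jivesoftware.util.JiveGlobals;

public class SaslMechanismsExamplePlugin implements Plugin {

    private static final String MECHS_PROPERTY = "sasl.mechs";

    /** Reads sasl.mechs from the database first (3.6.x), then from openfire.xml (3.4.x). */
    static String readMechanismList() {
        String mechs = JiveGlobals.getProperty(MECHS_PROPERTY);
        if (mechs == null || mechs.trim().length() == 0) {
            mechs = JiveGlobals.getXMLProperty(MECHS_PROPERTY);
        }
        return mechs;
    }

    public void initializePlugin(PluginManager manager, File pluginDirectory) {
        String mechs = readMechanismList();
        if (mechs == null) {
            return; // nothing configured; the server keeps its default mechanism list
        }
        // Comma-separated, e.g. "ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,NTLM" as in the thread.
        for (String mech : mechs.split(",")) {
            String name = mech.trim().toUpperCase();
            if (name.length() > 0) {
                // Makes the server advertise <mechanism>NAME</mechanism> in stream:features,
                // which is exactly what was missing from the Pandion log above.
                SASLAuthentication.addSupportedMechanism(name);
            }
        }
    }

    public void destroyPlugin() {
        // Nothing to release in this illustration.
    }
}
```

If NTLM still does not appear in stream:features after this, the property value itself (System Properties, sasl.mechs) is the next thing to check, since that is where 3.6.x reads it from.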

Great, I have incorporated your changes into 7.2 and put it onto my website.

Many Thanks!

Sorry about this question. How can I install those files? I have the same problem.

Make sure you have the 7.2 version, and then just follow the install.txt file as before.