Openfire 4.2.3 and Spark - SSO with Windows 2012 R2

Hi, first time here…

So… I saw all the documentation posted by @speedy, tried them all, but my Spark clients still can’t connect.

Openfire is set up correctly; I can log in without SSO using LDAP. With SSO enabled I get the following error in Spark:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Unknown Source)

The keytab is working; when I try:

PS C:\Program Files\Java\jre1.8.0_171\bin> .\klist.exe -c -k "C:\Program Files\Openfire\resources\xmpp.keytab"

It returns all 5 entries for the principal name.

Also:

PS C:\Program Files\Java\jre1.8.0_171\bin> .\kinit.exe -k -t "C:\Program Files\Openfire\resources\xmpp.keytab" XMPP/rede.uniforteam.com.br

is working, opening tickets. I should point out that I already tried with the principal name being XMPP/chat.rede.uniforteam.com.br, which is the FQDN of the server.

SRV and PTR records are pointing to the server; KRB and GSS files are set up properly, given the amount of threads I read. The regedit key is also set.

I’m almost giving up on Openfire at this point.

Did you see this video and the doc linked in it? I’m happy to look over your configuration with you if you like.

Hi!

Yep, I saw the video, tutorial for Windows 2008, 2012, and so on…

I’m attaching my gss.conf and krb5.ini files. These are the commands I used to set the SPN and generate the current keytab:

>>>>>>Keytab

PS C:\Program Files\Java\jre1.8.0_171\bin> .\ktab.exe -k "C:\Program Files\Openfire\resources\xmpp.keytab" -a XMPP/chat.rede.uniforteam.com.br
Password for XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR:*****
Done!
Service key for XMPP/chat.rede.uniforteam.com.br is saved in C:\Program Files\Openfire\resources\xmpp.keytab

>>>>>>SPN

setspn -S XMPP/chat.rede.uniforteam.com.br xmpp-openfire

setspn -S XMPP/rede.uniforteam.com.br xmpp-openfire

setspn -S XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR xmpp-openfire

setspn -S XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR xmpp-openfire

>>>>>>gss.conf

com.sun.security.jgss.accept {
	com.sun.security.auth.module.Krb5LoginModule
	required
	storeKey=true
	// JAAS config files treat a backslash inside a quoted value as an escape,
	// so a Windows path needs doubled backslashes (or forward slashes)
	keyTab="C:\\Program Files\\Openfire\\resources\\xmpp.keytab"
	doNotPrompt=true
	useKeyTab=true
	isInitiator=false
	realm="REDE.UNIFORTEAM.COM.BR"
	principal="XMPP/rede.uniforteam.com.br"
	debug=true;
};

>>>>>>krb5.ini

[libdefaults]
	default_realm = REDE.UNIFORTEAM.COM.BR
	dns_lookup_realm = true
	dns_lookup_kdc = true

[realms]
	REDE.UNIFORTEAM.COM.BR = {
		kdc = cps-sv-dc02.rede.uniforteam.com.br
		admin_server = cps-sv-dc02.rede.uniforteam.com.br
		default_domain = rede.uniforteam.com.br
	}
[domain_realm]
	rede.uniforteam.com.br = REDE.UNIFORTEAM.COM.BR
	.rede.uniforteam.com.br = REDE.UNIFORTEAM.COM.BR

FQDN: chat.rede.uniforteam.com.br
DOMAIN: rede.uniforteam.com.br

  • Tested using KTPASS with -crypto all
  • I created a GPO with the Kerberos cryptography settings you instructed in the 28 Steps with Windows 2012 tutorial
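Two things worth verifying against the keytab and gss.conf posted above, as an added example (this is not Openfire, Spark or @speedy's code): that the exact principal string gss.conf names is in the keytab with identical case (Kerberos principal names are case-sensitive, so XMPP/... and xmpp/... are different principals), and that the entry's key version number matches the value Active Directory holds for the account, since every ktpass run bumps it and leaves older keytabs unusable. The parser below reads the standard 0x0502 keytab layout; the keytab bytes and the AD kvno passed to check_principal are constructed for the example.

```python
import struct  # added example; not Openfire, Spark or @speedy's code (see lead-in)
def _octets(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]         # 16-bit length-prefixed string
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{'principal', 'enctype', 'kvno'}, ...] for every live entry."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size <= 0:                  # negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _octets(data, pos + 2)        # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        vno8, enctype = struct.unpack_from(">8xBH", data, pos)   # skip name_type, timestamp
        _key, pos = _octets(data, pos + 11)                      # key material not needed
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": vno32 or vno8})  # 32-bit kvno wins if set
        pos = end
    return entries

def build_keytab(specs):  # fixture writer: (principal, enctype, kvno) in the same layout
    octets = lambda s: struct.pack(">H", len(s)) + s
    out = b"\x05\x02"
    for princ, enctype, kvno in specs:
        name, realm = princ.split("@")
        body = struct.pack(">H", name.count("/") + 1) + octets(realm.encode())
        body += b"".join(octets(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + octets(b"\0" * 16)
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

def check_principal(entries, expected, ad_kvno):
    """expected = gss.conf principal incl. realm; ad_kvno = the account's msDS-KeyVersionNumber."""
    kvnos = {e["principal"]: e["kvno"] for e in entries}
    if expected not in kvnos:
        near = [p for p in kvnos if p.lower() == expected.lower()]
        return "case mismatch: keytab has " + near[0] if near else "principal missing"
    return "ok" if kvnos[expected] == ad_kvno else "kvno mismatch: keytab %d, AD %d" % (kvnos[expected], ad_kvno)

# Constructed fixture: the two uppercase XMPP principals ktab wrote in the post above, kvno 3.
SAMPLE = build_keytab([("XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR", 23, 3),
                       ("XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR", 23, 3)])
```

On a real server, pass the bytes of xmpp.keytab to parse_keytab and take ad_kvno from `Get-ADUser xmpp-openfire -Properties msDS-KeyVersionNumber` on a domain controller.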

Do you have an Openfire property called xmpp.fqdn? Set this to chat.rede.uniforteam.com.br,
then in your gss.conf, update principal to xmpp/chat.rede…

Let me know if that helps.

Yep,

xmpp.fqdn = chat.rede.uniforteam.com.br

EDIT…

Just for sanity check I did the test, since I already used that config before, but yeah, same error.

Have you tried recreating the keytab using the Windows tool and not the Java tool? I've had problems with the Java tool in the past, which is why my docs suggest using the Windows one. Here is a sample of the command:

ktpass -princ xmpp/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR -mapuser xmpp-openfire@REDE.UNIFORTEAM.COM.BR -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

Hi,

Yes, tried both KTPASS and KTAB, with principal names:

XMPP/chat.rede.uniforteam.com.br
XMPP/rede.uniforteam.com.br
XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
xmpp/chat.rede.uniforteam.com.br
xmpp/rede.uniforteam.com.br
xmpp/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
xmpp/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR

I’ve set up a CentOS VM and am installing Openfire there to see if it will work in a *NIX environment.

Okay… I’ve set up Openfire 4.2.3 on a CentOS 7.4 VM, used the bundled JRE, and followed this:

The only part I didn’t follow was editing the keytab, since all principals there are the xmpp ones I need.

Same error on Spark:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Unknown Source)

Another thread going silent…

SSO and Openfire are illusions, that’s what I’m getting; most threads either die off or people claim to have the solution but don’t explain what they’ve done.

I have been able to get SSO to work multiple times. I promise you, it is no myth. But your environment may be very different from the ones I have set up. I’m currently on vacation and traveling, so my availability is very limited until June 11. I’m happy to do a WebEx with you to see if I can at least see what’s going on.

Hi Speedy,

It took me a long while to come around and have time for this again.

This is driving me crazy… It won’t work, maybe because of Windows 2012 level schema on Active Directory.

It should work fine. I should have some free time tomorrow to help you look at it.