
Openfire 4.2.3 and Spark - SSO with Windows 2012 R2

sasl

#1

Hi, first time here…

So… I saw all the documentation posted by @speedy, tried them all, but my Spark clients still can’t connect.

Openfire is set up correctly, I can log in without SSO using LDAP. With SSO enabled I get the following error in Spark:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Unknown Source)

The keytab is working, when I try:

PS C:\Program Files\Java\jre1.8.0_171\bin> .\klist.exe -c -k "C:\Program Files\Openfire\resources\xmpp.keytab"

It returns all 5 entries for the principal name.

Also:

PS C:\Program Files\Java\jre1.8.0_171\bin> .\kinit.exe -k -t "C:\Program Files\Openfire\resources\xmpp.keytab" XMPP/rede.uniforteam.com.br

It is working and obtaining tickets. I should point out that I already tried with the principal name being XMPP/chat.rede.uniforteam.com.br, which is the FQDN of the server.

SRV and PTR records are pointing to the server, and the KRB and GSS files are set up properly, judging by the number of threads I have read. The regedit key is also set.

I’m almost giving up on Openfire at this point.


#2

Did you see this video and the doc linked in it? I’m happy to look over your configuration with you if you like.


#3

Hi!

Yep, I saw the video and the tutorials for Windows 2008, 2012, and so on…

I’m attaching my gss.conf and krb5.ini files. These are the commands I used to set the SPN and generate the current keytab:

>>>>>>Keytab

PS C:\Program Files\Java\jre1.8.0_171\bin> .\ktab.exe -k "C:\Program Files\Openfire\resources\xmpp.keytab" -a XMPP/chat.rede.uniforteam.com.br
Password for XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR:*****
Done!
Service key for XMPP/chat.rede.uniforteam.com.br is saved in C:\Program Files\Openfire\resources\xmpp.keytab

>>>>>>SPN

setspn -S XMPP/chat.rede.uniforteam.com.br xmpp-openfire

setspn -S XMPP/rede.uniforteam.com.br xmpp-openfire

setspn -S XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR xmpp-openfire

setspn -S XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR xmpp-openfire

>>>>>>gss.conf

com.sun.security.jgss.accept {
	com.sun.security.auth.module.Krb5LoginModule
	required
	storeKey=true
	// JAAS quoted strings treat a backslash as an escape character, so
	// Windows path separators must be doubled (or written as forward slashes)
	keyTab="C:\\Program Files\\Openfire\\resources\\xmpp.keytab"
	doNotPrompt=true
	useKeyTab=true
	isInitiator=false
	realm="REDE.UNIFORTEAM.COM.BR"
	principal="XMPP/rede.uniforteam.com.br"
	debug=true;
};

>>>>>> krb5.ini

[libdefaults]
	default_realm = REDE.UNIFORTEAM.COM.BR
	dns_lookup_realm = true
	dns_lookup_kdc = true

[realms]
	REDE.UNIFORTEAM.COM.BR = {
		kdc = cps-sv-dc02.rede.uniforteam.com.br
		admin_server = cps-sv-dc02.rede.uniforteam.com.br
		default_domain = rede.uniforteam.com.br
	}
[domain_realm]
	rede.uniforteam.com.br = REDE.UNIFORTEAM.COM.BR
	.rede.uniforteam.com.br = REDE.UNIFORTEAM.COM.BR

FQDN: chat.rede.uniforteam.com.br
DOMAIN: rede.uniforteam.com.br

  • Tested using KTPASS with -crypto all
  • I created a GPO with the Kerberos cryptography settings you specified in the 28 Steps with Windows 2012 tutorial
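As an added illustration (not part of this thread or of Openfire's own tooling): a small Python script that parses a v2 keytab and classifies how the principal from gss.conf matches it, since a keytab entry that differs only in case from the configured principal, or that names the domain instead of the server FQDN, is not found during GSSAPI acceptance. The sample keytab is constructed inline with the names used in this thread; the name_type and timestamp fields are written as placeholders.

```python
import struct

def _counted(s: bytes) -> bytes:  # 16-bit length-prefixed field
    return struct.pack(">H", len(s)) + s

def build_keytab(entries):
    # Constructed v2 (0x0502) keytab; entries are (principal, kvno, enctype, key)
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno)  # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    # Return [(principal, kvno, enctype)] from a v2 keytab (ktpass and ktab both write this)
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, pos = [], 2
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        parts = []                         # realm first, then name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            parts.append(data[pos + 2:pos + 2 + n].decode()); pos += 2 + n
        pos += 8                           # skip name_type and timestamp
        kvno = data[pos]; pos += 1         # 8-bit vno; trailing 32-bit vno not needed here
        etype = struct.unpack(">H", data[pos:pos + 2])[0]
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        pos = end
    return entries

def check_principal(keytab: bytes, configured: str, realm: str, fqdn: str) -> str:
    # Keytab lookup is case-sensitive, and the service host must be the server FQDN
    if "@" not in configured: configured += "@" + realm  # gss.conf may give realm= separately
    names = [p for p, _, _ in parse_keytab(keytab)]
    if configured in names:
        host = configured.split("/", 1)[1].split("@", 1)[0]
        return "ok" if host.lower() == fqdn.lower() else "host-mismatch"
    if configured.lower() in [n.lower() for n in names]: return "case-mismatch"
    return "missing"

# Constructed sample mirroring the thread: uppercase XMPP and the domain, not the server FQDN
SAMPLE = build_keytab([("XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR", 3, 18, b"\0" * 32)])
```

Running `check_principal` against a real keytab with the principal, realm and xmpp.fqdn from your configuration tells you which of the three mismatches applies before touching the KDC again.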

#4

Do you have an Openfire property called xmpp.fqdn? Set this to chat.rede.uniforteam.com.br.
Then in your gss.conf, update principal to xmpp/chat.rede…

let me know if that helps


#5

Yep,

xmpp.fqdn = chat.rede.uniforteam.com.br

EDIT…

Just for a sanity check I did the test, since I already used that config before, but yeah, same error.


#6

Have you tried recreating the keytab using the Windows tool and not the Java tool? I’ve had problems with the Java tool in the past, which is why my docs suggest using the Windows one. Here is a sample of the command:

ktpass -princ xmpp/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR -mapuser xmpp-openfire@REDE.UNIFORTEAM.COM.BR -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


#7

Hi,

Yes, tried both KTPASS and KTAB, with principal names:

XMPP/chat.rede.uniforteam.com.br
XMPP/rede.uniforteam.com.br
XMPP/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
XMPP/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
xmpp/chat.rede.uniforteam.com.br
xmpp/rede.uniforteam.com.br
xmpp/chat.rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR
xmpp/rede.uniforteam.com.br@REDE.UNIFORTEAM.COM.BR

I’ve set up a CentOS VM and am installing Openfire there to see if it will work in a *NIX environment.


#8

Okay… I’ve set up Openfire 4.2.3 on a CentOS 7.4 VM, used the bundled JRE, and followed this:

The only part I didn’t follow was editing the keytab, since all principals there are the xmpp ones I need.

Same error on Spark:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Unknown Source)

#9

Another thread going silent…

SSO and Openfire are illusions, that’s what I’m getting; most threads either die off or people claim to have the solution but don’t explain what they’ve done.


#10

I have been able to get SSO to work multiple times. I promise you, it is no myth. But your environment may be very different from the ones I have set up. I’m currently on vacation and traveling, so my availability is very limited until June 11. I’m happy to do a WebEx with you to see if I can at least see what’s going on.


#11

Hi Speedy,

It took me a long while to come around and have time for this again.

This is driving me crazy… It won’t work, maybe because of Windows 2012 level schema on Active Directory.


#12

It should work fine. I should have some free time tomorrow to help you look at it.