Hello. I discovered all the themes on this site about SSO, but still nothing helps me. Right now I have the error SASLERROR using GSSAPI: not authorized.
My server is a Red Hat-based distro.
Clients right now are Windows 10.
I tried running Spark with admin rights; it's not helping.
The registry AllowTGTSessionkey DWORD = 1 is done.
kinit -V -k -t keytabfile.keytab xmpp/domain.domain@DOMAIN successfully authenticates me.
I rebooted client and server many times.
Properties in the admin panel are like this:
sasl.gssapi.config /usr/share/openfire/conf/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm DOMAIN
SSO is enabled in settings and I picked "use DNS".
Which should be the encryption mode, enabled or disabled? Because in each mode the errors are not the same.
Well, I did the setup from scratch and now I have this.
Spark log:
dec 25, 2024 3:34:41 PM org.jivesoftware.spark.util.log.Log error
SEVERE: Exception in Login:
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:286)
at org.jivesoftware.smack.AbstractXMPPConnection.lambda$new$2(AbstractXMPPConnection.java:407)
at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.accept(NonzaCallback.java:177)
at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.access$200(NonzaCallback.java:166)
at org.jivesoftware.smack.NonzaCallback.onNonzaReceived(NonzaCallback.java:46)
at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessNonza(AbstractXMPPConnection.java:1440)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1700(XMPPTCPConnection.java:131)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1010)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:916)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:939)
at java.lang.Thread.run(Unknown Source)
java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 12: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:139) ~[?:?]
at sun.security.provider.ConfigFile.<init>(ConfigFile.java:104) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:128) ~[?:?]
at jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:347) ~[?:?]
at java.lang.Class.newInstance(Class.java:645) ~[?:?]
at javax.security.auth.login.Configuration$2.run(Configuration.java:258) ~[?:?]
at javax.security.auth.login.Configuration$2.run(Configuration.java:249) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:248) ~[?:?]
at sun.security.jgss.LoginConfigImpl$1.run(LoginConfigImpl.java:77) ~[java.security.jgss:?]
at sun.security.jgss.LoginConfigImpl$1.run(LoginConfigImpl.java:75) ~[java.security.jgss:?]
at java.security.AccessController.doPrivileged(AccessController.java:318) ~[?:?]
at sun.security.jgss.LoginConfigImpl.<init>(LoginConfigImpl.java:75) ~[java.security.jgss:?]
at sun.security.jgss.GSSUtil.login(GSSUtil.java:249) ~[java.security.jgss:?]
at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:123) ~[java.security.jgss:?]
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:75) ~[java.security.jgss:?]
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:73) ~[java.security.jgss:?]
at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:72) ~[java.security.jgss:?]
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:133) ~[java.security.jgss:?]
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:174) ~[java.security.jgss:?]
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:439) ~[java.security.jgss:?]
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:74) ~[java.security.jgss:?]
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:135) ~[java.security.jgss:?]
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:110) ~[jdk.security.jgss:?]
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85) ~[jdk.security.jgss:?]
at javax.security.sasl.Sasl.createSaslServer(Sasl.java:581) ~[?:?]
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:310) [xmppserver-4.7.5.jar:4.7.5]
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:182) [xmppserver-4.7.5.jar:4.7.5]
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.5.jar:4.7.5]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
at java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: java.io.IOException: Configuration Error:
Line 12: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:669) ~[?:?]
at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:575) ~[?:?]
at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:457) ~[?:?]
at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:430) ~[?:?]
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:332) ~[?:?]
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:274) ~[?:?]
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137) ~[?:?]
Already looked, and also looked at a lot of themes on this forum. None of them worked. The error is the same.
Tested also with Prosody and ejabberd. Only ejabberd + Spark is working as needed right now…
Also, I didn't mention it, but Openfire is on a Linux RHEL-based server. Does anybody successfully get SSO working on this? LDAP-based auth is working, but not SSO. In one theme here I saw that I need "Java version no higher than Java 8 update 221 and Java 11.0.4. in latest java versions my SSO doesn't work".
Installed an older version of Java, but this doesn't help.
This should work on Linux without issue. I've accomplished this task as well. My day job has kept me insanely busy, but DM me and we'll see if we can't work something out.
Case sensitivity matters. Check your principal in your gss.conf file to make sure it's correct.
Also make sure you don't have any duplicate SPNs, as this will cause issues. You'll want to delete duplicates.
setspn -X should return duplicates if they are found.
You can also use setspn -Q */* to list all your SPNs in AD.
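Two server-side clues in this thread can be checked before the next Openfire restart: the `Configuration Error: Line 12: expected [controlFlag]` in the log above, and the advice just given to check the principal's case in gss.conf. The following is an added example (my own code, not Openfire's, Spark's or the JDK's): a small parser for the JAAS login-configuration syntax that gss.conf uses, which reports defects with the same `Line N: expected [...]` wording the JDK's ConfigFile prints, plus a check that the `principal=` in the `com.sun.security.jgss.accept` entry matches, character for character, the principal that `kinit -k -t` succeeded with (`xmpp/domain.domain@DOMAIN` from the first post). The gss.conf text and the keytab path in it are constructed for the example.

```python
"""Parse an Openfire gss.conf (a JAAS login config) the way the JVM's ConfigFile
does and compare its principal with the one kinit used. Added example, not
Openfire, Spark or JDK code; the file contents and paths below are constructed."""
import re

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")
# One token per match: quoted string | comment | punctuation | bare word.
_TOKEN = re.compile(r'"([^"]*)"|(//[^\n]*|#[^\n]*)|([{};=])|([^\s{};="]+)')

def tokenize(text):
    """Yield (kind, value, line) with kind in {'str', 'punct', 'word'}."""
    line, pos = 1, 0
    for m in _TOKEN.finditer(text):
        line += text.count("\n", pos, m.start())
        pos = m.start()
        if m.group(1) is not None:
            yield "str", m.group(1), line
        elif m.group(3):
            yield "punct", m.group(3), line
        elif m.group(4):
            yield "word", m.group(4), line   # group(2) is a comment: skipped

def parse_jaas(text):
    """Return {app_name: [(module_class, flag, {option: value}), ...]}; raise
    ValueError with a JDK-style "Line N: expected [X]" message at the first defect."""
    toks, i = list(tokenize(text)), 0

    def take(kind, what, literal=None):
        nonlocal i
        if i >= len(toks):
            raise ValueError(f"expected [{what}], read end of file")
        k, val, ln = toks[i]
        if k != kind or (literal is not None and val != literal):
            found = "" if k == "punct" else f", found [{val}]"  # JDK omits it for punctuation
            raise ValueError(f"Line {ln}: expected [{what}]{found}")
        i += 1
        return val, ln

    at = lambda p: i < len(toks) and toks[i][:2] == ("punct", p)   # next token is punct p?
    config = {}
    while i < len(toks):
        app, _ = take("word", "application name")
        take("punct", "{", "{")
        modules = []
        while not at("}"):
            cls, _ = take("word", "module class name")
            flag, ln = take("word", "controlFlag")
            if flag.lower() not in CONTROL_FLAGS:
                raise ValueError(f"Line {ln}: invalid control flag [{flag}]")
            opts = {}
            while not at(";"):
                key, _ = take("word", "option key")
                take("punct", "=", "=")
                if i < len(toks) and toks[i][0] != "punct":
                    opts[key] = toks[i][1]
                    i += 1
                else:
                    take("str", "option value")   # raises with the line number
            take("punct", ";", ";")
            modules.append((cls, flag.lower(), opts))
        take("punct", "}", "}")
        take("punct", ";", ";")
        config[app] = modules
    return config

def check_principal(config, kinit_principal, app="com.sun.security.jgss.accept"):
    """List problems with the accept entry (empty = OK). Kerberos principals are
    case sensitive, so gss.conf must carry exactly the keytab principal kinit used."""
    krb5 = [o for c, _f, o in config.get(app, []) if c.endswith("Krb5LoginModule")]
    if not krb5:
        return [f"no Krb5LoginModule under '{app}', so the server side cannot log in"]
    problems = []
    for opts in krb5:
        p = opts.get("principal")
        if p is None:
            problems.append("Krb5LoginModule has no principal= option")
        elif p != kinit_principal:
            hint = " (differs only in case)" if p.lower() == kinit_principal.lower() else ""
            problems.append(f"principal {p!r} != kinit principal {kinit_principal!r}{hint}")
    return problems

# Constructed samples. BAD_CONF ends the module line before its control flag,
# which is the situation the JDK reports as "Line N: expected [controlFlag]".
GOOD_CONF = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="xmpp/domain.domain@DOMAIN"
    useKeyTab=true
    keyTab="/usr/share/openfire/conf/xmpp.keytab"
    storeKey=true
    isInitiator=false
    debug=true;
};
"""
BAD_CONF = GOOD_CONF.replace("Krb5LoginModule required", "Krb5LoginModule;\n    required")

def report(text, kinit_principal):
    """One-line verdict in the same shape as the Openfire log line."""
    try:
        return "; ".join(check_principal(parse_jaas(text), kinit_principal)) or "OK"
    except ValueError as e:
        return f"Configuration Error: {e}"
```

Run it against the real file with `report(open('/usr/share/openfire/conf/gss.conf').read(), 'xmpp/domain.domain@DOMAIN')` (the path is the `sasl.gssapi.config` value from the first post). The JDK produces the `expected [controlFlag]` form, with no `found [...]` part, when a punctuation token (`;`, `=`, `{`, `}`) sits where `required`, `requisite`, `sufficient` or `optional` must follow the module class name; a misspelled word in that position gives its separate "invalid control flag" error instead, and the parser mirrors both. A principal that differs from the keytab entry only in case is flagged separately, because that mismatch is easy to overlook by eye and still fails the acceptor login.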