Openfire + Spark SSO issues

Hello all, I know this is a question that has been presented a million times over, but I can’t make any sense as to why my setup is not working.

KDC is a 2008 enterprise server

Openfire server is running on a repurposed Win7 machine.

I followed the guide found here:

https://community.igniterealtime.org/docs/DOC-2706

Initially, I set up Openfire on the same server as the KDC. Using the link above, I was able to get SSO working properly for Windows 7 PCs. I did, however, have issues with the AD binding, so I decided it would be better to run Openfire from a different machine instead of the AD server itself. I did a complete uninstall of Openfire from the server and reinstalled on the Windows 7 machine. I went back through setting up SSO with the guide above. And now I cannot connect, and I receive the general error of “check principal or server name.” Looking at the error log, it looks like it cannot find my krb5.ini file; I verified that the file is in place, but the same error persists.

So far in testing I have verified that the GSSAPI settings were present in my Openfire server properties, and added the xmpp.fqdn property and set it to the FQDN of the Openfire server.

I can connect to the openfire server without SSO.

I am running Openfire 3.9.3 with Spark 2.6.3.

Thanks in advance for assisting!

javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\Windows\krb5.ini (The system cannot find the file specified))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.(Unknown Source)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(Unknown Source)

at javax.security.sasl.Sasl.createSaslClient(Unknown Source)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:85)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\Windows\krb5.ini (The system cannot find the file specified))

at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)

at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)

at sun.security.jgss.GSSNameImpl.init(Unknown Source)

at sun.security.jgss.GSSNameImpl.(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)

… 11 more

Jun 3, 2014 11:26:58 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

not-authorized(401)

at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:109)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

UPDATE

I realized that I had not placed the krb5.ini on my Openfire server in the right location. Resolved that issue. Now my error logs are stating that the server is not found in the Kerberos database (7).

Jun 3, 2014 12:10:04 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.(Unknown Source)

… 18 more


The issue is likely your keytab file and SPN mapping. You’ll need to remove the old mappings and recreate them with the new server. Then recreate your keytab file.

Thanks for the help speedy!

I have gone back in to my KDC, created a new user in AD, and used that user to set SPN and generate a new keytab file.

I copied the new keytab from KDC to openfire server and placed in \resources.

I am still not able to use SSO, and it looks like it’s the same error message as before.

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.(Unknown Source)

What’s your kinit output when you test it against your keytab file?

OK, so there’s a good chance that I did not run this command correctly; I can’t figure out how to specify the path of the keytab file. Also, should I be running this from the KDC? I didn’t have the JRE installed on the server.

C:\Program Files (x86)\Openfire\jre\bin>kinit.exe shane.raymond@SAFINA.COM -k -t xmpp.keytab

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error

KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:

at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)

at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)

at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)

at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)

at sun.security.krb5.internal.tools.Kinit.(Unknown Source)

at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

You can copy the keytab file into openfire\jre\bin and then run kinit from there:

kinit -k -t xmpp.keytab xmpp/servername@DOMAIN.LOCAL password

(“password” being the account password used for creating the keytab file.)

Thanks for the syntax help!

I copied the *.keytab file into \bin and ran kinit against it, using the password of the xmpp service account I created. There was no output to the screen; it just returned to the prompt to wait for a new command.

C:\Program Files (x86)\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/server.DOMAIN.LOCAL password

C:\Program Files (x86)\Openfire\jre\bin>

In the meantime, I had also run kinit from my client pc:

kinit user.name@DOMAIN.LOCAL

After prompting for my password, it creates a ticket, stores it in the cache, and I am able to use SSO with Spark. I tested with a reboot on the client PC, and I am still using SSO successfully. From my limited knowledge of Kerberos, I feel like that ticket will expire, and I would have to rinse and repeat on all of my client machines.

No output is a good thing! Sounds like your keytab file is good.

Another issue could be UAC. If you are signed in as an admin, you’ll need to disable UAC for SSO to work with Win7. With Win8, you’ll have to run Spark with “Run as administrator”.

Awesome! Glad to know the keytab is OK then.

I just went to check the UAC settings, and it had already been disabled on my client PC (Win7), so the error wasn’t coming from there. Am I correct in thinking that the ticket created by running kinit at the client with my user will expire?

It should renew… but if you want to test, you can clear your ticket cache:

KList purge

Then try sso again to see if you are issued a new ticket.

I ran klist purge, and tried sso again. Spark logs in successfully, but when I run klist to see if I have any cached tickets, it says that there are no tickets cached. I am not sure if that is normal. I’m just confused; if I don’t have a ticket cached that spark generated, how did it just SSO to the server?

Another day, a new set of errors.

I have two PCs now that are still unable to connect through SSO (I believe that the issue lies in preexisting problems with the PCs); they are getting the “Server not found in Kerberos database” error.

On my test PC (that was working yesterday) I am now getting a “GSS initiate failed”.

I pulled the keytab file over to my client PC to test against it, and it passes with no issues.

I also read in another thread that it might be a permissions issue on the krb5.ini file, so I have given Everyone read & execute permissions; still no dice.

Jun 4, 2014 9:14:50 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

What’s your krb5.ini file look like? Mine is pretty simple. Keep in mind it’s case sensitive:

[libdefaults]

default_realm = DOMAIN.LOCAL

[realms]

DOMAIN.LOCAL = {

kdc = dcserv1.domain.local

kdc = dcserv2.domain.local

admin_server = dcserv1.domain.local

default_domain = domain.local

}

[domain_realms]

domain.local = DOMAIN.LOCAL

.domain.local = DOMAIN.LOCAL

Mine is identical, except that it has a few lines setting encryption types:

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

I deleted those from the .ini files on the client and on the server.

Now, when I try to get Spark to use SSO, it states that it will attempt its login using xmpp/fqdn.of.openfireServer@DOMAIN.LOCAL.

The only thing that I can think of is that when I tested my keytab file from the client side I did something inside of Kerberos to screw it up. Otherwise, I am at a complete loss as to why Spark does not want to use my username. My knowledge of Kerberos is limited.

UPDATE

I was able to get spark to recognize the current user. I ended up running

kinit user@DOMAIN.LOCAL

to make spark change back to seeing my user.

Once I ran that, I am again able to SSO in the environment.
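As an added check that is not part of this thread or of Openfire, the following Python parses a krb5.ini laid out like speedy’s above and flags the things this thread tripped over: a default_realm that is not upper-case (the file is case sensitive), no [realms] block for that realm, a section name MIT krb5 and Java do not recognise (they expect [domain_realm]), and the weak enctypes the poster removed from the [libdefaults] section. The sample files, DOMAIN.LOCAL and dcserv1 are constructed placeholders.

```python
import re

# Section names MIT krb5 and Java's Kerberos config accept (assumed standard set, not from the thread).
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}
# Enctypes a current deployment should not permit; the poster's removed lines listed exactly these.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_krb5(text):
    """Parse krb5.ini into {section: {key: [values]}}; 'NAME = {' blocks nest one level deeper."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # '#' begins a comment
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):            # [section] header
            section, block = sections.setdefault(m.group(1), {}), None
        elif section is None:
            raise ValueError(f"key outside any section: {line!r}")
        elif line.endswith("{"):                             # 'REALM = {' opens a block
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        else:                                                # repeated keys (two kdc lines) are kept
            key, _, value = line.partition("=")
            (section if block is None else block).setdefault(key.strip(), []).append(value.strip())
    return sections

def check_krb5(text):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    cfg = parse_krb5(text)
    lib, realms = cfg.get("libdefaults", {}), cfg.get("realms", {})
    findings = [f"unknown section [{s}] (expected e.g. [domain_realm])" for s in cfg if s not in KNOWN_SECTIONS]
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        findings.append("[libdefaults] has no default_realm")
    else:
        if realm != realm.upper():                           # realm names are case sensitive
            findings.append(f"default_realm {realm!r} is not upper-case")
        if realm not in realms:
            findings.append(f"[realms] has no block for {realm}")
        elif "kdc" not in realms[realm]:
            findings.append(f"[realms] block {realm} names no kdc")
    for key in ENCTYPE_KEYS:
        for val in lib.get(key, []):
            weak = [e for e in val.split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"{key} permits weak enctypes: {' '.join(weak)}")
    return findings

# Constructed sample modelled on the thread's file; DOMAIN.LOCAL and dcserv1 are placeholders.
GOOD_INI = """[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = dcserv1.domain.local
}
[domain_realm]
domain.local = DOMAIN.LOCAL
"""
# Same file with a lower-case realm, the poster's enctype line and a misspelled section name.
BAD_INI = GOOD_INI.replace("default_realm = DOMAIN.LOCAL", "default_realm = domain.local\n"
                           "default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5"
                           ).replace("[domain_realm]", "[domain_realms]")
```

Run check_krb5 on the text of the krb5.ini from both the Openfire server and a failing client; the two copies should produce identical (ideally empty) findings.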

Are you having any issues with other workstations?

Yes. I have two machines (one Win7, one Win8) that are both getting the “cannot find server in Kerberos database (7)” error. But they are also having a weird issue with their NIC driver, so it’s possible that the culprit could be in how those packets are getting handled. As it stands, I have two users that came in this morning and on a clean boot SSO without issues with Spark. My test machine was not a clean boot (hibernated and then resumed session), so I’m sure that probably threw a wrench in the works.

So, it has been a while, and I am just now getting back around to having the time to test this again.

I have two machines in my network environment (one laptop, one desktop, both WIN7) that are able to sign in via SSO.

I have three other machines that it fails on. Every time. I have the same krb5.ini file copied to each location. I have UAC disabled on each workstation. I deleted the local cached profile from my test machine and reloaded the user folders. I have even gone as far as to recreate the keytab file with both Java and Windows again. Neither allows me to SSO from my test machine, and I don’t see a difference between my test PC and the user’s PC that SSO is working on.

I have also double-checked that there were no duplicate entries in the SPN using setspn -f xmpp/servername.domain.com@DOMAIN.COM

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

In the output file, it looks to me as if everything should be working normally…

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is user@DOMAIN.COM

Commit Succeeded

I truly don’t understand how this is working for two machines and not for three.

I wanted to see if there was any progress on this post? I am following Speedy’s guide and I am having the same exact issue with my SSO implementation. However, I cannot get any of the clients to authenticate at all. I verified my keytab like in this post.

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

I fixed my error by running setspn -X, and I found duplicate SPNs for my XMPP server.

Now I am getting a new error. I have turned on Kerberos logging on the domain controller, and I can see a new error on the Spark client:

SASL authentication GSSAPI failed: not-authorized:

And new error on the DC:

0xd KDC ERR_BADOPTION

Fixed this issue. For some reason it wanted my xmpp.keytab in the following folder: c:/program files/Openfire/resources, while my Openfire install was in C:\program files (x86)\Open Fire\resources. Once I created the folders and moved the keytab file to C:\program files (x86)\Open Fire\resources, it started working.