Openfire+spark SSO problem

Hello. I'm having trouble with SSO Kerberos authentication. The Openfire server is hosted on Ubuntu 12.04 LTS, the DC is Windows Server 2008 R2. Clients run WinXP or Win7.

When I try to log in from WinXP I get this error:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]

From Win7:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Illegal key size)]

Any help with this problem would be appreciated.

krb5.ini

[libdefaults]
    default_realm = MIS.PNCENTER.RU
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    MIS.PNCENTER.RU = {
        kdc = mis.pncenter.ru
        admin_server = mis.pncenter.ru
        default_domain = MIS.PNCENTER.RU
    }

[domain_realm]
    .mis.pncenter.ru = MIS.PNCENTER.RU
    mis.pncenter.ru = MIS.PNCENTER.RU

gss.conf

com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule
        required
        storeKey=true
        keyTab="/usr/share/openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="MIS.PNCENTER.RU"
        principal="xmpp/openfire.mis.pncenter.ru@MIS.PNCENTER.RU"
        debug=true
        isInitiator=false;
};

krb5.conf

[libdefaults]
    default_realm = MIS.PNCENTER.RU
    kdc_timesync = 1
    forwardable = true
    proxiable = true
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[realms]
    MIS.PNCENTER.RU = {
        kdc = orionserver.mis.pncenter.ru
        admin_server = orionserver.mis.pncenter.ru
        default_domain = mis.pncenter.ru
    }

[domain_realm]
    mis.pncenter.ru = MIS.PNCENTER.RU
    .mis.pncenter.ru = MIS.PNCENTER.RU
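Both errors above point at an encryption-type mismatch between the service key and what the clients' krb5.conf/krb5.ini permit, so the first thing to verify is which enctypes the keytab actually holds. The following Python is an added example, not code from this thread or from Openfire: it parses an MIT version-2 keytab and intersects its enctypes with the permitted_enctypes line quoted above. The keytab bytes are constructed here for the principal named in gss.conf (with dummy key material); on a real server you would read the file named by keyTab instead.

```python
import struct

# Enctype numbers most often seen in Active Directory keytabs (RFC 3961 / MS-KILE)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    # keytab counted_octet_string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT version-2 (0x0502) keytab into principal/enctype/kvno records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0: off -= size; continue      # deleted slot: skip abs(size) payload bytes
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        off += 8                                # uint32 name_type + uint32 timestamp
        vno8, enctype, klen = struct.unpack_from(">BHH", data, off)
        off += 5 + klen                         # skip the key material itself
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, f"etype-{enctype}")})
        off = end
    return entries

def compatible_enctypes(entries, permitted_enctypes):
    # Keytab enctypes that the client's permitted_enctypes line also allows
    return sorted({e["enctype"] for e in entries} & set(permitted_enctypes.split()))

def _entry(realm, comps, enctype, kvno, key):
    # Build one keytab entry; constructed test data, the key bytes are dummies
    c = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + c(realm) + b"".join(map(c, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

PERMITTED = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5"    # permitted_enctypes above
SPN = ["xmpp", "openfire.mis.pncenter.ru"]                     # principal from gss.conf
AES_ONLY = b"\x05\x02" + _entry("MIS.PNCENTER.RU", SPN, 18, 3, b"\x11" * 32)  # constructed
WITH_RC4 = AES_ONLY + _entry("MIS.PNCENTER.RU", SPN, 23, 3, b"\x22" * 16)     # constructed
```

An empty intersection for the AES-only keytab is exactly the situation the krb5.conf above creates. An AES-256 service key additionally needs the JCE unlimited-strength policy files in the client's Java, which is the usual cause of "Illegal key size".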

The problem is still current.

Is this problem so serious that no one can help me solve it? Otherwise, why is there no answer in this thread after almost a week?

hey…here is a doc I wrote up a while ago. Hope it helps

http://community.igniterealtime.org/docs/DOC-2585

Thanks, but is there any chance to make this work when Openfire is on a Linux machine?

It should be pretty much the same process. Paths of course will be a little different…


Any ideas on what this error means?

Closing connection due to error while processing message:

I get this on the openfire server error log when trying sso from a win 7 client.

https://drive.google.com/file/d/0BwG5UzfMZQHjR1pJaEVnOW0xd0U/edit?usp=sharing

A link to my documentation I used to get SSO working. Comments please.

Are there any suggestions why this exception happens when I try to log in with SSO?

02.04.2014 11:35:00 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
 -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
	at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
	at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
	at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
	at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
	at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
	at java.lang.Thread.run(Unknown Source)

Advice: Check everything over in detail for incorrect paths and typos. When I first tried SSO, I had an incorrect file path in openfire.xml which caused a similar error to the one above! Once spotted and fixed, SSO worked seamlessly.

Check the path of your gss.conf in your openfire.xml in C:\Program Files\Openfire\conf\

Make sure it is: C:/Program Files/Openfire/conf/gss.conf

Hi! Not working for me. And there is the question: which account is used to connect to AD, xmpp-openfire or some other?

You can use any account to connect to AD. I would recommend not using xmpp-openfire. In my lab I used the default domain administrator, but it only needs to be a user with read rights.

When I add record to hosts file, SSO starts working. Problem seems to be in DNS records. Could you please describe all DNS records, you added to get SSO working?

I have this situation: Openfire installed on Win2008R2, connecting to AD using my account. From the console I can see the domain user accounts. Everything is set up using your instructions, but Spark does not want to connect with SSO; if I enter the password manually, it works.

DNS config is as per my documentation.

After running Spark, the section in openfire.xml has changed to:

    <realm>NEM.GROUPHMS.LOCAL</realm>

but before running Spark it looked like this:

    <sasl>
        <mechs>GSSAPI</mechs>
        <realm>NEM.GROUPHMS.LOCAL</realm>
        <gssapi>
            <debug>true</debug>
            <config>C:/Program Files/Openfire/conf/gss.conf</config>
            <useSubjectCredsOnly>false</useSubjectCredsOnly>
        </gssapi>
    </sasl>

I’m going crazy?

Pavel, did you get it working? I no longer know where to dig. This is the third day I have been trying to set it up, and nothing…

This is normal. The server absorbs the config. What I did: before starting the service, make a copy of the xml for future reference.

Do you have:

org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy

in the xml also?

Yes, it seems to be working now.

I removed the A and PTR records for xmpp/openfire from DNS. SSO seems to be working now without editing the hosts file.