Openfire/Spark strange login issues

We’ve been running OpenFire and Spark for years now with SSO working well. Recently we’re having some strange login issues. It seems randomly some users can’t login. I can restart the openfire service and ones that couldn’t login before may or may not be able to login. Same applies to people that were successfully logged in before. It’s almost like around 30 or so users can and then no others can. There’s only 50 or so users total. Here’s the stats:

Openfire 3.8.1 Alpha

Java Version:
1.6.0_18 Sun Microsystems Inc. – Java HotSpot™ Client VM
Appserver:
jetty/7.x.y-SNAPSHOT
OS / Hardware:
Windows Server 2008 R2 / x86
Java Memory
31.54 MB of 247.50 MB (12.7%) used

Client Connection Security

Optional - Clients may connect to the server using secured connections.

Required - Clients can only connect to the server using secured connections.

Custom - Advanced configuration

Server Connection Security

Optional - Connections between servers may use secured connections.

Required - Connections between servers always use secured connections.

Custom - Advanced configuration

Accept self-signed certificates. Server dialback over TLS is now available

Self signed certs are not expired

Spark Client 2.6.3

A snip from one machine that’s currently having the login issue, taken from their loacl profile spark warn.log

Aug 2, 2016 11:23:54 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Receive timed out)]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanis m.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Receive timed out)]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanis m.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: java.net.SocketTimeoutException: Receive timed out

at java.net.PlainDatagramSocketImpl.receive0(Native Method)

at java.net.PlainDatagramSocketImpl.receive(Unknown Source)

at java.net.DatagramSocket.receive(Unknown Source)

at sun.security.krb5.internal.UDPClient.receive(Unknown Source)

at sun.security.krb5.KrbKdcReq$KdcCommunication.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbTgsReq.send(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Thoughts or ideas on what else to check?

Update:

I was able to replicate this on a workstation that wasn’t able to login. If I end task on spark.exe and start it again, it signs on right away. If I Exit the spark application and start it again, it won’t sign-on. If I then end task on spark and open it again, it’ll sign on. If I select logoff instead of exit, it will sign on again right away without ending the spark task. So it’s like on exit it’s not sending a close session or something to the server? For now I can have users end task to get it working but that’s obviously not the correct solution. What should I be checking.

Update:

I updated a client to 2.7.7 Build 810 and the problem appears to be resolved.

Thanks for the help everyone

you might want to look into updating your OF server as well. you’re running a pretty old version, not to mention java 6 has been EOL for a while!