Hello,
The history: A long time ago there was an Openfire 3.9.3 server with SSO working like a charm, but a decision was made to update it to 3.10. After that SSO stopped working, even with a rollback to 3.9.3; nothing helped. For some time we had to use manual login. After the update to 3.10.3 SSO started working again, until last week when I had to restart the server. It was a simple restart, nothing changed, but SSO stopped again.
What I tried:
- update to 4.0.1
- reset AD account
- new keytab
- DNS tests
- Step by step How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2
Server: Windows Server 2008 R2, Openfire 4.0.1.
Clients: Windows 7-10 Pro, Miranda-NG (Spark only for tests)
Miranda log:
Openfire Info log:
org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed
Openfire Debug log:
org.apache.mina.filter.ssl.SslHandler - Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
    at org.apache.mina.filter.ssl.SslHandler.destroy(SslHandler.java:204)
    at org.apache.mina.filter.ssl.SslFilter.sessionClosed(SslFilter.java:439)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$900(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.sessionClosed(DefaultIoFilterChain.java:750)
    at org.apache.mina.core.filterchain.IoFilterAdapter.sessionClosed(IoFilterAdapter.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireSessionClosed(DefaultIoFilterChain.java:375)
    at org.apache.mina.core.service.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:244)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeNow(AbstractPollingIoProcessor.java:600)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeSessions(AbstractPollingIoProcessor.java:560)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$800(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1132)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
gss.conf
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    debug=true
    realm="DOMAIN.LOCAL"
    principal="xmpp/server.domain.local@DOMAIN.LOCAL";
};
openfire.xml
[...]
<!-- sasl configuration -->
<sasl>
    <!-- Set this to your Kerberos realm name, which is usually your AD domain name in all caps. -->
</sasl>
<authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
krb5.ini
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }
# the section name is domain_realm (singular); the library ignores unknown sections
[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL
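A small configuration linter for this kind of Openfire Kerberos SSO setup, added here as an example; it is not part of the original post and not Openfire's own code. It parses a JAAS `gss.conf` and a `krb5.ini` of the shape shown above and flags the slips that break GSSAPI acceptors silently: an unterminated quoted value in the JAAS entry, a misspelled `[domain_realm]` section (unknown sections are ignored, so the realm mapping quietly disappears), acceptor options that are not `useKeyTab=true`/`storeKey=true`/`isInitiator=false`, a `principal` whose realm disagrees with `realm`, and enctype lists that still allow single DES, 3DES or RC4. The two embedded configs are constructed samples that reproduce the first two defects; the section and option names are the real MIT krb5 / `Krb5LoginModule` names.

```python
"""Lint an Openfire Kerberos SSO configuration (gss.conf + krb5.ini) for common slips.
Added example; the sample configs below are constructed, not anyone's live files."""
import difflib
import re
from typing import Dict, List

# Section names MIT krb5 defines; anything else is silently ignored by the library.
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                 "appdefaults", "plugins", "logging", "dbdefaults", "dbmodules"}
# Single DES is broken and RC4/3DES are deprecated; Windows Server 2008+ domains support AES.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw",
                 "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
# What the acceptor (server-side) Krb5LoginModule entry must say to validate client tickets.
EXPECTED_ACCEPTOR_OPTIONS = {"useKeyTab": "true", "storeKey": "true", "isInitiator": "false"}

# Constructed samples reproducing two frequent defects: an unterminated quote on the
# realm line of gss.conf and a misspelled [domain_realm] section in krb5.ini.
SAMPLE_GSS_CONF = """com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files (x86)/Openfire/resources/jabber.keytab"
doNotPrompt=true
useKeyTab=true
isInitiator=false
debug=true
realm="DOMAIN.LOCAL
principal="xmpp/server.domain.local@DOMAIN.LOCAL";
};
"""
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = DOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
default_domain = domain.local
}
[domain_realms]
domain.local = DOMAIN.LOCAL
.domain.local = DOMAIN.LOCAL
"""


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, object]]:
    """Parse krb5.ini into {section: {key: value-or-subdict}}; one level of
    `name = { ... }` nesting is supported, which is all [realms] needs."""
    sections: Dict[str, Dict[str, object]] = {}
    stack: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section: Dict[str, object] = {}
            sections[m.group(1).strip()] = section
            stack = [section]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if not stack:
            continue  # key before any section header: nothing to attach it to
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub: Dict[str, object] = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return sections


def parse_jaas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a JAAS login configuration into {entry: {option: raw value}}.
    Values keep their quotes so quoting defects stay visible to the checks."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = re.fullmatch(r"([\w.]+)\s*\{", line)
        if m:
            current = {}
            entries[m.group(1)] = current
            continue
        if line.startswith("}") or current is None or "=" not in line:
            continue  # closing brace, or the "<module class> required" line
        key, _, value = line.rstrip(";").partition("=")
        current[key.strip()] = value.strip()
    return entries


def check_krb5(sections: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for name in sections:
        if name not in KRB5_SECTIONS:
            close = difflib.get_close_matches(name, KRB5_SECTIONS, n=1)
            hint = f", did you mean [{close[0]}]?" if close else ""
            findings.append(f"unknown section [{name}]{hint}")
    lib = sections.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in str(lib.get(key, "")).split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"[libdefaults] {key} allows weak enctypes: {' '.join(weak)}")
    realm = str(lib.get("default_realm", ""))
    realm_cfg = sections.get("realms", {}).get(realm)
    if realm and not isinstance(realm_cfg, dict):
        findings.append(f"default_realm {realm} has no [realms] entry")
    elif realm and "kdc" not in realm_cfg:
        findings.append(f"[realms] {realm} does not name a kdc")
    if realm and realm not in sections.get("domain_realm", {}).values():
        findings.append(f"no [domain_realm] mapping points at {realm}")
    return findings


def check_jaas(entries: Dict[str, Dict[str, str]]) -> List[str]:
    acceptor = entries.get("com.sun.security.jgss.krb5.accept")
    if acceptor is None:
        return ["no com.sun.security.jgss.krb5.accept entry (the server needs the acceptor side)"]
    findings: List[str] = []
    for key, value in acceptor.items():
        if value.startswith('"') and not (len(value) > 1 and value.endswith('"')):
            findings.append(f"{key}: unterminated quote in {value}")
    for key, expected in EXPECTED_ACCEPTOR_OPTIONS.items():
        if acceptor.get(key) != expected:
            findings.append(f"{key} should be {expected}, found {acceptor.get(key)}")
    principal = acceptor.get("principal", "").strip('"')
    realm = acceptor.get("realm", "").strip('"')
    if "@" in principal and realm and principal.rsplit("@", 1)[1] != realm:
        findings.append(f"principal realm {principal.rsplit('@', 1)[1]} != realm {realm}")
    if principal and not principal.startswith("xmpp/"):
        findings.append(f"principal {principal} is not an xmpp/<fqdn> service principal")
    return findings


if __name__ == "__main__":
    for f in check_jaas(parse_jaas(SAMPLE_GSS_CONF)) + check_krb5(parse_krb5_ini(SAMPLE_KRB5_INI)):
        print("FINDING:", f)
```

To run it against real files, read them with `open(path).read()` in place of the two sample strings. A clean lint says the files are internally consistent, not that the keytab is right: the service principal in `gss.conf` still has to be the SPN registered on the AD account (`setspn -L <account>` lists them) and the keytab's key version has to match the account's current password, which is exactly what a password reset or a new keytab changes.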