powered by Jive Software

Openfire SSO - Spark Crashing

I have a bit of a unique setup going. I manage the networks for multiple companies, and these networks are primarlily thin client based. Both are using Server 2003 64-bit. I have Openfire and Spark installed on one of the networks without SSO being enabled, but would like to implement SSO. The 2nd network I am working on bringing online with SSO from day one.

Here is the run down:

Openfire 3.6.2 installed on the SBS 2003 R2 Domain Controller backed by SQL 2005 Express

Spark 2.6.0 beta 2 with jre on a 2003 R2 Standard x64 server running as a terminal server

I followed the SSO tutorial found at http://www.igniterealtime.org/community/docs/DOC-1060 with one exception, because Spark crashes when you try to use the Advanced button, I used a spark.properties file (attached).

With all of the files in place, Spark will not start and I get a dump file (attached).

I have found that if I remove the krb5.ini (attached) file from the %userprofile%\Windows folders (remember, this is a terminal environment, it is not seen when it is in the C:\Windows folder)

Without the .ini file I get the “Unable to connect using Single Sign-On.” Message.
spark.properties (830 Bytes)
hs_err_pid2352.log (10865 Bytes)
krb5.ini (347 Bytes)

I have an sso setup and its working but I am not using a term server. I have a 2003 virtual machine that I just now for this test installed term server on with secured mode (instead of relaxed security) and installed my custom install. it worked as an admin but wouldn’t do anything for any other user. I added permissions on the Spark folder and now it works for ordinary users. I do have one big difference in my spark.properties file. I have the following lines (with my info removed):




give that a try and see if it helps.

Thanks for the suggestion. Gave it a shot, but got the same results. Remember, my terminal server x64.

does a x64 have any affect in this scenario besides a different jvm? I know the os will be a x64 build but i wouldn’t think that would make a difference.

Have you tried putting the krb5.ini in the c:\windows directory. I do not see why this would not work even in a TS server. The clients can see the screen savers and other such files in the windows directory. If this is not true please elaborate on why TS servers are different so I can learn something new.

when I setup my vm as a term server it had 2 default options for how to restrict users, I chose the most restrictive. when I installed my spark build I put the krb.ini in c:\windows\ and it works just fine.

When running in a multi-user environment like on a TS server, user specific settings (such as .ini files you would normally find in the c:\windows folder)

are kept in the %userprofile%\windows folder so users can have individual settings. While a user maybe able access screensavers, etc., in the windows

folder, some setting information is kept in profile folder.

The attached error log shows Spark looking in the %userprofile%\windows folder for the krb5.ini file. When this log was produced, the krb5.ini file was in

the c:\windows folder.

On a properly configured TS server this is true wether Permission Compatibility is set to relaxed or full. I have tested Spark with the server in both

full and relaxed permission compatbility with the same results.

Spark will not use the 64 bit jvm.dll file thus some of the limited capabilities when using Spark on a 64 bit OS.
error.log (2492 Bytes)

what if you put the krb.ini back in the %userprofile%\windows directory and make sure that user has permissions, and then use the changed I suggested in your spark.properties.

That is how it was configured last night when trying your suggestions. No go.



Still no love. I have boiled this down to:

OpenFire installed on a member 2003 Server connecting to the AD, called central

The AD server is zeus.

I have followed the SSO instructions mentioned above.

I have setup a generic XP workstation for testing, with the krb5.ini in the Windows directory.

When I launch Spark I get the following:

From OpenFire:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/zeus.tbnohio.local@TBNOHIO.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Identifier doesn’t match expected value (906)

From the Smack Debug:

Raw Sent:

<stream:stream to=“central.tbnohio.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“zeus.tbnohio.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>
YIIFLwYJKoZIhvcSAQICAQBuggUeMIIFGqADAg EFoQMCAQ6iBwMFACAAAACjggRDYYIEPzCCBDugAwIBBaEPGw1UQk5PSElPLkxPQ0FMoigwJqADAgEAoR 8wHRsEeG1wcBsVY2VudHJhbC50Ym5vaGlvLmxvY2Fso4ID9zCCA/OgAwIBF6EDAgEHooID5QSCA+EVGu DTP0VmKGEnlPYCn8XWCgwtKCGEm34XYxxZFpiW2XOuHrzrWogKHfBJNbslS22Fn30rPuzk1m0Uvasr0t xZ5zkL3dubzoxpr3YWYvEFGcEOTb6nAjfVwWih+X6+I7epjF3UFtkHKulsGzJbjaf64w/5OT9/4+Wgq9 IyEjy5nYkgW8ZEsFHKlY894MDub5/Q5VnL6GhQKkpAeDcL9zW56PEevuEPnF7+WqB6yt2wruh9OS5Bsm 4aPiNUhs3Bx17h1+yCjds9AsDdIZEYs9VPqn6bxENALtMD/n4Xayi0BXI88e3N7LTlxGjaoxD8GAIcs5 BI/b+TuAKGrd94siEj7+CeqlhzxGtdZP9icMTuUT+Zui4P8Suw/IZYgivdttnPr+vyCYkqZVKYCi7Ldr vPd/+oJ5ad1GsOO/ODOo0MzM4mmqt66akApgKHp7qSLH6gH/pikIDfStv4KSYezpv+n5EWEyY2xTvvZR sYlQYNdtz54MdXbqxsFNBXf74a9AUh03Oed+JV6itbhpM0vvhkB+GGuqMnULCMk6mTFwn8qUVf1S3iHc KfKfr2fAdB4n4KXzQTRd1ZhZsEwUKaYmcIENdhceS228uFNcVmmFmuRSHWzV18UCiNpa/2s4z0iCmdg7 rLYPoSVwc5zblU1f8tvVYGw88WSvc6poXfmirH93x/lDN3BuzVbMjQAFmB/92YgECOiGD45AXgG6UeQR Lk3VEweQ1+4hkWSXDf0SHOP1fXqM3CEjEcVj6zZQUqTRwfhLK97YzrO+yGEw1vHu+lgrTT5nkbb01Xh3 AVy4SEw2pLKyub5c8UVfi1tA75y0+6nkte1810BQDVVrRUnAs43bmHjfOr1I/EsO1g5PgtKDtgbYEjI8 NeJenEhm1Smv8eYAnpBTJhysryiZfMBChn3NBUIDBFFt9M/X/p08Ygygjg71a7Y1MxRMfI1kHpe2MUUJ PGh/pw19sa0RvOIAPcdMed4sJf6Xc/PV17mkztvhOboCzNsDHY5p5O3zJp2tVJSdD8dMgHHep6jZrGW5 Z8DgMWKIOSTfhaNWNNOkyjDecHkl2/Ky3ol5/+GRFEhqD6FxZBiJXc8ZERmdqnQBFxIrH9nhS3zkSd2I yRRchmTUARHEcoFiH5Grjc9LXjqHwTnviGP3WamvB4SI4BFl0BeIvbMGkLwxnEnhqKoG2YrO6gSRo1we T27/sVDyOPUN6JzQrLOl1UVUfSH9vvQ1d3bwACD6mq3ZZMIV4YMnbYt6pe45pcHUNlAtPbrksFzyJni5 eSn3PH5CeOcgIySa7QRhXmTzOzYbasw6bqGmsBk02kgb0wgbqgAwIBF6KBsgSBr1IAFRoo9UA8gM/iIz uWE3aTKXv2GYOf/E/t7e7tRi5Dd8jByX2eBUxXyzzvx91UfAI48jtPe6LYk9W7x62XBioGn6igWusPQa KTxcTn1ZAiLp5DcdQFAFPrj7PEfJR9TxZgHFtvo1ppGEhdcOOg82l3L7Zv44wBvkDCgZF8LmyGpLEOXb twIINV/fs/TwiAUbA7ymi7RZCPbygLlxWM/ORN8ePU/iWy4Q5az8FlpXQ=

Raw Received:

<?xml version='1.0' encoding='UTF-8'?>

GSSAPI</mechani sms>zlib

<?xml version='1.0' encoding='UTF-8'?>

GSSAPI</mechani sms>zlib

What does it all mean?