Openfire SSO

Hello,

I write this post as a last resort. I could not find a solution.

I can’t get Spark to work with SSO.

I have Spark 2.6.3 on Windows 7 Pro and Openfire 3.8.2 on Windows Server 2012.

Configured:

  1. setspn -A xmpp/server.domain.local@DOMAIN.LOCAL xmpp-openfire
  2. ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL
  3. ktab -k xmpp.keytab -a xmpp/server.domain.local@DOMAIN.LOCAL
     kinit -k -t xmpp.keytab xmpp/server.domain.local@DOMAIN.LOCAL p@ssword

I copied the keytab to the resources folder.

  4. Through the web console, System Properties:

     provider.auth.className            org.jivesoftware.openfire.ldap.LdapAuthProvider
     provider.authorization.classList   org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy
     provider.group.className           org.jivesoftware.openfire.ldap.LdapGroupProvider
     provider.user.className            org.jivesoftware.openfire.ldap.LdapUserProvider
     provider.vcard.className           org.jivesoftware.openfire.ldap.LdapVCardProvider
     sasl.gssapi.config                 C:/Program Files (x86)/Openfire/conf/gss.conf
     sasl.gssapi.debug                  true
     sasl.gssapi.useSubjectCredsOnly    false
     sasl.mechs                         GSSAPI
     sasl.realm                         DOMAIN.LOCAL
     xmpp.auth.anonymous                true
     xmpp.domain                        server
     xmpp.fqdn                          server.domain.local
     xmpp.session.conflict-limit        0
     xmpp.socket.ssl.active             true

  5. gss.conf

     com.sun.security.jgss.accept {
         com.sun.security.auth.module.Krb5LoginModule
         required
         storeKey=true
         keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
         doNotPrompt=true
         useKeyTab=true
         realm="DOMAIN.LOCAL"
         principal="xmpp/server.domain.local@DOMAIN.LOCAL"
         debug=true;
     };

  6. krb5.ini copied to the server and the client on Windows

     [libdefaults]
     default_realm = DOMAIN.LOCAL
     noaddresses = true

     [realms]
     DOMAIN.LOCAL = {
         kdc = dc01.domain.local
         default_domain = domain.local
     }

     [domain_realm]
     invenire.local = DOMAIN.LOCAL
     .invenire.local = DOMAIN.LOCAL

  7. Changed the registry on both the server and the clients.

  8. Also changed the Java encryption policies by replacing the files in jre/lib/security.

In the Spark log I get this:

2013-08-13 16:46:49 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
-- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
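An offline check of the keytab produced by the ktpass/ktab steps in the post above, added here as an example; it is not Openfire or Spark code. It parses the MIT keytab format that ktpass and Java's ktab write and reports whether the file holds a key for exactly the principal named in gss.conf, which kvno and enctypes that principal has, and whether only RC4/DES keys are present (AES keys are unusable on Java 6/7 without the unlimited-strength JCE policy files the poster mentions replacing). The sample keytab bytes, the dummy key material, and the kvno and enctype values in it are constructed for this example and are not taken from the poster's environment.

```python
"""
Inspect an MIT-format keytab (the format Java's ktab and Windows ktpass
write) and check that it really holds a usable key for the service
principal Openfire accepts with.

Added example for the thread above, not Openfire or Spark code.  The sample
keytab below is constructed inline so the script runs offline; pass a path
on the command line to inspect a real file such as resources/xmpp.keytab.
"""
import struct
import sys

# RFC 3961 enctype numbers a Windows KDC commonly issues
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: disable in AD when you can


def _counted(buf, pos):
    """Read a keytab counted_octet_string: uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Parse a version-2 keytab into dicts: principal, kvno, enctype, enctype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab, magic %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        # name_type, timestamp, 8-bit kvno, enctype, key length (13 bytes)
        _name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                # skip the fixed fields and the key itself
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "enctype-%d" % enctype),
        })
        pos = end
    return entries


def check_keytab(data, expected_principal):
    """Report whether the keytab can serve tickets for expected_principal."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    report = {
        "entries": len(entries),
        "has_principal": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "enctypes": sorted(e["enctype_name"] for e in matching),
        "weak_only": bool(matching) and all(e["enctype"] in WEAK_ENCTYPES for e in matching),
        "problems": [],
    }
    if not matching:
        # Principal names are case-sensitive: xmpp/SERVER... is a different key
        report["problems"].append("no key for %s (check case, host part and realm)" % expected_principal)
    if len(report["kvnos"]) > 1:
        report["problems"].append("entries for the SPN carry different kvno values %s; "
                                  "the KDC only issues tickets for the current one" % report["kvnos"])
    if report["weak_only"]:
        report["problems"].append("only DES/RC4 keys present; AES keys need the unlimited "
                                  "JCE policy on Java 6/7")
    return report


def build_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry (used only to construct the sample below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 1376400000, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample (assumption, not the poster's file): the Openfire SPN with
# an RC4 and an AES256 key at kvno 3, plus a stale entry for another host.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("xmpp/server.domain.local@DOMAIN.LOCAL", 3, 23, b"\x11" * 16)
    + build_entry("xmpp/server.domain.local@DOMAIN.LOCAL", 3, 18, b"\x22" * 32)
    + build_entry("host/old.domain.local@DOMAIN.LOCAL", 1, 23, b"\x33" * 16))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    spn = sys.argv[2] if len(sys.argv) > 2 else "xmpp/server.domain.local@DOMAIN.LOCAL"
    for e in parse_keytab(data):
        print("%-45s kvno=%-3d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for p in check_keytab(data, spn)["problems"]:
        print("PROBLEM: " + p)
```

Run it against resources/xmpp.keytab with the principal from gss.conf as the second argument. Note what this does and does not cover: the keytab is consulted by Openfire, the acceptor; the "No service creds" error in the log above is raised on the Spark side, when the client asks the KDC for a ticket to the service, before the keytab is ever used. If the keytab checks out, the next thing to compare is the name Spark requests a ticket for (xmpp/ followed by the host it connected to) against the SPN that setspn registered.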

Here is a doc I wrote up a few months ago. Let me know if it helps or if you have any questions.

http://community.igniterealtime.org/docs/DOC-2585

Unfortunately it didn’t work. I followed the steps in the tutorial and still get this:

2013-08-14 09:58:31 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
-- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more

If UAC is enabled, try disabling it.

I solved it myself.

Openfire is running on Java 1.6.something, and the Spark installation was on the same 1.6.

I replaced Spark’s Java with a newer version, 1.7…, and it works.