Hi All,
I would like to set up Openfire/SPARK with SSO and it doesn't work for me. I spent more than 20 hours diagnosing problems. Some solved, but now I need help.
My Environment:
Windows Server 2012 as Domain Controller (openfiredc.mc.gov.pl)
Windows 10 system connected to domain with SPARK 2.8.0 as xmpp client
Debian Jessie 8.5 as Openfire server (openfire.mc.gov.pl)
root@openfire:/usr/local# java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
All systems synchronized with NTP
Forward and Reverse DNS configured including _kerberos and _xmpp SRV records
I think I’ve done everything according to SSO Configuration
Openfire Configuration:
/etc/krb5.conf:
[libdefaults]
default_realm = MC.GOV.PL
[realms]
MC.GOV.PL = {
kdc = openfiredc.mc.gov.pl
admin_server = openfiredc.mc.gov.pl
default_domain = mc.gov.pl
}
[domain_realm]
.mc.gov.pl = MC.GOV.PL
Created XMPP SPN, mapping and keytab according to DOC-1060. Verification on Openfire server:
root@openfire:/usr/local# kinit -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfire.mc.gov.pl@MC.GOV.PL -V
Using default cache: /tmp/krb5cc_0
Using principal: xmpp/openfire.mc.gov.pl@MC.GOV.PL
Using keytab: /usr/share/openfire/resources/xmpp.keytab
Authenticated to Kerberos v5
gss.conf file:
root@openfire:/usr/local# cat /etc/openfire/gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/usr/share/openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="MC.GOV.PL"
principal="xmpp/openfire.mc.gov.pl@MC.GOV.PL"
isInitiator=false
debug=true;
};
SASL configuration added to openfire.x
<sasl>
  <mechs>GSSAPI</mechs>
  <gssapi>
    <debug>true</debug>
    <config>/etc/openfire/gss.conf</config>
    <useSubjectCredsOnly>false</useSubjectCredsOnly>
  </gssapi>
</sasl>
SPARK client configuration:
Registry modified according to DOC-1060
SSO use krb5.ini
Problem Description:
SPARK starts xmpp conversation
<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
Openfire Server answers:
<?xml version='1.0' encoding='UTF-8'?><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns='http://jabber.org/features/compress'><method>zlib</method></compression></stream:features>
SPARK sends TGS-REQ for krbtgt@MC.GOV.PL (MC.GOV.PL) and receives ticket TGS-REP
SPARK sends TGS-REQ for xmpp@openfire.mc.gov.pl (MC.GOV.PL) and receives ticket TGS-REP
SPARK sends xmpp message to Openfire Server:
<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAM
…
CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug==</auth>
And this is the moment where Openfire has a problem.
Openfire sends an answer to SPARK:
<?xml version='1.0' encoding='UTF-8'?><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns='http://jabber.org/features/compress'><method>zlib</method></compression></stream:features>
In logs I can see only:
2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 5
Queue : [MESSAGE_RECEIVED, ]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 5
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 5
2016.09.17 21:03:02 INFO [socket_c2s-thread-3]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.ssl.SslFilter - Session Server5: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=77 cap=128: 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22…]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 5
2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 5
Queue : [MESSAGE_SENT, ]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 5
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 5
Please Help, I have no idea what is wrong.
Regards Adam
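An added diagnostic example (my own code, not part of Adam's post and not Openfire or Spark code): the base64 payload of the client's <auth> element is a GSS-API InitialContextToken (RFC 2743) wrapping a Kerberos AP-REQ (RFC 4120). The service ticket's realm, service principal name, encryption type and key version number (kvno) travel in cleartext inside it; only the ticket body and the authenticator are encrypted. Those four fields are exactly what the acceptor's keytab entry has to match, so decoding them from a capture shows whether the client asked for the SPN the keytab holds, at the same kvno and with an encryption type the server has a key for. A mismatch in any of them leaves Openfire's Krb5LoginModule unable to decrypt the ticket, and the SASL exchange fails server-side before any user is authenticated. Because the token quoted in the post is truncated, the block builds a constructed sample token with the same principal and compares it against constructed `klist -kte`-style keytab entries; the token builder, the keytab listing and the helper names are all my assumptions.

```python
import base64

# Kerberos V5 GSS-API mechanism OID (1.2.840.113554.1.2.2) and the names klist
# prints for the encryption types most often found in Active Directory keytabs.
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
TOK_ID_NAMES = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_int(value):
    return int.from_bytes(value, "big", signed=True)


def _field(children, n):
    """The single (tag, value) wrapped by context tag [n] in a SEQUENCE, or None."""
    wrapper = dict(children).get(0xA0 | n)
    return der_children(wrapper)[0] if wrapper is not None else None


def decode_gssapi_auth(b64_token):
    """Parse the base64 <auth> payload down to the fields a keytab entry must match."""
    token = base64.b64decode(b64_token)
    tag, body, _ = der_read(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken (expected tag 0x60)")
    oid_tag, oid, pos = der_read(body)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism OID is not Kerberos V5: %s" % oid.hex())
    tok_id = body[pos:pos + 2]
    info = {"token_type": TOK_ID_NAMES.get(tok_id, tok_id.hex())}
    if tok_id != b"\x01\x00":
        return info
    ap_tag, ap_req, _ = der_read(body, pos + 2)            # APPLICATION 14 = KRB_AP_REQ
    if ap_tag != 0x6E:
        raise ValueError("TOK_ID says AP-REQ but tag is 0x%02x" % ap_tag)
    ap = der_children(der_children(ap_req)[0][1])
    tkt = der_children(der_children(_field(ap, 3)[1])[0][1])   # [3] Ticket = APPLICATION 1
    realm = _field(tkt, 1)[1].decode()
    sname = der_children(_field(tkt, 2)[1])                     # PrincipalName
    parts = [v.decode() for _, v in der_children(_field(sname, 1)[1])]
    enc = der_children(_field(tkt, 3)[1])                       # EncryptedData of the ticket
    etype, kvno = der_int(_field(enc, 0)[1]), _field(enc, 1)   # kvno is OPTIONAL in RFC 4120
    info.update(principal="/".join(parts) + "@" + realm,
                name_type=der_int(_field(sname, 0)[1]),
                etype=etype, etype_name=ETYPE_NAMES.get(etype, "etype %d" % etype),
                kvno=der_int(kvno[1]) if kvno else None)
    return info


def keytab_can_decrypt(info, keytab_entries):
    """keytab_entries: (kvno, principal, etype_name) tuples as `klist -kte` lists them.
    Returns the entries able to decrypt this ticket; an empty list means the acceptor
    has no key for it, so the handshake fails before any user is authenticated."""
    return [e for e in keytab_entries
            if e == (info["kvno"], info["principal"], info["etype_name"])]


def _tlv(tag, payload):
    n = len(payload)
    lenb = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lenb + payload


def _int(v):                                # INTEGER, values below 256 only
    return _tlv(0x02, bytes([v]) if v < 0x80 else b"\x00" + bytes([v]))


def build_sample_ap_req_token(service="xmpp", host="openfire.mc.gov.pl", realm="MC.GOV.PL",
                              etype=23, kvno=5):
    """Constructed sample token (not captured traffic): a well-formed AP-REQ whose
    encrypted parts are zero filler, so it decodes but could never authenticate."""
    def ctx(n, p): return _tlv(0xA0 | n, p)
    def gstr(s): return _tlv(0x1B, s.encode())
    sname = _tlv(0x30, ctx(0, _int(2)) + ctx(1, _tlv(0x30, gstr(service) + gstr(host))))
    enc = _tlv(0x30, ctx(0, _int(etype)) + ctx(1, _int(kvno)) + ctx(2, _tlv(0x04, bytes(40))))
    ticket = _tlv(0x61, _tlv(0x30, ctx(0, _int(5)) + ctx(1, gstr(realm)) + ctx(2, sname) + ctx(3, enc)))
    authenticator = _tlv(0x30, ctx(0, _int(etype)) + ctx(2, _tlv(0x04, bytes(24))))
    ap_req = _tlv(0x6E, _tlv(0x30, ctx(0, _int(5)) + ctx(1, _int(14)) + ctx(2, _tlv(0x03, bytes(5)))
                               + ctx(3, ticket) + ctx(4, authenticator)))
    return base64.b64encode(_tlv(0x60, _tlv(0x06, KRB5_MECH_OID) + b"\x01\x00" + ap_req)).decode()


if __name__ == "__main__":
    # Constructed keytab listing: the xmpp SPN at kvno 4, one version behind the
    # ticket the client presents, i.e. a keytab generated before a ktpass re-run.
    sample_keytab = [(4, "xmpp/openfire.mc.gov.pl@MC.GOV.PL", "arcfour-hmac")]
    decoded = decode_gssapi_auth(build_sample_ap_req_token())
    print(decoded)
    print("keytab can decrypt:", bool(keytab_can_decrypt(decoded, sample_keytab)))
```

To use it on a real capture, paste the full base64 text of the <auth> element into `decode_gssapi_auth` and compare the result with `klist -kte /usr/share/openfire/resources/xmpp.keytab` on the Openfire host. Re-running ktpass against the service account resets its password and increments the kvno in AD, so a keytab created earlier is stale even though `kinit -k -t` with it may still succeed against the KDC; the same check also reveals when the client obtained an encryption type the server keytab lacks.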