Problem in using the SSO with Windows 2012R2(AD) and Spark

Spark Spark Support
1

Hello, People,

Do you fine?

I need to perform Spark setup to automatically log into Windows AD SSO. I followed this tutorial:

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

But so far failed to success in the log spark am with this error:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

In another version of Spark I tested was the following:

WARNING: Exception in Login: org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized

The registration of the windows has been changed to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey REG_DWord 1

To generate the settings in AD User:

setspn -A xmpp/ServerOpenfire.dominio.com.br@DOMINIO.COM.BR openfireconnect

ktpass -princ xmpp/ServerOpenfire.dominio.com.br@DOMINIO.COM.BR -mapuser openfireconnect@dominio.com.br -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.openfireconnect

The krb5.ini file is in c:\windows\krb5.ini with the following script:

[libdefaults]

default_realm = DOMINIO.COM.BR

[realms]

DOMINIO.COM.BR = {

kdc = dc1.dominio.com.br

kdc = dc2.dominio.com.br

admin_server = dc1.dominio.com.br

default_domain = dominio.com.br

}

[domain_realms]

dominio.com.br = DOMINIO.COM.BR

.dominio.com.br = DOMINIO.COM.BR

Using the “MIT Kerberos Ticket Manager” tool presents the following ticket line kerberos:

xmpp/ServerOpenfire.dominio.com.br@DOMINIO.COM.BR

I am running Spark on the Openfire server itself.

Connecting directly by username and password is working normally.

Utilized versions

Openfire 4.0.2.

Spark 2.7.7.862 (Nightly Builds) , But I’ve tried with the stable version and also was not.

Smack: 4.1.8 (4.1.7-7-ga87007f 2016-07-30)

I hope to count on your help to solve the problem of not being able to connect via SSO with Openfire via AD.

2

I suggest using 2.7.7 official version of Spark. Current nightly builds are not stable and has lots of issues. One of them https://issues.igniterealtime.org/browse/SPARK-1740

3

I used today the 2.7.7 version and is attached the file warn spark log. And also the krb5.ini file used. And MIT Kerberos Ticket Manager screen showing that XMPP is mounted. I hope it’s this way.

Is it any setting in Openfire that this trouble?

spark.pngspark-login.png

File krb5.ini:

[libdefaults]

default_realm = TOO.DOMINIO.COM.BR

[realms]

TOO.DOMINIO.COM.BR = {

kdc = corona-a.too.dominio.com.br

kdc = corona-b.too.dominio.com.br

admin_server = corona-a.too.dominio.com.br

default_domain = too.dominio.com.br

}

[domain_realms]

too.dominio.com.br = TOO.DOMINIO.COM.BR

.too.dominio.com.br = TOO.DOMINIO.COM.BR

Warn file:

ago 15, 2016 3:11:11 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

java.lang.reflect.InvocationTargetException

at java.awt.EventQueue.invokeAndWait(Unknown Source)

at java.awt.EventQueue.invokeAndWait(Unknown Source)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1103)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:362)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:900)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: java.lang.IllegalArgumentException: Can’t initialize the configured debugger!

at org.jivesoftware.smack.Connection.initDebugger(Connection.java:792)

at org.jivesoftware.smack.XMPPConnection.initReaderAndWriter(XMPPConnection.java:7 42)

at org.jivesoftware.smack.XMPPConnection.initConnection(XMPPConnection.java:619)

at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection. java:604)

at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1022)

at org.jivesoftware.LoginDialog$LoginPanel$5.run(LoginDialog.java:1108)

at java.awt.event.InvocationEvent.dispatch(Unknown Source)

at java.awt.EventQueue.dispatchEventImpl(Unknown Source)

at java.awt.EventQueue.access$500(Unknown Source)

at java.awt.EventQueue$3.run(Unknown Source)

at java.awt.EventQueue$3.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(U nknown Source)

at java.awt.EventQueue.dispatchEvent(Unknown Source)

at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)

at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)

at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)

at java.awt.EventDispatchThread.pumpEvents(Unknown Source)

at java.awt.EventDispatchThread.pumpEvents(Unknown Source)

at java.awt.EventDispatchThread.run(Unknown Source)

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)

at java.lang.reflect.Constructor.newInstance(Unknown Source)

at org.jivesoftware.smack.Connection.initDebugger(Connection.java:787)

… 19 more

Caused by: java.lang.IncompatibleClassChangeError: class org.jivesoftware.phone.client.action.PhoneActionIQProvider has interface org.jivesoftware.smack.provider.IQProvider as super class

at java.lang.ClassLoader.defineClass1(Native Method)

at java.lang.ClassLoader.defineClass(Unknown Source)

at java.security.SecureClassLoader.defineClass(Unknown Source)

at java.net.URLClassLoader.defineClass(Unknown Source)

at java.net.URLClassLoader.access$100(Unknown Source)

at java.net.URLClassLoader$1.run(Unknown Source)

at java.net.URLClassLoader$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at java.net.URLClassLoader.findClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at java.lang.Class.forName0(Native Method)

at java.lang.Class.forName(Unknown Source)

at org.jivesoftware.smack.provider.ProviderManager.initialize(ProviderManager.java :193)

at org.jivesoftware.smack.provider.ProviderManager.(ProviderManager.java:436 )

at org.jivesoftware.smack.provider.ProviderManager.getInstance(ProviderManager.jav a:134)

at org.jivesoftware.smackx.debugger.EnhancedDebuggerWindow.createDebug(EnhancedDeb uggerWindow.java:227)

at org.jivesoftware.smackx.debugger.EnhancedDebuggerWindow.showNewDebugger(Enhance dDebuggerWindow.java:125)

at org.jivesoftware.smackx.debugger.EnhancedDebuggerWindow.addDebugger(EnhancedDeb uggerWindow.java:115)

at org.jivesoftware.smackx.debugger.EnhancedDebugger.(EnhancedDebugger.java: 148)

… 24 more

ago 15, 2016 3:11:22 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1138)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:362)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:900)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1138)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:362)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:900)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.(Unknown Source)

… 19 more

4

the issue is likely in your keytab files. try recreating your keytab file.

5

After I ran this command, I can not connect to the web console, it has something to see?

ktpass -princ xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR -mapuser openfireconnect@too.dominio.com.br -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.openfireconnect

I checked the database and users login tested are included in this parameter “admin.authorizedJIDs”. But still occurs this message “Login failed: make sure your username and password are correct and that you’re an admin or moderator.”

Best re-configure the setup of openfire? Or have a way to only update this parameter “ldap.adminPassword”?

Note: I’m using the same password, I have not changed the password in User openfireconnect in AD.

C:>ktpass -princ xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR -mapuser

openfireconnect@too.dominio.com.br -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -o

ut xmpp.openfireconnect

Targeting domain controller: CORONA-A.too.dominio.com.br

Successfully mapped xmpp/talk2.too.dominio.com.br to openfireconnect.

Type the password for xmpp/talk2.too.dominio.com.br:

Type the password again to confirm:

Password successfully set!

Key created.

Key created.

Key created.

Key created.

Key created.

Output keytab to xmpp.openfireconnect:

Keytab version: 0x502

keysize 71 xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR ptype 1 (KRB5_NT_PRINCIP

AL) vno 9 etype 0x1 (DES-CBC-CRC) keylength 8 (0x32c88567b5a798b9)

keysize 71 xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR ptype 1 (KRB5_NT_PRINCIP

AL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x32c88567b5a798b9)

keysize 79 xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR ptype 1 (KRB5_NT_PRINCIP

AL) vno 9 etype 0x17 (RC4-HMAC) keylength 16 (0x344adfd8dfc664c67e9ae970d4dffabd)

keysize 95 xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR ptype 1 (KRB5_NT_PRINCIP

AL) vno 9 etype 0x12 (AES256-SHA1) keylength 32 (0x923be905266f1f0c11981a1738b010ecfd3b498ee894aaa23cf3a8da6e850d59)

keysize 79 xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR ptype 1 (KRB5_NT_PRINCIP

AL) vno 9 etype 0x11 (AES128-SHA1) keylength 16 (0xc63fe72b26578970dc2242ec9c095341)

C:>

6

I’m redoing the Openfire setup configuration. After running this command:
ktpass -princ xmpp/talk2.too.dominio.com.br@TOO.DOMINIO.COM.BR -mapuser openfireconnect@too.dominio.com.br -crypto all-pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.openfireconnect

I can no longer log into the account. Even using the same password you entered when prompted by the command above.

If redo the password in AD User, I can log in again as the image attached. But this is the correct procedure?

ConfigOpenfireSetup.png

My user account of Openfire in AD:

OpenfireUserAD.png

What am I doing wrong?

7

you should use two different accounts. 1 for ldap binding, and the other for creating your keytab file.

if you PM me, we can do a webex or something and I’ll be happy to help you out.

8

The DN Administrator should be in this format, CN=openfireconnect, CN=Users,DC=too,DC=dominio,DC=com,DC=br rather than openfireconnect@too.dominio.com.br.

You may want to follow this tutorial instead, https://community.igniterealtime.org/thread/57684. It is for setup of SSO for Openfire under Windows 2012 R2.

9

Tan Akon,

I followed the suggested tutorial.

And the way you said, works both ways. I prefer this second.

But here is another detail that has not yet been found. When you find surely will post here the solution.

10

Theoretically we can make it work here.

It was verified via wireshark with the search filter with the word “Kerberos” and did not return the domain. But the subdomain for example “talk.xxx.xxx.xxx” and not as I wanted it to be. If only the domain “xxx.xxx.xxx”.

Now this all working properly.