
Problems with SSO

I’m having issues with getting SSO to work. It looks like I’m authenticating but not authorizing. I’ve tried to follow the instructions for SSO configuration as best as I can, but I continue to get the generic Spark error: “Unable to connect using Single Sign-On. Please check your principal and server settings.”

Here’s the basics:

Openfire 3.4.1 running on a CentOS5 server

Spark 2.5.7 clients running on WinXP SP2

Active Directory running on Win2k3 servers, 2 Domain controllers(if that matters)

Windows Domain/Kerberos Realm = DOCMAGIC.COM

Openfire server name = openfire

user created for keytab creation = xmpp-openfire

command line for creation of the keytab =

ktpass -princ xmpp/openfire.docmagic.com@DOCMAGIC.COM -pass password -mapuser xmpp-openfire -out jabber.keytab

keytab file placed on Openfire server in /opt/openfire/resources, chown’d to daemon:daemon and chmod’d to 640

attached gss.conf found in /opt/openfire/conf

attached openfire.xml

error message found in Spark warn.log file:

Nov 14, 2007 6:23:57 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:
not-authorized(401)
     at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
     at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
     at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
     at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
     at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
     at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
     at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
     at java.lang.Thread.run(Unknown Source)

Things I’ve already tried with no change to results:

  1. Using Java 1.6 Update 3 (other tests were using 1.5.0.12)

  2. Adding allowtgtsessionkey information as described elsewhere to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos key on the workstation.

  3. Setting both the testing user and the keytab user (xmpp-openfire) to use DES for encryption (changing the password after the setting was changed).

  4. Restarting the openfire service/Rebooting the Openfire server

  5. Added ssoEnabled=True and ssoAdv=True to the spark.properties file (Spark does detect the correct user name from Windows just fine)

Any help you can provide would be much appreciated. Thanks.

M@

Any errors in the openfire logs?

Sorry for not attaching these in my first post.

2007.11.15 11:10:32 [org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:682)] java.lang.NullPointerException
     at org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:673)
     at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroup(LdapGroupProvider.java:99)
     at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:201)
     at org.jivesoftware.openfire.group.GroupCollection$UserIterator.getNextElement(GroupCollection.java:102)
     at org.jivesoftware.openfire.group.GroupCollection$UserIterator.hasNext(GroupCollection.java:65)
     at org.jivesoftware.openfire.roster.RosterManager.getSharedGroups(RosterManager.java:161)
     at org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:104)
     at org.jivesoftware.openfire.roster.RosterManager.getRoster(RosterManager.java:85)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.broadcastUpdate(PresenceUpdateHandler.java:280)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:122)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:110)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:174)
     at org.jivesoftware.openfire.PresenceRouter.handle(PresenceRouter.java:130)
     at org.jivesoftware.openfire.PresenceRouter.route(PresenceRouter.java:67)
     at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:75)
     at org.jivesoftware.openfire.net.StanzaHandler.processPresence(StanzaHandler.java:321)
     at org.jivesoftware.openfire.net.ClientStanzaHandler.processPresence(ClientStanzaHandler.java:84)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:245)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:167)
     at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
     at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
     at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
2007.11.15 11:10:33 [org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:682)] java.lang.NullPointerException
     at org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:673)
     at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroup(LdapGroupProvider.java:99)
     at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:201)
     at org.jivesoftware.openfire.group.GroupCollection$UserIterator.getNextElement(GroupCollection.java:102)
     at org.jivesoftware.openfire.group.GroupCollection$UserIterator.hasNext(GroupCollection.java:65)
     at org.jivesoftware.openfire.roster.RosterManager.hasMutualVisibility(RosterManager.java:876)
     at org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:143)
     at org.jivesoftware.openfire.roster.RosterManager.getRoster(RosterManager.java:85)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.broadcastUpdate(PresenceUpdateHandler.java:280)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:122)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:110)
     at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:174)
     at org.jivesoftware.openfire.PresenceRouter.handle(PresenceRouter.java:130)
     at org.jivesoftware.openfire.PresenceRouter.route(PresenceRouter.java:67)
     at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:75)
     at org.jivesoftware.openfire.net.StanzaHandler.processPresence(StanzaHandler.java:321)
     at org.jivesoftware.openfire.net.ClientStanzaHandler.processPresence(ClientStanzaHandler.java:84)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:245)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:167)
     at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
     at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
     at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)

M@

4 days and no more hits? Bump. Bump.

M@

It’s lonely in unanswered question land. Anyone out there???

M@

Check out this new document on SSO configuration. It might help a little.

Poppa

My main server I’ve been using is a CentOS5 box, but since this is now in production I’ve set up a Win2k3 server for testing SSO on. If I can get it to work on that box, I’ll see about implementing it on the production server.

That said, I had tried those steps on the linux box before and had no luck, but decided to give it another whirl on this test box. I set up everything per your instructions, first using ktab to generate the keytab, and when that checksum failed, I tried using ktpass and still got a checksum failed error. Here is the error as displayed in the standard out running log provided by the Windows Openfire Server:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/dsasrv.docmagic.com@DOCMAGIC.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed Checksum failed
cksum failed !

M@

Is there anything in your warn.log or maybe the debug.log about SSO errors?

Poppa

2007.12.13 13:09:25 SaslException
javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)]
     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
     at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
     at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
     at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
     at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
     at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
     at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
     at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
     at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
     at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
     at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
     ... 21 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
     at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at javax.security.auth.login.LoginContext.invoke(Unknown Source)
     at javax.security.auth.login.LoginContext.access$000(Unknown Source)
     at javax.security.auth.login.LoginContext$5.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
     at javax.security.auth.login.LoginContext.login(Unknown Source)
     at sun.security.jgss.GSSUtil.login(Unknown Source)
     at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
     at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     ... 27 more
Caused by: KrbException: Checksum failed
     at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
     at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
     at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
     at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
     at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
     at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
     at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
     ... 43 more
Caused by: java.security.GeneralSecurityException: Checksum failed
     at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
     at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
     ... 50 more

M@

Have you copied your krb5.ini file to your Windows wildfire server and Windows clients? What’s your krb5.ini file look like?

Poppa

Yes, same file on both. Posted below.

[libdefaults]
    default_realm = DOCMAGIC.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOCMAGIC.COM = {
        kdc = dcsrv1.docmagic.com
        admin_server = dcsrv1.docmagic.com
        default_domain = docmagic.com
    }

[domain_realms]
    docmagic.com = DOCMAGIC.COM
    .docmagic.com = DOCMAGIC.COM

M@

This was the same error(s) I was getting when I had a bad keytab. Try using the Java util to create your keytab again and replace the one you have now with it. Make sure you stop the Openfire service to do this, and let’s see if the errors change any.

Poppa
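A “Checksum failed” during the AS exchange means the key in the keytab is not the key the KDC holds for that principal (wrong password, a stale kvno after a password change, or an enctype the KDC will not issue), so it is worth inspecting the file before Openfire loads it. The script below is an added example, not code from this thread or from Openfire: it parses the keytab format that ktab and ktpass write, reads permitted_enctypes from a krb5.ini like the one posted above, and reports whether the expected service principal is present with a usable key. The KRB5_INI text, the principals and the key bytes it builds are constructed placeholders.

```python
import struct
from collections import namedtuple

# RFC 3961/4120 enctype numbers for the key types seen in this thread's logs.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed copy of the [libdefaults] section posted above.
KRB5_INI = """\
[libdefaults]
    default_realm = DOCMAGIC.COM
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")

def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def _counted_bytes(b):
    return struct.pack(">H", len(b)) + b

def parse_keytab(data):
    """Decode every live entry of a version-0x0502 keytab (what ktab/ktpass write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:                    # trailing padding: nothing more to read
            break
        if size < 0:                     # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype, key
        vno8 = data[off + 8]
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries

def build_keytab(principal, kvno, keys):
    """Write a keytab for one principal; keys is [(enctype, key_bytes), ...]."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        body = struct.pack(">H", len(comps)) + _counted_bytes(realm.encode())
        for comp in comps:
            body += _counted_bytes(comp.encode())
        # name_type 1 (NT-PRINCIPAL), fixed timestamp, 8-bit kvno, key, 32-bit kvno
        body += struct.pack(">IIB", 1, 1197900000, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted_bytes(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def permitted_enctypes(krb5_ini):
    """Return the [libdefaults] permitted_enctypes list from krb5.ini text."""
    section = None
    for raw in krb5_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "permitted_enctypes":
                return value.split()
    return []

def check_keytab(entries, expected_principal, permitted):
    """List reasons this keytab cannot authenticate expected_principal."""
    mine = [e for e in entries if e.principal == expected_principal]
    if not mine:
        found = sorted({e.principal for e in entries})
        return ["no key for %s; keytab holds %s" % (expected_principal, found)]
    problems = []
    names = {ENCTYPES.get(e.enctype, "enctype-%d" % e.enctype) for e in mine}
    if not names & set(permitted):
        problems.append("enctypes %s not in permitted_enctypes %s" % (sorted(names), permitted))
    if len({e.kvno for e in mine}) > 1:
        problems.append("mixed kvno: a key from an old password is still present")
    return problems
```

On the real files, `check_keytab(parse_keytab(open("xmpp.keytab", "rb").read()), "xmpp/dsasrv.docmagic.com@DOCMAGIC.COM", permitted_enctypes(open("krb5.ini").read()))` returns an empty list when the keytab is usable; a keytab cut for the other host name used earlier in this thread (xmpp/openfire.docmagic.com) is reported as holding no key for the expected principal.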

Well that seemed to clear up the keytab issue, although I don’t know why. As I mentioned before, I had tried to use ktab originally and when that failed, I used ktpass. However, SSO is still not working. Below is the standard out message on the openfire server that is being displayed now, after recreating the keytab using java’s ktab utility.

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/dsasrv.docmagic.com@DOCMAGIC.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/dsasrv.docmagic.com@DOCMAGIC.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: F9 58 96 EC C9 93 76 4A 54 BF 70 E5 65 95 FA 01  .X....vJT.p.e...
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 94 98 B5 20 E0 98 1A A7 EA 0D FE 43 51 04 67 F2  ... .......CQ.g.
0010: 57 67 4A B5 0B 62 97 37
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 9E F7 46 0E 3B AE 9E 9E
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 9E F7 46 0E 3B AE 9E 9E
Added server's keyKerberos Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COMKey Version 1key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: F9 58 96 EC C9 93 76 4A 54 BF 70 E5 65 95 FA 01  .X....vJT.p.e...
[Krb5LoginModule] added Krb5Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COM to Subject
Added server's keyKerberos Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COMKey Version 1key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 94 98 B5 20 E0 98 1A A7 EA 0D FE 43 51 04 67 F2  ... .......CQ.g.
0010: 57 67 4A B5 0B 62 97 37
[Krb5LoginModule] added Krb5Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COM to Subject
Added server's keyKerberos Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COMKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 9E F7 46 0E 3B AE 9E 9E
[Krb5LoginModule] added Krb5Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COM to Subject
Added server's keyKerberos Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 9E F7 46 0E 3B AE 9E 9E
[Krb5LoginModule] added Krb5Principal xmpp/dsasrv.docmagic.com@DOCMAGIC.COM to Subject
Commit Succeeded

M@

Hmm, usually if you get that far everything should be working. Everything in your log looks good now. What error message are you getting on the clients? What OS and what version of Spark are you using?

Poppa

This is odd, I am now getting this error when Spark first opens:

Can’t connect to server: invalid name or server not reachable.

Then if I click the Advanced button and reselect to use SSO (it’s already specified in the spark.properties file, it just deselects if the first attempt fails), I get this:

Unable to connect using Single Sign-On. Please check your principal and server settings.

The following is recorded in the client’s warn.log file:

Dec 17, 2007 9:53:58 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
XMPPError connecting to dsasrv.docmagic.com:5222.: remote-server-error(502) XMPPError connecting to dsasrv.docmagic.com:5222.
-- caused by: java.net.ConnectException: Connection refused: connect
at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:830)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1276)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:822)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Nested Exception: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:815)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1276)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:822)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Dec 17, 2007 9:54:25 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
XMPPError connecting to dsasrv.docmagic.com:5222.: remote-server-error(502) XMPPError connecting to dsasrv.docmagic.com:5222.
-- caused by: java.net.ConnectException: Connection refused: connect
at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:830)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1276)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:822)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Nested Exception: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:815)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1276)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:822)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

The client machine is running XP Pro SP2, firewall is disabled via group policy, Java 1.5 installed, and the registry modifications in the doc have already been made. Spark version is 2.5.8.

M@

Did you specify the xmpp.fqdn setting in your Openfire Admin? Also, in your Spark “Advanced” config, are you using the “Auto discover host…” option? If so, try unchecking that and manually entering the fqdn of your Openfire server. Make sure the port is 5222. Enable Single Sign-On and try again. Post any errors in a reply.

Poppa

That was odd. I had stopped the openfire server after my last post, and when I relaunched it to double check the xmpp.fqdn setting, I was unable to log in. I had seen this before, and what I had to do was stop the service again and modify the openfire.xml file to say <setup>false</setup>. Then launch the admin page and run through the setup again. For the most part, I just click the continue buttons because I don’t need to change anything, but for some reason it forgets my type of LDAP server (Active Directory). I don’t know how or where this is stored in the xml file, but it’s happened a few times now. I know this isn’t really the place for this; I’ll open another question in the forum later.

Anywho, back to the problem at hand. After verifying that the xmpp.fqdn setting was indeed set correctly (it was), I unchecked auto discover on the client and put in the fqdn (rather than the short name) and got rid of the first error. However, SSO is still erroring out. Here’s the Raw Received Packets from the Smack Debug Window:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="dsasrv" id="200b87cb" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="dsasrv" id="200b87cb" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/>
</stream:features>
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</challenge>
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YDMGCSqGSIb3EgECAgIBAAD/////Af3tobHJ0Sp/R1VsWJ3kE4UpFgr6LXqeAQEAAAQEBAQ=</challenge>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

And the contents of the warn.log file:

Dec 17, 2007 11:26:37 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

Hope that helps. Thanks so far for all of your help and attention to this problem Poppa Smurf.

M@
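The second <challenge> in the post above can be decoded without any key material, because the header fields of a Kerberos Wrap token are sent in the clear. The following is an added example (my code, not Smack's or Openfire's) that parses a SASL GSSAPI challenge as a GSS-API InitialContextToken (RFC 2743) carrying a Kerberos V5 per-message token (RFC 1964) and reads the RFC 4752 security-layer offer inside it; per RFC 4752 a server sends that 4-octet offer only after the GSS context is established, so a <not-authorized/> immediately after it places the failure at the authorization step (mapping the authenticated principal to a local account), not in the Kerberos exchange itself.

```python
import base64

# Constants are the byte values from RFC 1964 (Kerberos V5 GSS tokens),
# RFC 4757 (RC4 variants) and RFC 4752 (SASL GSSAPI security layers).
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR",
             b"\x01\x01": "MIC", b"\x02\x01": "Wrap"}
SGN_ALGS = {b"\x00\x00": "DES MAC MD5", b"\x02\x00": "DES MAC", b"\x11\x00": "HMAC-MD5 (RC4)"}
SEAL_ALGS = {b"\xff\xff": "none", b"\x00\x00": "DES", b"\x10\x00": "RC4"}
SASL_LAYERS = {0x01: "none", 0x02: "integrity", 0x04: "confidentiality"}

def parse_gss_token(b64_challenge):
    """Return the fields of one base64 SASL GSSAPI challenge as a dict."""
    if b64_challenge.strip() in ("", "="):
        return {"empty": True}  # empty challenge: the client must send the first token
    raw = base64.b64decode(b64_challenge)
    if raw[:1] != b"\x60" or raw[1] & 0x80 or raw[2] != 0x06:
        raise ValueError("not a short-form InitialContextToken with a mechanism OID")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise ValueError("truncated token")
    oid_len = body[1]
    oid, inner = body[2:2 + oid_len], body[2 + oid_len:]
    tok = {"empty": False, "krb5": oid == KRB5_OID,
           "token": TOKEN_IDS.get(inner[:2], "unknown " + inner[:2].hex())}
    if inner[:2] != b"\x02\x01":
        return tok
    # Wrap layout: SGN_ALG(2) SEAL_ALG(2) filler ff ff(2) SND_SEQ(8) SGN_CKSUM(8) confounder(8) data
    tok["sgn_alg"] = SGN_ALGS.get(inner[2:4], inner[2:4].hex())
    tok["seal_alg"] = SEAL_ALGS.get(inner[4:6], inner[4:6].hex())
    tok["sealed"] = inner[4:6] != b"\xff\xff"
    tok["snd_seq"], tok["sgn_cksum"] = inner[8:16].hex(), inner[16:24].hex()
    if not tok["sealed"]:  # SEAL_ALG none: confounder and data are plaintext
        data = inner[32:]
        pad = data[-1] if data else 0  # DES-style padding: each pad byte equals the pad count
        tok["payload"] = data[:-pad] if 1 <= pad <= 8 and data.endswith(bytes([pad]) * pad) else data
    return tok

def sasl_layer_offer(payload):
    """Octet 0 is the security-layer bitmask, octets 1-3 the max receive buffer (RFC 4752)."""
    if len(payload) != 4:
        raise ValueError("security-layer negotiation message must be 4 octets")
    return [n for bit, n in SASL_LAYERS.items() if payload[0] & bit], int.from_bytes(payload[1:], "big")

# The second <challenge> quoted in the post above (taken from the thread, not constructed)
CHALLENGE = "YDMGCSqGSIb3EgECAgIBAAD/////Af3tobHJ0Sp/R1VsWJ3kE4UpFgr6LXqeAQEAAAQEBAQ="
if __name__ == "__main__":
    t = parse_gss_token(CHALLENGE)
    print(t["token"], t["sgn_alg"], t["seal_alg"], sasl_layer_offer(t["payload"]))
```

For this challenge the result is a Kerberos Wrap token with SGN_ALG DES MAC MD5, SEAL_ALG none, and a plaintext payload offering only "no security layer" with a 65536-byte buffer, which is exactly the post-authentication message RFC 4752 describes.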

What do the sections of your openfire.xml look like? Also, just for kicks, have you verified that the user you’re attempting SSO login with can indeed log in using manual username and password entry in Spark?

Poppa

Oh, as far as your openfire.xml problem and having to reconfigure it, it sounds like you’re using Notepad or some strange editor to edit your openfire.xml file. Some editors don’t preserve the proper formatting of this file required for the Openfire server to read it, so it resets. I had this problem once before as well. Make sure you use WordPad to edit the openfire.xml file. It will preserve the proper formatting.

Poppa

Holy Copy and Paste Batman!

I just double checked my <sasl> section in the openfire.xml file and it seems that I hadn’t modified the realm from the stock “REALM.COM” to our specific realm. Doh! Keep in mind that this was a test box that I had just recreated on the fly based on your instructions. I verified and the xml file used in production has the correct realm name in there.

I think that using the fqdn in spark, and using the java keytab generator are probably going to be what will get this to work in our production environment. I’ll schedule some downtime tomorrow night and try it out and post a confirmation. At least now I have a working proof!!!

Thanks a lot, Poppa Smurf; if you were local (So Cal area), I’d take you to lunch!

M@