SASLError using DIGEST-MD5: not-authorized after Smack update from version 4.0.4 to 4.1.0


I’ve just updated to version 4.1.0 of Smack and I now get this error when trying to login:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using DIGEST-MD5: not-authorized

at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthenticati

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPC

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$200(XMPPTCPCon

at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$


I’m using:

new XMPPTCPConnection (XmppStringUtils.escapeLocalpart (""),


I’ve also tried with using the builder for the connection but get the same error.

I have the following jars in the classpath and am using Java 7:









I’m trying to connect to an Openfire server (under my control) running 3.9.3.

This worked fine with 4.0.4 of Smack. The user account has been setup correctly in Openfire and the password is correct. Everything was running smoothly with version 4.0.4.

On the server the “xmpp.domain” setting is “”.

I have a RSA CA signed certificate setup for “” (not the real domain btw) in Openfire. However I do not have a DSA one setup (Openfire offers to set one up for me).

Can anyone point out what I’m doing wrong and/or missing?



Try using the users full JID as username, not just the localpart.

Would that be: me\ then? If so I’ve tried that (and just about every other combination I can think of) and I get the same error.

Would I need to specify the full JID when creating the user? (Which I’m doing via just via the email and the Users plugin at the moment).

Also I never had to use the full JID with 4.0.4 did something change that now requires it?

I’ve discovered that the problem relates to the @ in the username. If I change the character to anything else (such as !) then things work perfectly as they did before.

It doesn’t matter if I escape the local part or not the problem still remains. Is this a problem with the 4.1.0 release given that the previous 4.0.4 release didn’t have this issue or am I doing something wrong in how I setup the account via the Users plugin?

Hmm, I just noticed: Why do you use escapeLocalpart() on the username?

Because the special characters in the email address need to be escaped, if you don’t you get this sort of thing (I’m using my real email address):

[java] 04:45:41 PM SENT (0): <stream:stream xmlns=‘jabber:client’ to=‘’ xmlns:stream=‘’ version=‘1.0’ from=‘’ xml:lang=‘en’>

As I say this worked fine (with escaping) in the 4.0.4 version. Also if I replace the @ with a ! then it works fine.

If I try and use the full JID I get:

[java] 04:49:18 PM SENT (0): <stream:stream xmlns=‘jabber:client’ to=‘’ xmlns:stream=‘’ version=‘1.0’ from=‘’ xml:lang=‘en’>

There seems to be a misunderstanding when escaping the localpart is needed. The “username” String from the XMPP point of view, is an abstract String. It’s usually the normalized localpart of a user’s JID, but that’s up to the server implementation. BTW, is your XMPP domain “”, or “”? Make sure it’s correctly configured in the connection configuration. Try using just the JID’s localpart, e.g. “me” as username.

The full email address is the username, so The server is “”. I don’t want my users to have to try and dream up usernames. Since I’m using the email address I have to escape it, at least I did have to in 4.0.4.

The full email address is the username, so The server is “”. I don’t want my users to have to try and dream up usernames. Since I’m using the email address I have to escape it, at least I did have to in 4.0.4.

That’s an usual setup You usually want your XMPP domain to be “”, so that users are reachable via e.g. "", and their username would be e.g. “gary”. Usually XMPP clients just ask for the users JID and the password. So if a user enters "" and “mypassword”, the client would extract the localpart, lookup the XMPP service for “” and login with the extracted localpart as username and password.

If you escape the email address which you use as “username” for login by means of xep-106, then it will become e.g. “gary\”, so this has to be username in the openfire database and not "". I assume you are aware of that. While I don’t see any reason why e.g. the backslash should cause any problems, you could try creating a test user with a simple username like “testuser” and see if it works.

I’m not using Smack and Openfire as a standard XMPP client. It is being used as a private network message transfer system. It won’t be public, standard XMPP clients won’t be able to read messages (the content will be PGP encrypted) and if they do consume messages then it would mess things up, I have a stateful messaging protocol in place. I also don’t want people having to dream up their own usernames.

I don’t really understand what has changed. In 4.0.4 using the escaped full email address worked fine. Openfire has a user with username "" and that has been working ok for months. Only when I changed to 4.1.0 did it break down.

I’m not sure I follow your escaping instance there, the escaping is there to provide substitutions of special characters so should become (and does) gary\40 When I create the user in Openfire I am escaping the email address/username so I’m sending gary\ however in the admin browser it shows up as "".

I have tried with a standard username and that works fine and as I mentioned further up, if I change the @ to a ! then it works with no problems.