Single Sign-On is not working

Hello there,

I've got some trouble getting SSO working in a Windows domain.

This is my situation:

  • Openfire is running on a SUSE Linux Enterprise Server

  • Spark is used in a Windows Server 2003 SDT Domain

I've read nearly all the documents and threads about SSO in the community board. Nevertheless, I hope you can help me.

Here are the error logs:

Openfire web console:

error.log:

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
2010.10.05 14:52:08 [org.jivesoftware.openfire.handler.IQHandler.process(IQHandler.java:69)] Internal server error
java.lang.NullPointerException
at java.util.regex.Matcher.quoteReplacement(Unknown Source)
at org.jivesoftware.openfire.ldap.LdapVCardProvider$VCard.treeWalk(LdapVCardProvider.java:517)
at org.jivesoftware.openfire.ldap.LdapVCardProvider$VCard.treeWalk(LdapVCardProvider.java:521)
at org.jivesoftware.openfire.ldap.LdapVCardProvider$VCard.getVCard(LdapVCardProvider.java:498)
at org.jivesoftware.openfire.ldap.LdapVCardProvider.loadVCard(LdapVCardProvider.java:211)
at org.jivesoftware.openfire.vcard.VCardManager.getOrLoadVCard(VCardManager.java:222)
at org.jivesoftware.openfire.vcard.VCardManager.getVCard(VCardManager.java:215)
at org.jivesoftware.openfire.handler.IQvCardHandler.handleIQ(IQvCardHandler.java:108)
at org.jivesoftware.openfire.handler.IQHandler.process(IQHandler.java:49)
at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:351)
at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:101)
at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:68)
at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:319)
at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler.java:79)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:284)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:176)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)

warn.log:

is empty.

info.log:

2010.10.05 13:28:16 User Login Failed. GSS initiate failed
2010.10.05 13:35:52 User Login Failed. GSS initiate failed
2010.10.05 14:00:45 User Login Failed. GSS initiate failed
2010.10.05 14:05:36 User Login Failed. GSS initiate failed
2010.10.05 14:08:59 User Login Failed. GSS initiate failed
2010.10.05 14:11:56 User Login Failed. GSS initiate failed
2010.10.05 14:16:24 User Login Failed. GSS initiate failed

debug.log:

2010.10.05 15:45:23 Stat: proxyTransferRate. Last sample: 1286286240. New sample: 1286286300
2010.10.05 15:45:23 008890 (01/05/00) - Connection #2 tested: OK
2010.10.05 15:45:23 008891 (01/05/00) - Connection #2 tested: OK
2010.10.05 15:45:23 008891 (01/05/00) - Connection #3 tested: OK
2010.10.05 15:45:23 008892 (01/05/00) - Connection #3 tested: OK
2010.10.05 15:45:23 008892 (01/05/00) - Connection #4 tested: OK
2010.10.05 15:45:23 008893 (01/05/00) - Connection #4 tested: OK
2010.10.05 15:45:23 Stat: muc_occupants. Last sample: 1286286240. New sample: 1286286300
2010.10.05 15:45:23 008893 (01/05/00) - Connection #5 tested: OK
2010.10.05 15:45:23 008894 (01/05/00) - Connection #5 tested: OK
2010.10.05 15:45:44 JettyLog: EXCEPTION
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.mortbay.io.nio.ChannelEndPoint.fill(ChannelEndPoint.java:122)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:282)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
2010.10.05 15:45:44 JettyLog: EOF
2010.10.05 15:46:05 LdapManager: Trying to find a user's DN based on their username. sAMAccountName: jalo, Base DN: ou="planta user", dc="planta", dc="de"...
2010.10.05 15:46:05 LdapManager: Creating a DirContext in LdapManager.getContext()...
2010.10.05 15:46:05 LdapManager: Created hashtable with context values, attempting to create context...
2010.10.05 15:46:05 LdapManager: ... context created successfully, returning.
2010.10.05 15:46:05 LdapManager: Starting LDAP search...
2010.10.05 15:46:05 LdapManager: ... search finished
2010.10.05 15:46:05 LdapManager: Trying to find a user's DN based on their username. sAMAccountName: jalo, Base DN: ou="planta user", dc="planta", dc="de"...
2010.10.05 15:46:05 LdapManager: Creating a DirContext in LdapManager.getContext()...
2010.10.05 15:46:05 LdapManager: Created hashtable with context values, attempting to create context...
2010.10.05 15:46:05 LdapManager: ... context created successfully, returning.
2010.10.05 15:46:05 LdapManager: Starting LDAP search...
2010.10.05 15:46:05 LdapManager: ... search finished
2010.10.05 15:46:05 LdapManager: Creating a DirContext in LdapManager.getContext()...
2010.10.05 15:46:05 LdapManager: Created hashtable with context values, attempting to create context...
2010.10.05 15:46:05 LdapManager: ... context created successfully, returning.

Spark:

Smack Debug Window:

Raw Sent Packets:

<stream:stream to="plantaXXX.planta.de" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<stream:stream to="planta.de" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
XXX

Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?>

<stream:features><mechanisms><mechanism>GSSAPI</mechanism></mechanisms><compression><method>zlib</method></compression></stream:features>

<?xml version='1.0' encoding='UTF-8'?><stream:features><mechanisms><mechanism>GSSAPI</mechanism></mechanisms><compression><method>zlib</method></compression></stream:features>

Spark logs:

error.log:

is empty.

warn.log:

05.10.2010 15:48:16 org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

This is my gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    realm="PLANTA.DE"
    principal="xmpp/plantaXXX.planta.de@PLANTA.DE"
    debug=true;
};

Openfire.xml:

<?xml version="1.0" encoding="UTF-8"?>
9090 9091 en org.jivesoftware.database.DefaultConnectionProvider PLANTA.DE org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider net.sourceforge.jtds.jdbc.Driver jdbc:jtds:sqlserver://plantaXX/Openfire;appName=jive openfire XXX select 1 true true 5 25 1.0 true true

krb5.ini:

[libdefaults]
    default_realm = PLANTA.DE
    noaddresses = true

[realms]
    PLANTA.DE = {
        kdc = plantaXX.planta.de
        admin_server = plantaXX.planta.de
        default_domain = planta.de
    }

[domain_realm]
    planta.de = PLANTA.DE
    .planta.de = PLANTA.DE

Adding the registry key is also done.

xmpp.fqdn is plantaXX.planta.de

klist on the SUSE server also works:

plantaXX:~ # kinit
Password for jalo@PLANTA.DE:
plantaXX:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jalo@PLANTA.DE

Valid starting Expires Service principal
10/05/10 16:02:37 10/06/10 02:02:40 krbtgt/PLANTA.DE@PLANTA.DE
renew until 10/06/10 02:02:37

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
plantaXX:~ #

Where is the problem?

Thanks in advance!

Greetings,

Jahn
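A configuration-consistency check for the kind of setup described in this post, added here as an example; it is not Openfire or Spark code, and the hostnames, realm and paths in its sample inputs are constructed placeholders. It parses a krb5.conf/krb5.ini and a JAAS gss.conf and cross-checks the pieces that have to agree for GSSAPI to get past "GSS initiate failed": the default realm, the [domain_realm] mapping for the server's domain, the service principal's host versus the FQDN clients connect to, and malformed quoting in the JAAS options. It generalizes beyond the single configuration above: any krb5 section name outside the known set is flagged, since a misspelled section is silently ignored by Kerberos.

```python
"""Lint a Kerberos/GSSAPI SSO setup like the one in the post: krb5.conf on the
XMPP server plus the JAAS gss.conf for the Krb5LoginModule acceptor.  Added
example, not Openfire or Spark code; sample hostnames, realm and paths are
constructed placeholders."""
import re

KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "appdefaults",
                       "capaths", "logging", "dbmodules", "plugins"}


def parse_krb5(text):
    """krb5.conf -> {section: {key: value}}; 'NAME = { ... }' becomes a nested dict."""
    cfg, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = m.group(1), None
            cfg.setdefault(section, {})
        elif section is None:
            continue                              # text before the first header
        elif line == "}":
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block = cfg[section].setdefault(key, {})
            else:
                (block if block is not None else cfg[section])[key] = value
    return cfg


def parse_jaas(text):
    """JAAS login config -> {entry: {"head": [module, flag], "options": {}, "errors": []}}.
    Like Java's StreamTokenizer, a quoted value ends at the closing quote or at
    end of line; the end-of-line case is recorded as an error here."""
    entries, name, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            name, entry = line[:-1].strip(), {"head": [], "options": {}, "errors": []}
        elif line.startswith("}") and name:
            entries[name], name, entry = entry, None, None
        elif entry is not None:
            for tok in line.rstrip(";").split():
                if "=" not in tok:                # module class name, control flag
                    entry["head"].append(tok)
                    continue
                key, _, value = tok.partition("=")
                if value.startswith('"') and not (len(value) > 1 and value.endswith('"')):
                    entry["errors"].append(f"unterminated quote in {key}=")
                entry["options"][key] = value.strip('"')
    return entries


def check_sso(krb5_text, jaas_text, xmpp_fqdn, entry_name="com.sun.security.jgss.accept"):
    """Cross-check krb5.conf, the JAAS acceptor entry and the FQDN clients use to
    build the service principal.  Returns a list of findings; [] means consistent."""
    krb5, jaas, out = parse_krb5(krb5_text), parse_jaas(jaas_text), []
    out += [f"krb5: unknown section [{s}] (misspelled [domain_realm]?)"
            for s in krb5 if s not in KNOWN_KRB5_SECTIONS]
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if not realm:
        out.append("krb5: [libdefaults] has no default_realm")
    domain = xmpp_fqdn.partition(".")[2]
    if realm and not any(k.lstrip(".") == domain and v == realm
                         for k, v in krb5.get("domain_realm", {}).items()):
        out.append(f"krb5: [domain_realm] does not map {domain} to {realm}")
    entry = jaas.get(entry_name)
    if entry is None:
        return out + [f"jaas: no {entry_name} entry"]
    out += [f"jaas: {e}" for e in entry["errors"]]
    opts = entry["options"]
    m = re.fullmatch(r"xmpp/([^@/]+)@(.+)", opts.get("principal", ""))
    if not m:
        out.append("jaas: principal must look like xmpp/<fqdn>@<REALM>")
    else:
        host, prealm = m.groups()
        if host.lower() != xmpp_fqdn.lower():
            out.append(f"jaas: principal host {host} != xmpp.fqdn {xmpp_fqdn}")
        if realm and prealm != realm:
            out.append(f"jaas: principal realm {prealm} != default_realm {realm}")
    return out


# Constructed samples with three easy-to-miss mistakes: a misspelled [domain_realm]
# section, an unterminated quote in gss.conf, and a principal host != xmpp.fqdn.
SAMPLE_KRB5 = """\
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = dc1.example.com
}
[domain_realms]
.example.com = EXAMPLE.COM
"""
SAMPLE_GSS_CONF = """\
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true useKeyTab=true keyTab="/opt/openfire/resources/xmpp.keytab"
doNotPrompt=true isInitiator=false
realm="EXAMPLE.COM
principal="xmpp/xmpp-old.example.com@EXAMPLE.COM" debug=true;
};
"""
XMPP_FQDN = "xmpp.example.com"

if __name__ == "__main__":
    print(*check_sso(SAMPLE_KRB5, SAMPLE_GSS_CONF, XMPP_FQDN), sep="\n")
```

Run against real files, `check_sso(open("/etc/krb5.conf").read(), open("gss.conf").read(), "<xmpp.fqdn>")` returns the list of mismatches; an empty list only says the three inputs agree with each other, not that the keytab matches the KDC's copy of the service key, so `kinit -k -t xmpp.keytab xmpp/<fqdn>@<REALM>` on the server remains the next step when the list is empty and GSSAPI still fails.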