Single sign-on (SSO) not working with Openfire 3.10.2 & Pandion

I have a working Openfire 3.8.2 installation (Windows 2008 R2 server, SQL Server 2012 back end) with hundreds of Windows users auto-logging on with Pandion and Norman Rasmussen’s NTLM libraries. I wanted to upgrade this to 3.10.

Unfortunately the SSO part does not work anymore. I can log in without SSO with Spark and Pandion. I have tried replacing the files with the latest nightly, and with a patched openfire.jar (from this thread: "Openfire GSSAPI / Kerberos login no longer working with 3.10.0"), but to no avail. Java is the one shipped with 3.10.2 (1.70_79). I also tried using the JRE from 3.8.2. LDAP works fine, but it's the SSO part that doesn't. In the console from Pandion I get the following from an unsuccessful SSO login:

EVNT: Connecting to openfire.internal.domain
SENT: <?xml version="1.0"?>
SENT: <stream:stream to="internal.domain" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="internal.domain" id="c0c030fd" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>NTLM</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
SENT: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="NTLM"/>
RECV: <challenge xmlns:stream="http://etherx.jabber.org/streams" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">TlRMTVNTUAACAAAAGAAYACAAAAAFAggA4Sc0LcvE0zx0AHIAaQBvAGQAbwBzAC4AYwBvAHIAcAA=</challenge>
SENT: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">TlRMTVNTUAABAAAAl7II4gcABwAzAAAACwALACgAAAAGAbEdAAAAD05MMDEwV1MwODczVFJJ
T0RPUw==</response>
RECV: <failure xmlns:stream="http://etherx.jabber.org/streams" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><incorrect-encoding/></failure>
SENT: </stream:stream>
EVNT: Disconnected
RECV: </stream:stream>

I also get the following error dialog from Pandion:

Cannot sign in. This may have one of the following causes:

  • You entered an incorrect password

  • The account does not exist on the server

which is evidently not true, as I can log in without SSO and get the following from the console:

EVNT: Connecting to openfire.internal.domain
SENT: <?xml version="1.0"?>
SENT: <stream:stream to="internal.domain" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="internal.domain" id="ac392fba" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>NTLM</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
SENT: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AHNyaG9kZXMAM1Zlcnl0aGluZw==</auth>
RECV: <success xmlns:stream="http://etherx.jabber.org/streams" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
SENT: <stream:stream to="internal.domain" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="internal.domain" id="ac392fba" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"><optional/></session></stream:features>
SENT: <compress xmlns="http://jabber.org/protocol/compress"><method>zlib</method></compress>
RECV: <compressed xmlns:stream="http://etherx.jabber.org/streams" xmlns="http://jabber.org/protocol/compress"/>
SENT: <stream:stream to="internal.domain" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="internal.domain" id="ac392fba" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>NTLM</mechanism><mechanism>PLAIN</mechanism></mechanisms><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"><optional/></session></stream:features>
SENT: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AHNyaG9kZXMAM1Zlcnl0aGluZw==</auth>
RECV: <success xmlns:stream="http://etherx.jabber.org/streams" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
SENT: <stream:stream to="internal.domain" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="internal.domain" id="ac392fba" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"><optional/></session></stream:features>
SENT: <iq type="set" id="sd58"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>Pandion</resource></bind></iq>

I’m not complicating things by using TLS or SSL.

Is there a solution on the way? Anyone else with these problems?
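The two base64 payloads in the failing trace above are plain NTLMSSP messages, and their fixed header tells you which step of the three-message NTLM handshake each side thinks it is at. The following is an added example, not code from the original post, from Pandion or from Openfire: a small Python decoder for the NTLMSSP header (signature, message type, NegotiateFlags, and the 8-byte server challenge of a Type 2 message), run over the `<challenge>` and `<response>` blobs copied from the trace. It deliberately does not decode the variable-length string fields (target name, workstation, domain): base64 is not redaction, and those fields carry the real names that the placeholders in the XML stand for, so strip or re-encode them before posting a trace.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE (Type 1)", 2: "CHALLENGE (Type 2)", 3: "AUTHENTICATE (Type 3)"}

# NegotiateFlags bits from MS-NLMP section 2.2.2.5 (the subset seen in practice).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# The two SASL payloads copied verbatim from the failing Pandion trace in the post above.
SERVER_CHALLENGE = "TlRMTVNTUAACAAAAGAAYACAAAAAFAggA4Sc0LcvE0zx0AHIAaQBvAGQAbwBzAC4AYwBvAHIAcAA="
CLIENT_RESPONSE = ("TlRMTVNTUAABAAAAl7II4gcABwAzAAAACwALACgAAAAGAbEdAAAAD05MMDEwV1MwODczVFJJ"
                   "T0RPUw==")


def decode_ntlm_header(b64: str) -> dict:
    """Decode only the fixed-layout part of an NTLMSSP message.

    Returns the message type, the NegotiateFlags word with its decoded bit names,
    and for a Type 2 message the 8-byte server challenge. The variable-length
    string fields (target name, workstation, domain) are intentionally not decoded.
    """
    raw = base64.b64decode("".join(b64.split()))  # Pandion wraps long lines in its console
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"type": msg_type, "type_name": MESSAGE_TYPES.get(msg_type, "unknown")}
    # NegotiateFlags sit at a different offset in each message type.
    if msg_type == 1:
        (flags,) = struct.unpack_from("<I", raw, 12)
    elif msg_type == 2:
        (flags,) = struct.unpack_from("<I", raw, 20)   # after the 8-byte TargetNameFields
        info["server_challenge"] = raw[24:32].hex()
    elif msg_type == 3:
        if len(raw) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        (flags,) = struct.unpack_from("<I", raw, 60)   # after the six payload field descriptors
    else:
        flags = 0
    info["flags"] = flags
    info["flag_names"] = [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    return info


def classify_exchange(server_b64: str, client_b64: str) -> str:
    """Verdict on a server <challenge> followed by a client <response>.

    A healthy NTLM SASL handshake is client Type 1 -> server Type 2 -> client Type 3,
    so the only pair that should appear in this position is (2, 3).
    """
    srv, cli = decode_ntlm_header(server_b64), decode_ntlm_header(client_b64)
    if (srv["type"], cli["type"]) == (2, 3):
        return "consistent: CHALLENGE answered by AUTHENTICATE"
    if (srv["type"], cli["type"]) == (2, 1):
        return "out of order: client answered a CHALLENGE with a NEGOTIATE"
    return f"unexpected pair: server type {srv['type']}, client type {cli['type']}"


if __name__ == "__main__":
    for label, blob in (("server", SERVER_CHALLENGE), ("client", CLIENT_RESPONSE)):
        hdr = decode_ntlm_header(blob)
        print(f"{label}: {hdr['type_name']} flags=0x{hdr['flags']:08x}")
        print("    " + ", ".join(hdr["flag_names"]))
        if "server_challenge" in hdr:
            print("    challenge =", hdr["server_challenge"])
    print(classify_exchange(SERVER_CHALLENGE, CLIENT_RESPONSE))
```

Run against the trace, the server's `<challenge>` decodes as a Type 2 CHALLENGE and the client's `<response>` as a Type 1 NEGOTIATE: Openfire issued a challenge before Pandion had sent its negotiate, and Pandion's NTLM library then started the handshake from the beginning. Whichever side is at fault, a server expecting an AUTHENTICATE will reject a NEGOTIATE, which is consistent with the `<incorrect-encoding/>` failure in the trace. Both flag words also carry NEGOTIATE_EXTENDED_SESSIONSECURITY, so the two sides at least agree on the NTLMv2-style session security they want.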

I use gssapi for sso and it works fine with the newest version. There may be a compatibility issue with the ntlm implementation… However, looking at the install.txt file, make sure you reinstall the security provider in jre/lib/security/java.security. Per the document, that gets overwritten during upgrades.

Thanks for the quick answer. We run Pandion on Citrix via App-V sequencing, and although we have sequenced Spark, it's not ready for prime time, so I hope Pandion works with GSSAPI (a quick Google search seems to indicate that it does). Now I'm not sure why my previous colleague used the old SASL libraries.

I have carried the settings over from the old installation, including the java.security, openfire.xml, and the saslsspi.dll, sasl-sspi.jar and saslmechanisms.jar.

The instructions here ("SSO Configuration") look more complex, though, but I'll have a look. Are these still valid?

You might want to try making sure you have the most current lib:

http://norman.rasmussen.co.za/dl/sasl-sspi/

Also, if you're wanting to use GSSAPI for SSO, it can be a little tricky to get set up. Here is a pretty good doc: "Openfire+Spark on Windows Server 2008 R2 with SSO".

Also, here is one I threw together: "How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2".


Thanks for the help. I've switched to GSSAPI and followed the guide step by step in the PDF in DOC-2706. It's not working yet, though, in either Spark or Pandion.

Spark: [screenshot Clipboard01.jpg]

Pandion: [screenshot Clipboard02.jpg]

This is the output from Pandion’s console (F12).

EVNT: Connecting to openfiretest.domain.corp
SENT: <?xml version="1.0"?>
SENT: <stream:stream to="domain.corp" xml:lang="en" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="nl010vn0104" id="208f9f09" xml:lang="en" version="1.0">
RECV: <stream:features xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
SENT: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="GSSAPI">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</auth>
RECV: <failure xmlns:stream="http://etherx.jabber.org/streams" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
SENT: </stream:stream>
EVNT: Disconnected
RECV: </stream:stream>

The Spark / Smack Debug shows this in the raw packets tab:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="nl010vn0104" id="6dc6f83a" xml:lang="en" version="1.0">
<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<iq type="error" id="RHC3t-13" to="nl010vn0104/6dc6f83a"><ping xmlns="urn:xmpp:ping"/><error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>

With Pandion login attempts, I also get this in my info.log on the Openfire server:

2015.07.28 10:35:00 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

I have created the new service account, run setspn, created the keytab, changed the group policy for encryption types, added the pointer and host in the reverse lookup, added the gss.conf, added the sasl, gssapi and authorization sections in openfire.xml, set xmpp.fqdn, put the krb5.ini on the server and client, and made the registry changes as well (with reboots).

The only thing I can think of is that I created the keytab in Java and not Windows.

It looks like the issue is with your keytab file. I would try recreating it in Windows to see if that resolves your issue.
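Before recreating the keytab it is worth looking inside the one you have, because "Failure to initialize security context" on the acceptor side usually comes down to one of three mismatches: the principal in the keytab is not the SPN the client asks for (Kerberos principals are case-sensitive, so xmpp/OpenfireTest... is not xmpp/openfiretest...), the key's encryption type is not one the KDC and your encryption-type group policy allow, or the kvno no longer matches the account. The following is an added example, not part of this thread and not Openfire, ktab or ktpass code: a Python reader and writer for the MIT keytab format (version 0x0502) with a check for those three conditions. The SPN `xmpp/openfiretest.domain.corp@DOMAIN.CORP` is an assumption built from the hostname in the trace and a realm derived from it; the kvno, timestamps and all-zero keys in the sample keytabs are constructed dummies.

```python
import struct
from dataclasses import dataclass

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries: list) -> bytes:
    """Serialise entries in MIT keytab format version 0x0502 (all integers big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # component count excludes the realm
        for s in [realm, *comps]:                           # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                   # optional full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (version 0x0502); deleted slots have a negative size and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")

    def counted(at: int):
        (n,) = struct.unpack_from(">H", data, at)
        return data[at + 2:at + 2 + n].decode(), at + 2 + n

    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(p)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key = data[p + 13:p + 13 + klen]
        p += 13 + klen
        kvno = vno8
        if end - p >= 4:                                    # 32-bit kvno present; use it if non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def check_keytab(data: bytes, expected_spn: str, allowed_enctypes: set) -> list:
    """Findings that would stop a GSSAPI acceptor from using this keytab for expected_spn."""
    entries = parse_keytab(data)
    candidates = [e for e in entries if e.principal.lower() == expected_spn.lower()]
    if not candidates:
        present = ", ".join(sorted({e.principal for e in entries})) or "none"
        return [f"no entry for {expected_spn}; principals present: {present}"]
    findings = []
    for e in candidates:
        if e.principal != expected_spn:                     # principals are case-sensitive
            findings.append(f"principal case mismatch: keytab has {e.principal}")
        if e.enctype not in allowed_enctypes:
            findings.append(f"{e.principal}: enctype {ENCTYPES.get(e.enctype, e.enctype)} "
                            "is not one the KDC/GPO allows")
    if len({e.kvno for e in candidates}) > 1:
        findings.append(f"{expected_spn}: mixed kvno values {sorted(e.kvno for e in candidates)}")
    return findings


# Constructed sample data (not from the thread). SPN and realm are assumptions built from the
# hostname in the trace; kvno, timestamps and the all-zero keys are dummies.
SPN = "xmpp/openfiretest.domain.corp@DOMAIN.CORP"
GOOD_KEYTAB = build_keytab([KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1438070100, 2, 18, bytes(32))])
BAD_KEYTAB = build_keytab([KeytabEntry("xmpp/OpenfireTest.domain.corp@DOMAIN.CORP",
                                       KRB5_NT_PRINCIPAL, 1438070100, 1, 23, bytes(16))])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(label, check_keytab(kt, SPN, {17, 18}) or ["ok"])
```

To use it on a real file, read the keytab bytes and call `check_keytab(data, "xmpp/<fqdn>@<REALM>", {17, 18})` with the enctype numbers your group policy permits; the principal printed in a "no entry" finding is the quickest way to spot a keytab that was generated for the wrong SPN, wrong case or wrong realm. Keep in mind that the keytab holds the service account's long-term key, so treat the file (and any copy you inspect) with the same care as the account's password.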