Spark 2.5.3 SSO and AD? Documentation?

You guys (papawu and DeeJay) beat me to the punch. I'm glad others are starting to catch on to how this works. Thanks guys.

They are right, the easiest way at this point is to create the krb5.ini it wants. Just make sure your realm name is upper case like papawu says.

I have some code for Spark that eliminates the need for that file, but it's not been incorporated anywhere yet. Soon, I hope.

Slushpupie,

If it wasn't for your help, deejay and I wouldn't be able to help others. I really hope your code to eliminate the krb5.ini file will be in Spark soon.

Still get an error.

Here is the new krb5.ini:

default_realm = AD.MTSTRAVEL.COM
noaddresses = true
DOMAIN.LOCAL = {
    kdc = MTS1.AD.MTSTRAVEL.COM
    default_domain = AD.MTSTRAVEL.COM
}

Spark error log:

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.MTSTRAVEL.COM)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.MTSTRAVEL.COM)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    … 9 more
Caused by: KrbException: Cannot get kdc for realm AD.MTSTRAVEL.COM
    at sun.security.krb5.KrbKdcReq.send(Unknown Source)
    at sun.security.krb5.KrbKdcReq.send(Unknown Source)
    at sun.security.krb5.KrbTgsReq.send(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    … 12 more

not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Let's make sure you have the format of that file correct. Here is what I think yours should look like:

[libdefaults]
default_realm = AD.MTSTRAVEL.COM
noaddresses = true

[realms]
AD.MTSTRAVEL.COM = {
    kdc = mts1.ad.mtstravel.com
    default_domain = ad.mtstravel.com
}

Note that mts1 is assumed to be your KDC. This needs to be a Windows Domain Controller (or whatever the terminology is these days). You can specify more than one in there if you have BDCs.

Aside: If you want to post text that requires specific formatting (config files, some error messages, etc.), then make sure you use the Preformatted option in the Rich Text editor, or if you use the Plain Text editor put your text in code brackets like this:

{code}
foo
{code}

Which will generate this:

foo

Message was edited by: slushpupie

And make sure each entry is on separate lines.

AD.MTSTRAVEL.COM = {
    kdc = mts1.ad.mtstravel.com
    default_domain = ad.mtstravel.com
}
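As an added example (not code from this thread, from Spark, or from Openfire), the checker below parses a krb5.ini in the brace-delimited layout shown above and reports the mistakes this thread has turned up so far: no [libdefaults]/[realms] headers, a header glued onto the previous entry's line, a default_realm that is not upper case or has no matching block under [realms], and a realm block that names no kdc. The sample files are constructed to mirror the posted file and the corrected layout; the realm and host names are the ones used in the thread.

```python
"""Parse a krb5.ini in the MIT layout that Java's Kerberos stack reads, and flag
the mistakes discussed in this thread: missing [libdefaults]/[realms] headers,
entries not on their own lines, a default_realm that is not upper case or has
no matching block under [realms], and a realm block that names no kdc."""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")        # [libdefaults], [realms], ...
KV_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*?)\s*$")      # key = value  (value may be "{")


def parse_krb5(text: str) -> Dict[str, dict]:
    """Return {section: {key: [values]}}. A `NAME = { ... }` block becomes a nested
    dict under NAME. Values are lists because keys such as kdc may repeat."""
    sections: Dict[str, dict] = {}
    current = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current, block = sections.setdefault(m.group(1), {}), None
            continue
        if current is None:
            raise ValueError(f"entry before any [section] header: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("unexpected '}'")
            block = None
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        key, value = m.groups()
        # A header or brace glued onto a value means two entries landed on one line.
        if "[" in value or ("{" in value and value != "{"):
            raise ValueError(f"each entry must be on its own line: {line!r}")
        if value == "{":
            if block is not None:
                raise ValueError(f"nested block not allowed: {line!r}")
            block = current.setdefault(key, {})
            continue
        (block if block is not None else current).setdefault(key, []).append(value)
    if block is not None:
        raise ValueError("unterminated '{' block")
    return sections


def check_krb5(text: str) -> List[str]:
    """Return the problems found; an empty list means the file passes these checks."""
    try:
        cfg = parse_krb5(text)
    except ValueError as err:
        return [str(err)]
    problems = [f"missing [{s}] section" for s in ("libdefaults", "realms") if s not in cfg]
    if problems:
        return problems
    defaults = cfg["libdefaults"].get("default_realm")
    if not defaults:
        return ["no default_realm in [libdefaults]"]
    default = defaults[-1]
    if default != default.upper():
        problems.append(f"default_realm {default!r} must be upper case")
    realms = cfg["realms"]
    if default not in realms:  # realm names are case-sensitive, so DOMAIN.LOCAL will not do
        problems.append(f"default_realm {default!r} has no block in [realms] "
                        f"(found: {', '.join(realms) or 'none'})")
    for name, opts in realms.items():
        if not isinstance(opts, dict):
            problems.append(f"[realms] entry {name!r} is not a {{ ... }} block")
        elif not opts.get("kdc"):
            problems.append(f"realm {name!r} names no kdc")
    return problems


# Constructed samples. POSTED mirrors the file first posted in this thread (no
# section headers, and a DOMAIN.LOCAL block that does not match default_realm);
# FUSED has a header glued onto the previous line; FIXED is the corrected layout.
POSTED = """\
default_realm = AD.MTSTRAVEL.COM
noaddresses = true
DOMAIN.LOCAL = {
kdc = MTS1.AD.MTSTRAVEL.COM
default_domain = AD.MTSTRAVEL.COM
}
"""
POSTED_WITH_HEADERS = "[libdefaults]\n" + POSTED.replace("DOMAIN.LOCAL", "[realms]\nDOMAIN.LOCAL", 1)
FUSED = "[libdefaults]\ndefault_realm = AD.MTSTRAVEL.COM\nnoaddresses = true [realms]\n"
FIXED = """\
[libdefaults]
default_realm = AD.MTSTRAVEL.COM
noaddresses = true
[realms]
AD.MTSTRAVEL.COM = {
    kdc = mts1.ad.mtstravel.com
    default_domain = ad.mtstravel.com
}
"""

if __name__ == "__main__":
    for label, sample in [("posted", POSTED), ("with headers", POSTED_WITH_HEADERS),
                          ("fused", FUSED), ("fixed", FIXED)]:
        print(f"{label}: {check_krb5(sample) or 'OK'}")
```

Run it against the file you actually ship (`check_krb5(open(r"C:\WINDOWS\krb5.ini").read())`) before copying it to the server; the parser is deliberately strict about one entry per line because the rich-text editor here tends to fold lines together.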

The bolded lines can be lowercase?

The only thing that needs to be uppercase is the realm name. That only shows up twice in your file: when you specify the default, and when you configure its options. The "kdc" and "default_domain" options are domain names, which are technically speaking case insensitive/preserving. Most people use them in the lower case sense, so I suggest keeping with that to help distinguish between realms and domains.

Well, they did not bold... haha. Nothing is going my way today.

I have verified that the file looks as you state. I still get an error in Spark:

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    … 9 more
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    … 17 more

not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Ok, progress is being made. This next error “KDC has no support for encryption type (14)” is a deceiving error. On newer versions of Windows (XP SP2, etc) Microsoft changed the way things work a little. To get Java to work with it, you need to edit the registry.

Depending on the OS, the setting is in a different location:

For Windows 2003 and Windows 2000 SP4:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 (default is 0)

Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Could this be caused by the type of encryption in the jabber.keytab?

No. It's a very misleading error message. If the encryption type were wrong, it would list the type number as something other than 14. Check your server logs, because Openfire would report the same error if it is an enctype error. I don't know why Java reports this as a bad enctype; I wish they would say what it really is, or at least set the type to 0 (that would be reasonable in this case too).

Ok so now the error log is much different after adding the registry entry. Now I get this:

SASL authentication failed:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Now we need to switch to the server to see why authentication failed. Things look good on the client side.

If you have debugging turned on, you should see a bunch of stuff in the debug log at the time you tried to log in.

Now the server is reporting these errors:

WARN:

2007.06.04 12:31:46 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
    … 20 more

DEBUG:

2007.06.04 12:32:04
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:232)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:206)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:506)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Copy your krb5.ini over to the server; it's in the same state.
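To make the diagnosis path worked out in this thread reusable, here is an added example (not code from the thread, from Spark, or from Openfire) that scans pasted Spark or Openfire log text for the messages seen above and says which side to look at next: a "Cannot get kdc for realm" failure points at the client's krb5.ini, "encryption type (14)" points at the allowtgtsessionkey registry value, a bare "SASL authentication failed" means the client is fine and the Openfire debug log is the next stop, and "Could not load configuration file" on the server means the server needs its own copy of krb5.ini. The sample log lines are constructed, trimmed versions of the traces posted earlier; the advice strings are my summary of the replies, not messages emitted by the software.

```python
"""Triage for the Kerberos/SASL failures shown in this thread: scan pasted Spark
or Openfire log text and report, per distinct problem, which side to fix next."""
import re
from typing import List, Tuple

# (pattern, side, advice). Checked in order; the first pattern matching a line wins,
# so the specific enctype-14 rule sits before the generic enctype rule.
RULES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"Cannot get kdc for realm ([\w.\-]+)"), "client",
     "krb5.ini has no [realms] block for {0}: check the section headers and the upper-case realm name"),
    (re.compile(r"KDC has no support for encryption type \(14\)"), "client",
     "misleading message: set allowtgtsessionkey = 1 under HKLM\\...\\Control\\Lsa\\Kerberos "
     "(\\Parameters on Windows 2003/2000 SP4) so Java can read the TGT session key"),
    (re.compile(r"KDC has no support for encryption type \((\d+)\)"), "client",
     "genuine enctype mismatch for type {0}: compare the keytab's enctypes with the KDC's; "
     "Openfire's log should show the same error"),
    (re.compile(r"Could not load configuration file (\S+)"), "server",
     "Openfire cannot find {0}: copy the working krb5.ini to the server"),
    (re.compile(r"SASL authentication failed"), "server",
     "client side is fine; read the Openfire debug log for the login time"),
]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (side, advice) for each distinct finding, in order of first appearance.
    'Caused by:' lines repeat the same message, so findings are de-duplicated, and the
    generic 'SASL authentication failed' advice is dropped when a specific cause exists."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        for pattern, side, advice in RULES:
            m = pattern.search(line)
            if m:
                finding = (side, advice.format(*m.groups()))
                if finding not in findings:
                    findings.append(finding)
                break
    if len(findings) > 1:
        findings = [f for f in findings if not f[1].startswith("client side is fine")]
    return findings


# Constructed samples, trimmed from the traces posted above.
CLIENT_NO_KDC = (
    "javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: "
    "No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.MTSTRAVEL.COM)\n"
    "Caused by: KrbException: Cannot get kdc for realm AD.MTSTRAVEL.COM\n"
)
CLIENT_ENCTYPE_14 = "Caused by: KrbException: KDC has no support for encryption type (14)\n"
CLIENT_GENERIC = (
    "SASL authentication failed:\n"
    "\tat org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)\n"
)
SERVER_NO_INI = (
    "javax.security.sasl.SaslException: Failure to initialize security context Caused by "
    "GSSException: Invalid name provided (Mechanism level: Could not load configuration file "
    "C:\\WINDOWS\\krb5.ini (The system cannot find the file specified))\n"
)

if __name__ == "__main__":
    for log in (CLIENT_NO_KDC, CLIENT_ENCTYPE_14, CLIENT_GENERIC, SERVER_NO_INI):
        for side, advice in triage(log):
            print(f"[{side}] {advice}")
```

Paste the whole Spark error log or the Openfire warn/debug output into `triage()`; because the rules are ordered, an enctype other than 14 is reported as a real keytab/KDC mismatch rather than as the registry issue.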

I figured that is what that meant, and did that already. I also added the registry fix. That seems to have done it. Now I need to build an installer that does all this automatically on a windows machine.

So I was able to build a custom spark.msi that incorporates the krb5.ini and the registry settings. Installed it on 2 other machines and they worked no problem. Thanks to everyone for the help. We really need to consolidate all this into a step by step for Windows users, although this thread is now pretty complete.

As I've said before, SSO in Spark is still very young, and the SSO support in Openfire was designed around Unix. There are still improvements coming, so this process will change for Windows users. It's not for the weak-hearted yet.

That is very true. But I must say it was fairly painless with all the excellent support from you all.

So what did you use to create the msi? I've been wanting to learn how to do that, just haven't had the time to figure it out.