Spark 2.5.3b1 SSO can't find krb5.ini

After working with Slushpupie getting Openfire configured to use GSSAPI, I still can't get Spark 2.5.3b1 to connect using SSO.

This is what I see in the Spark error log. The Openfire logs are showing nothing.

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
    at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(Unknown Source)
    at javax.security.sasl.Sasl.createSaslClient(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:70)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:192)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:782)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
    at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.init(Unknown Source)
    at sun.security.jgss.GSSNameImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
    ... 11 more

not-authorized(401)

Any new info on this?

Derek, from yesterday's chat you said you were setting up an AD test environment to see if you can reproduce my error.

Any luck with this?

I have an AD setup now, but we just got all the software on it to start testing. It may be a few days. Perhaps longer, perhaps shorter. Depends on how busy my full-time job makes me.

Great,

Here is a Wireshark packet sniff from the workstation I'm on. Not sure if this will help.

No. Time Source Destination Protocol Info

1 0.000000 YY.YY.YY.YY XX.XX.XX.XX Jabber/XML Request:
Frame 1 (55 bytes on wire, 55 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4462 (4462), Dst Port: 5222 (5222), Seq: 0, Ack: 0, Len: 1
Jabber XML Messaging

2 0.000332 XX.XX.XX.XX YY.YY.YY.YY TCP 5222 > 4462 Seq=0 Ack=1 Win=6432 Len=0
Frame 2 (64 bytes on wire, 64 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4462 (4462), Seq: 0, Ack: 1, Len: 0

3 6.382848 YY.YY.YY.YY XX.XX.XX.XX TCP 4611 > 5222 Seq=0 Len=0 MSS=1460
Frame 3 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 0, Len: 0

4 6.383236 XX.XX.XX.XX YY.YY.YY.YY TCP 5222 > 4611 Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
Frame 4 (64 bytes on wire, 64 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 0, Ack: 1, Len: 0

5 6.383265 YY.YY.YY.YY XX.XX.XX.XX TCP 4611 > 5222 Seq=1 Ack=1 Win=65535 Len=0
Frame 5 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 1, Ack: 1, Len: 0

6 6.408423 YY.YY.YY.YY XX.XX.XX.XX Jabber/XML Request: <stream:stream to="im.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
Frame 6 (174 bytes on wire, 174 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 1, Ack: 1, Len: 120
Jabber XML Messaging

7 6.408760 XX.XX.XX.XX YY.YY.YY.YY TCP 5222 > 4611 Seq=1 Ack=121 Win=5840 Len=0
Frame 7 (64 bytes on wire, 64 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 1, Ack: 121, Len: 0

8 6.410357 XX.XX.XX.XX YY.YY.YY.YY Jabber/XML Response: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="im.domain.com" id="a4cde116" xml:lang="en" version="1.0">
Frame 8 (242 bytes on wire, 242 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 1, Ack: 121, Len: 188
Jabber XML Messaging

9 6.564831 YY.YY.YY.YY XX.XX.XX.XX TCP 4611 > 5222 Seq=121 Ack=189 Win=65347 Len=0
Frame 9 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 121, Ack: 189, Len: 0

10 6.565357 XX.XX.XX.XX YY.YY.YY.YY Jabber/XML Response: <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
Frame 10 (326 bytes on wire, 326 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 189, Ack: 121, Len: 272
Jabber XML Messaging

11 6.570752 YY.YY.YY.YY XX.XX.XX.XX Jabber/XML Request: <iq id="Cy1Ih-4" type="get"><query xmlns="jabber:iq:auth"><username>user1</username></query></iq>
Frame 11 (151 bytes on wire, 151 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 121, Ack: 461, Len: 97
Jabber XML Messaging

12 6.573898 XX.XX.XX.XX YY.YY.YY.YY Jabber/XML Response: <iq type="result" id="Cy1Ih-4"><query xmlns="jabber:iq:auth"><username>user1</username><password/><resource/></query></iq>
Frame 12 (176 bytes on wire, 176 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 461, Ack: 218, Len: 122
Jabber XML Messaging

13 6.574602 YY.YY.YY.YY XX.XX.XX.XX Jabber/XML Request: <iq id="Cy1Ih-5" type="set"><query xmlns="jabber:iq:auth"><username>user1</username><password/><resource>spark</resource></query></iq>
Frame 13 (188 bytes on wire, 188 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 218, Ack: 583, Len: 134
Jabber XML Messaging

14 6.576288 XX.XX.XX.XX YY.YY.YY.YY Jabber/XML Response: <iq type="error" id="Cy1Ih-5" to="im.domain.com/a4cde116"><query xmlns="jabber:iq:auth"><username>user1</username><password/><resource>spark</resource></query><error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>
Frame 14 (319 bytes on wire, 319 bytes captured)
Ethernet II, Src: Vmware_9c:23:2c (00:50:56:9c:23:2c), Dst: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39)
Internet Protocol, Src: XX.XX.XX.XX (XX.XX.XX.XX), Dst: YY.YY.YY.YY (YY.YY.YY.YY)
Transmission Control Protocol, Src Port: 5222 (5222), Dst Port: 4611 (4611), Seq: 583, Ack: 352, Len: 265
Jabber XML Messaging

15 6.765472 YY.YY.YY.YY XX.XX.XX.XX TCP 4611 > 5222 Seq=352 Ack=848 Win=64688 Len=0
Frame 15 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Toshiba_3d:1f:29 (00:0e:7b:3d:1f:39), Dst: Vmware_9c:23:2c (00:50:56:9c:23:2c)
Internet Protocol, Src: YY.YY.YY.YY (YY.YY.YY.YY), Dst: XX.XX.XX.XX (XX.XX.XX.XX)
Transmission Control Protocol, Src Port: 4611 (4611), Dst Port: 5222 (5222), Seq: 352, Ack: 848, Len: 0

What I see in the conversation is the client sent a normal style auth, instead of doing a GSSAPI response. It basically means that Spark was not able to obtain the credentials from Windows, and tried to fall back (and failed, in this case).

This is what I get in the Output.log from Spark:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is user1@DOMAIN.LOCAL

Commit Succeeded

Could this have something to do with my issue? My AD domain is domain.local while the FQDN of my Openfire server is im.domain.com.

http://www.igniterealtime.org/issues/browse/SMACK-224

According to the "Smack Info" tab in Spark 2.5.3b1, it is running 3.0.0. The issue mentioned was fixed in 3.0.3.

Yes and no. This issue will impact you, but Spark isn't getting far enough along to even authenticate with GSSAPI yet. You will need to wait for a newer version of Spark before it will work for you.

Were you able to pinpoint my issue? How far down in the Spark releases will I have to wait to use SSO?

I was not able to 100% pinpoint it yet, but I have learned a few things that will make Spark non-functional on a Windows client in AD for SSO. Since I'm just a volunteer at this point, the timeline will be dependent on how much free time I can find to work on it, unless other people with knowledge of Kerberos and Java can help me out.

This error is given because Java on the client doesn't know which REALM to use by default, or the KDC for that realm.

You can either specify those options as parameters to Java, or create the krb5.ini file.

On my client, I created the file (in c:\windows) as follows:

[libdefaults]
default_realm = LONDON.ACME.COM

[realms]
LONDON.ACME.COM = {
kdc = DC1.LONDON.ACME.COM
default_domain = LONDON.ACME.COM
}

edited to add: libdefault and realms should be in square brackets, but the forum broke the formatting

Message was edited by: DeeJay

Correct. The next version of Spark should address this issue without needing a krb5.ini on most Windows clients. In the directions I gave in the other post, using the batch files to start Spark and Openfire is what told Java about the realm and KDC (the -Djava.security.krb5.realm/kdc options).

Thanks for the input. Now I get the following.

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm SIS-US.LOCAL)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:782)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

This is what my krb5.ini looks like. And yes, I do have the square brackets around libdefaults and realms.

[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = { kdc = DC1.DOMAIN.LOCAL default_domain = DOMAIN.LOCAL }

Ok, this thread is getting huge, and I think we have multiple problems going on. Please make a separate post for new problems so we can keep things organized.

Slushpuppie,

I don't think there are multiple problems here. But I will open a new thread with my current issue.

My apologies, I thought this was on the other thread; no need to open a new one.

Can you do this for me?

Run the command nslookup with no arguments.

Then type:

set type=SRV

_kerberos._udp.sis-us.local

This should return a list of your KDCs. Is that what you put in your krb5.ini?

I get the following.

dc1.sis-us.local can't find kerberos.udp-sis-us.local: Non-existent domain

But I did resolve that error by making sure kdc = and default_domain = were on separate lines.

I am now getting this error:

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:782)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
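A small checker for the krb5.ini layout discussed in this thread (DeeJay's [libdefaults]/[realms] example and the kdc/default_domain-on-one-line problem just resolved above), added here as an example and not code from Spark, Smack or Openfire. It assumes a strict one-key-per-line reader, which is what reproduces the "Cannot get kdc for realm" symptom; the sample configs are constructed.

```python
# Added example (not Spark, Smack or Openfire code): a strict one-key-per-line
# krb5.ini reader that mirrors the two failure modes reported in this thread:
# missing [libdefaults]/[realms] headers, and a realm block crammed onto one line.
import re
SECTION_RE = re.compile(r"^\[(\w+)\]$")

def parse_krb5_ini(text):
    """Parse krb5.ini text; returns sections plus a list of detected problems."""
    cfg = {"libdefaults": {}, "realms": {}, "problems": []}
    section, realm = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                         # [libdefaults], [realms], ...
            section, realm = m.group(1).lower(), None
            continue
        if section is None:                           # brackets lost: key outside any section
            cfg["problems"].append(f"line {lineno}: key outside any [section]")
            continue
        if section == "realms":
            if "{" in line and "}" in line:           # REALM = { kdc = ... default_domain = ... }
                name = line.split("=", 1)[0].strip()
                cfg["realms"].setdefault(name, {})    # realm is known, but its kdc is lost
                cfg["problems"].append(f"line {lineno}: realm {name} on one line")
                continue
            if line.endswith("{"):                    # REALM = {
                realm = line[:-1].split("=", 1)[0].strip()
                cfg["realms"][realm] = {}
                continue
            if line == "}":
                realm = None
                continue
            target = cfg["realms"].get(realm)
        else:
            target = cfg.setdefault(section, {})
        if target is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target[key] = value
    return cfg

def kdc_for_default_realm(cfg):
    """The KDC Java would contact for default_realm, or None (the thread's error)."""
    realm = cfg["libdefaults"].get("default_realm")
    return cfg["realms"].get(realm, {}).get("kdc") if realm else None

# Constructed inputs: the poster's one-line realm block and the corrected layout.
ONE_LINE = "[libdefaults]\ndefault_realm = DOMAIN.LOCAL\n[realms]\nDOMAIN.LOCAL = { kdc = DC1.DOMAIN.LOCAL default_domain = DOMAIN.LOCAL }\n"
FIXED = "[libdefaults]\ndefault_realm = DOMAIN.LOCAL\n[realms]\nDOMAIN.LOCAL = {\n  kdc = DC1.DOMAIN.LOCAL\n  default_domain = DOMAIN.LOCAL\n}\n"
```

Run `parse_krb5_ini` on the file and then `kdc_for_default_realm` on the result; a None return with a non-empty problems list points at the layout rather than at DNS or the KDC itself.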

Getting there.

So, that indicates the KDC has been contacted, but it couldn't find the security principal.

I'm guessing that is because you don't have a reverse lookup for your server name, or the principal is wrong in AD?

Could you try to look that up? i.e. if your server is called server.ad.domain, do a lookup on the name, then a lookup on the resulting IP address.

i.e. nslookup server.ad.domain returns 1.2.3.4 then

nslookup 1.2.3.4 returns xmppserver.ad.domain

The client will then look in AD for a security principal called xmpp/xmppserver.ad.domain@REALM.

From all accounts, it cannot find that…

Message was edited by: DeeJay

I do have a reverse lookup for my DC.