Spark 2.5.3b1 SSO

Well, it looks pretty in the UI, but doesn't work in our environment.

Has anyone got this working? We're using LDAP Authentication (against AD) and the latest release of Openfire if that makes a difference.

The debug logs show that it identifies my user object in the directory OK, but the authentication fails with:

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

I presume the current default Openfire install doesn't support this yet?

It works with our AD environment with the latest Openfire release.

Damn, that was what was worrying me.

Are you sure it's working? If I set Spark up to remember my username and password, then I can login (obviously).

If I then subsequently tell Spark to use SSO, the login works. However, it seems to be failing back to my old username and password that it knows from before.

Deejay,

It seems you are right; I am following the same steps you mentioned and can't sign on using SSO.

I am seeing the same error in my Openfire Debug error log.

Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:

AcceptSecurityContext error, data 52e, vece]

Below are the outputs of my error.log and my output.log from spark.

Error.log:

SASL authentication failed:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:207)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:782)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

============================================================================

Output.log:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is user@domain.LOCAL

Commit Succeeded

Hi Deejay,

Did you have this working with another client and it's just failing with Spark? From your logs, it looks like the client is doing the correct behavior, but it's failing somewhere with the AuthorizationProvider on the Openfire side. Let me know.

Cheers,

Derek

Also, have you gone through the configuration setup?

http://norman.rasmussen.co.za/dl/sasl-sspi/

Cheers,

Derek

So you still have to patch Openfire(on Windows) to use the new SSO feature in Spark?

papawu wrote:

So you still have to patch Openfire(on Windows) to use the new SSO feature in Spark?

No, because I tried this today with standard Openfire 3.3.0. It works fine for a user who wasn't logged in with other credentials before. But it didn't launch on startup. I was testing with Vista; maybe that's the case.

Wroot,

Is your Openfire server running on Linux?

Yes. One more thing is that I'm not using AD and LDAP, just created the same user in the db, so it's not an exact SSO environment.

I'm getting the same error as DeeJay. Openfire server 3.3.1 on Windows authenticating to AD LDAP. Spark beta is running under an account logged into the same AD domain. No patches were applied to the server.

Message was edited by: aelix

Do you have any errors from the openfire server that show the exception stack? The LDAP error confuses me a little, since the SASL code changes shouldn't have any impact on LDAP queries.

Additionally, can you post your openfire.xml and gss.conf config files? Feel free to redact any sensitive information you want.

I'm having the same problem; the error was originally the same, but after I went through the steps above I'm getting a different one:

2007.05.16 14:30:44 Loading plugin saslmechanisms

2007.05.16 14:30:55 Trying to find a user's DN based on their username. sAMAccountName: …, Base DN: …

2007.05.16 14:30:55 Creating a DirContext in LdapManager.getContext()…

2007.05.16 14:30:55 Created hashtable with context values, attempting to create context…

2007.05.16 14:30:55 … context created successfully, returning.

2007.05.16 14:30:55 Starting LDAP search…

2007.05.16 14:30:55 … search finished

2007.05.16 14:30:55 In LdapManager.checkAuthentication(userDN, password), userDN is: CN="…",OU="…"… (The CN shown was the user's display name, not username.)

2007.05.16 14:30:55 Created context values, attempting to create context…

2007.05.16 14:30:55 … context created successfully, returning.

2007.05.16 14:30:55 Ignoring extra content {}

2007.05.16 14:31:04 Loading plugin saslmechanisms

Here is my conf file (I don't have a gss.conf and the install instructions don't mention one, but I did update the java.security file and openfire.xml):

I'm still not exactly sure how this is supposed to work. I read the documents for the SASL plug-in a while ago, which seemed to indicate it was already provided in Openfire 3 and above. Is that not the case (and therefore should we all install it)?

The second question is whether it is designed to work in an environment such as mine:

  1. We have multiple domains, a root domain and several subdomains.

  2. Openfire is configured to connect to a global catalog server on port 3268 which does allow all users in the forest to login.

  3. Our Openfire server is in a child domain.

Does the provider assume a single AD domain, or will it be able to cope with my environment?

My third and last question is will I need downtime to configure this, or will adding the plug-in result in it re-reading the openfire.xml config file?

Either way, this is definitely no longer a Spark issue (it probably works fine with SSO), more an Openfire config issue.

thanks,

D

I am also having an error with SSO. Here is the debug log from the wildfire 3.3.1 server:

2007.05.16 08:46:13 Trying to find a user's DN based on their username. sAMAccountName: doej, Base DN: OU=accounts,DC=ad,DC=mtstravel,DC=com…

2007.05.16 08:46:13 Creating a DirContext in LdapManager.getContext()…

2007.05.16 08:46:13 Created hashtable with context values, attempting to create context…

2007.05.16 08:46:13 … context created successfully, returning.

2007.05.16 08:46:13 Starting LDAP search…

2007.05.16 08:46:13 … search finished

2007.05.16 08:46:13 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“John Doe”,OU=“IS”,OU=“Users”…

2007.05.16 08:46:13 Created context values, attempting to create context…

2007.05.16 08:46:13 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)

at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:456)

at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:98)

at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:149)

at org.jivesoftware.openfire.net.SASLAuthentication.doPlainAuthentication(SASLAuthentication.java:444)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:202)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Here is the log from Spark 2.5.3.b1:

SASL authentication failed:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:207)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:782)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

Normal authentication works fine. We are using AD. The server and all clients run on Windows.
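The two logs quoted above fit together: Spark's Krb5LoginModule output reports a cached TGT and "Commit Succeeded", while the Openfire trace fails inside doPlainAuthentication, which is a password bind to AD that comes back with LDAP result 49 and AD sub-code 52e (invalid credentials). The Python script below is an added triage helper, not code from this thread or from the Spark/Openfire projects; the log excerpts are constructed from the lines posted above and the sub-code table is the set Active Directory attaches to result 49.

```python
import re
# Constructed excerpts of the two logs quoted in this thread: Spark's Krb5LoginModule
# debug output and Openfire's LDAP bind failure (stack trace trimmed to two frames).
SPARK_LOG = """\
Acquire TGT from Cache
Principal is user@domain.LOCAL
Commit Succeeded
"""
OPENFIRE_LOG = """\
2007.05.16 08:46:13 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:456)
at org.jivesoftware.openfire.net.SASLAuthentication.doPlainAuthentication(SASLAuthentication.java:444)
"""
# Sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong or empty password)",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}
ERR_RE = re.compile(r"LDAP: error code (\d+) - [0-9A-Fa-f]+: .*?data ([0-9a-f]+)")
MECH_RE = re.compile(r"SASLAuthentication\.do(\w+)Authentication")

def client_has_ticket(spark_log):
    """True when the JAAS module found a cached TGT and committed it on the client."""
    return "Acquire TGT from Cache" in spark_log and "Commit Succeeded" in spark_log

def server_bind_failure(openfire_log):
    """Return the SASL path Openfire took and the AD sub-code the bind came back with."""
    info = {"mechanism": None, "ad_subcode": None, "reason": None}
    for line in openfire_log.splitlines():
        m = MECH_RE.search(line)
        if m and info["mechanism"] is None:
            info["mechanism"] = m.group(1).upper()  # PLAIN in the thread's trace
        e = ERR_RE.search(line)
        if e and e.group(1) == "49":
            info["ad_subcode"] = e.group(2)
            info["reason"] = AD_BIND_SUBCODES.get(e.group(2), "unknown sub-code")
    return info

def verdict(spark_log, openfire_log):
    """Was the Kerberos ticket ever used, or did the client fall back to a password bind?"""
    srv = server_bind_failure(openfire_log)
    if client_has_ticket(spark_log) and srv["mechanism"] == "PLAIN":
        return ("client had a TGT but the server ran SASL PLAIN and bound to AD with a "
                f"password; AD replied 49/{srv['ad_subcode']}: {srv['reason']}")
    return "no PLAIN fallback with a valid client ticket detected"
```

Run it against the real error.log/debug.log pair before changing anything on the server: a 52e from a PLAIN bind means the Kerberos ticket never reached Openfire, whereas 533 or 775 would point at account state rather than the SSO setup.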

That's the same issue as me. From the posts above you need to install the SASL plug-in in Openfire and configure it for your environment (see link above for instructions).

Too bad there is not a patch for Openfire on Linux.

I thought there was, but it just seems it's Unix clients.

A reason to move to Windows?

Message was edited by: DeeJay

I think there is some confusion in this thread about what SSO is, and what Spark and Openfire support natively, so let me explain a little:

SSO is just a generic term, and doesn't mention any particular technology. Generally speaking, though, SSO is implemented using only a handful of technologies that are all very related. In the Unix world, Kerberos is the back-end with GSSAPI being the protocol used to exchange the keys (the part that lets you sign on multiple times). In the Windows world, Kerberos is still the back end, but it may come up front via GSSAPI, NTLM, SPNEGO, or other things, I'm sure. What Spark and Openfire have implemented is GSSAPI support.

This means under Unix things work great. The windows world is a bit of a crap shoot, though. Openfire requires a keytab file to work, and takes a bit of setup. Any “out of the box” installations will not work with SSO without getting a keytab from the KDC (or AD server) at this point, and they likely never will with GSSAPI because of the way keytabs work.

However, Windows has its own way of getting this keytab thing, and my understanding is Norman's patch implements this (I don't know much about it). This patch is for Wildfire only, though, and Spark's SSO support will not be compatible with it since it is a very specific protocol. This will likely change in the future, but we are not there yet.

From what I can tell, no one in this thread is using GSSAPI, and thus Spark will not work (yet). If you would like to get GSSAPI working, you can do that, and there are some documents on the Wiki explaining how to set that up. http://wiki.igniterealtime.org/display/WILDFIRE/GSSAPI+Authentication The document is a bit old, so depending on what version of Wildfire/Openfire you have, some things may have changed, but the support has been there since 3.0.0.