Spark OpenFire SSO/LDAP with Win10 and 2k16 - SASLError using GSSAPI

Hi, been at this for over two weeks now and cannot get spark/openfire to work. I’ve tried every guide going on the internet and recreated the keytab file loads of times. Had plenty of errors when logging in but the error below is the most recent and the one I’ve had the most.

Domain: Sapphire. UK
DC: SID-DC01
Application: SID-FS

The Error:

WARNING: Exception in Login:
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
at java.lang.Thread.run(Unknown Source)

I’m running Spark 2.8.3 and Openfire 4.2.3. I’ve tried downgrading the Java on both and also adding the Java enhanced encryption files for version 8.

Below are my configs:

setspn -S XMPP/sid-fs.sapphire. UK keytab

ktab -k xmpp.keytab -a xmpp/sid.fs.sapphire. UK@SAPPHIRE. UK

ktpass -princ xmpp/sid-fs.sapphire. UK@SAPPHIRE. UK -mapuser keytab@sapphire. UK -crypto AES128-SHA1 -pass * -ptype KRB5_NT_PRINCIPAL -out c:\xmpp.keytab

User Accounts:

User Logon Name:
ldaplookup
User Logon Name (pre-Windows 2000):
ldaplookup

User Logon Name:
xmpp/sid-fs@sapphire. UK
User Logon Name (pre-Windows 2000):
keytab

Both user accounts have the support for Kerberos AES 128-bit and 256-bit encryption tick boxes ticked.

GSS.CONF:

com.sun.security.jgss.accept {
com.sun.security.auth.module.krb5LoginModule
required
storeKey=True
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="SAPPHIRE. UK"
principal="xmpp/sid-fs.sapphire. UK@SAPPHIRE. UK"
debug=true;
};

krb5.ini:

[libdefaults]
default_realm = SAPPHIRE. UK
udp_preference_limit = 1
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
allow_weak_crypto = true

[realms]
SAPPHIRE. UK = {
kdc = sid-dc01.sapphire. uk
admin_server = sid-dc01.sapphire. uk
default_domain = sapphire. uk
}
[domain_realms]
sapphire. UK = SAPPHIRE. UK
.sapphire. UK = SAPPHIRE. UK

openFire.xml:

<?xml version="1.0" encoding="UTF-8"?> 9090 9091 en true 5 org.jivesoftware.database.EmbeddedConnectionProvider GSSAPI SAPPHIRE. UK true C:/Program Files/Openfire/conf/gss.conf false true

DNS:

Reverse lookup

141.11.12.6 Pointer(PTR) sid-fs.sapphire. uk
141.11.12.6 Pointer(PTR) xmpp/sid-fs.sapphire. uk
xmpp/141.11.12.6 Host(A) 141.11.12.6

Forward lookup zone -

Sapphire. Uk
SID-FS Host(A) 141.11.12.6
SID-DC01 Host(A) 141.11.12.1
_tcp
_xmpp-client service location [0][0][5222] sid-fs.sapphire. uk
_xmpp-server service location [0][0][5269] sid-fs.sapphire. uk

I’ve added the registry pokes for allowing Java and also the extra group policies for allowing the different encryption types.
AllowTGTSessionkey DWORD = 1

Many thanks for any help someone can give, and sorry if I’ve missed anything above.

You may be interested in this.

Hi!

I built this tutorial:

But it’s for FreeBSD. However, I’m building one for Windows Server (I already set up an environment; working perfectly).

Any questions, contact me. Ricardo Xerfan.

Hi Speedy

Thanks for the reply. This was probably the 3rd installation guide I’ve used, but anyway, I removed all previous installs and configs and started again. Tried to connect with Spark and had exactly the same error message as in the original post above. Still at a loss as to what to try next.

Cheers

Today should be a pretty slow day for me. If you want to get a screen share session going, I’d be happy to take a look.

Hi Speedy, would love to but I think we may be in different countries with completely different time zones. I’m writing this just about to go to bed lol.
Also not allowed to connect this network to the internet for security reasons.

No worries. You may give the video another watch; I think I set it up using Windows 2016 and Windows 10.

In the login window in Spark, if you go to Advanced > SSO, does it say ‘This will use the Desktop Account for “@” to login to the server’?

Also, I know if you have Windows 10 Enterprise and Credential Guard activated, SSO won’t work (as it can’t get the Kerberos ticket).

Hi Alex

I’m on annual leave so doing this from memory. I believe it has the domain name after the @, 95% sure. Also I did read about Credential Guard with Windows 10, so have already done the reading up and turned it off in group policy.

Speedy, yes I’ve watched that video a lot of times now and have tried setting up Openfire on multiple different servers (not at the same time) on the domain. The error message remains the same on the client side. With the keytab domain user account, do I set the logon account as xmpp/xmpp@sapphire.uk or just keytab? So many different guides. Also the video doesn’t mention changing the two Java files when using Java 8 (think it’s the enhanced security/encryption files).

Cheers for help

Dave

Looking at your above file examples, and what I put in the video… you have deviated a good bit.

You have chosen to create a keytab file using AES 128, but your krb5.ini is limited to RC4. Because of this, it will not work.

Your gss.conf file doesn’t look like mine in regards to the principal being used. This will cause things not to work correctly.

I’d suggest going over the video again, and doing exactly what I did. It doesn’t look like you followed the video or the companion guide.

Here’s some bits I had: Openfire SSO Issue?

Before attempting SSO does LDAP/AD username/password work with spark?

Although I have it now working with CentOS but it’s basically all the same. The principal is super important as that is the dns name that the client HAS to connect with. I’d also recommend doing an ‘A’ record rather than a CNAME record, and double checking the reverse dns ptr entry also shows the fqdn of the principal name.

In my krb5.conf/ini file I wouldn’t include the types (they actually recommend you -don’t- include them, unless you need to use older types):

default_tgs_enctypes
    Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in
    order of preference from highest to lowest. The list may be delimited with commas or whitespace. See Encryption_types
    in kdc.conf(5) for a list of the accepted values for this tag. The default value is aes256-cts-hmac-sha1-96
    aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
    des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if the value of allow_weak_crypto
    is false.

As such… you might be alright with just the following:

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = SAPPHIRE.UK
[realms]
 SAPPHIRE.UK = {
 }

[domain_realm]
 sapphire.uk = SAPPHIRE.UK
 .sapphire.uk = SAPPHIRE.UK

For gss.conf, I’d have:

com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/opt/openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        isInitiator=true
        debug=true
        realm="SAPPHIRE.UK"
        principal="xmpp/openfire.sapphire.uk";
};

Then in system properties in the openfire web console:

sasl.gssapi.config               /opt/openfire/conf/gss.conf
sasl.gssapi.useSubjectCredsOnly  false
sasl.realm                       SAPPHIRE.UK
xmpp.domain                      sapphire.uk
xmpp.fqdn                        openfire.sapphire.uk

In your configs, I also notice you have a space between SAPPHIRE. and UK - is this intentional on your part?

The other mistake I made was being too impatient for spn/keytab/password changes to replicate around the domain controllers.

If you get desperate (I did!) there’s also a way to run the openfire server in a console mode which shows the dark secrets of the kerberos stuff and where it might be failing! I’ll have to dig the full command up. But hope this kinda helps!
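A consistency check that follows from the points raised in the replies above (an AES keytab versus an RC4-only krb5.ini, a gss.conf principal that does not match the keytab SPN, and whitespace inside the realm name). This is an added example, not code from the thread or from Openfire; the sample configs and the ktpass-to-krb5 enctype name mapping are constructed assumptions.

```python
import re

# Constructed inputs modelled on the thread's configs; they deliberately carry the faults the replies name.
KTPASS_CMD = ("ktpass -princ xmpp/sid-fs.sapphire.uk@SAPPHIRE.UK -mapuser keytab@sapphire.uk "
              "-crypto AES128-SHA1 -pass * -ptype KRB5_NT_PRINCIPAL -out c:\\xmpp.keytab")
GSS_CONF = '''com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab" realm="SAPPHIRE. UK"
    principal="xmpp/sid-fs.sapphire.uk";
};'''
KRB5_INI = '''[libdefaults]
default_realm = SAPPHIRE.UK
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
'''
KTPASS_TO_KRB5 = {"AES128-SHA1": "aes128-cts-hmac-sha1-96",  # assumed ktpass -> krb5 enctype names
                  "AES256-SHA1": "aes256-cts-hmac-sha1-96", "RC4-HMAC-NT": "rc4-hmac"}

def parse_krb5_libdefaults(text):
    """Return key->value for the [libdefaults] section of a krb5.ini/krb5.conf."""
    section, out = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            out[k.lower()] = v
    return out

def parse_gss_conf(text):
    """Return option->value pairs of a JAAS login-module entry, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+?)(?=[\s;])', text)}

def check_sso_config(ktpass_cmd, gss_conf, krb5_ini):
    """Cross-check keytab, gss.conf and krb5.ini; return the list of inconsistencies found."""
    problems, lib, gss = [], parse_krb5_libdefaults(krb5_ini), parse_gss_conf(gss_conf)
    keytab_princ, crypto = re.search(r"-princ\s+(\S+).*-crypto\s+(\S+)", ktpass_cmd).groups()
    keytab_enctype = KTPASS_TO_KRB5.get(crypto.upper(), crypto.lower())
    for name in ("realm", "principal"):                 # "SAPPHIRE. UK" is not a valid realm name
        if re.search(r"\s", gss.get(name, "")):
            problems.append(f"gss.conf {name} contains whitespace: {gss[name]!r}")
    gss_princ = gss.get("principal", "")
    if "@" not in gss_princ:                            # Krb5LoginModule appends default_realm
        gss_princ += "@" + lib.get("default_realm", "")
    if gss_princ != keytab_princ:                       # keytab SPN must equal the accept principal
        problems.append(f"principal mismatch: gss.conf {gss_princ!r} vs keytab {keytab_princ!r}")
    permitted = lib.get("permitted_enctypes", "").replace(",", " ").split()
    if permitted and keytab_enctype not in permitted:   # AES keytab, but krb5.ini only allows RC4/DES
        problems.append(f"keytab enctype {keytab_enctype} not in permitted_enctypes {permitted}")
    return problems
```

Running `check_sso_config(KTPASS_CMD, GSS_CONF, KRB5_INI)` on the constructed inputs reports the whitespace in the realm and the AES-versus-RC4 enctype mismatch; with those two corrected it returns an empty list.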

Hi Speedy, many thanks again for helping me with this. I had followed the video exactly and this did not work, so I started varying things to see if something would work. Anyway, finally got the client to log in using SSO through DNS. Not sure what fixed this, maybe after the 50th install Spark/Openfire automatically just works (sorry lol). It may have possibly been changing XMPP.FQDN from SID-APP.Sapphire.uk to XMPP.Sapphire.uk, I’m not sure. Anyway, all working now :)

Just in case this is useful or correct:
DNS
Forward lookup zone:
_xmpp-client Service Location [0][5][5222] xmpp.sapphire.uk
_xmpp-server Service Location [0][5][5269] xmpp.sapphire.uk

Reverse lookup zone
xmpp.sapphire.uk HOST(A) 141.11.12.3

gss.conf:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
isInitiator=false
debug=true
useKeyTab=true
realm="SAPPHIRE.UK"
principal="xmpp/xmpp.sapphire.gov.uk@SAPPHIRE.UK";
};

krb5.ini:

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = SAPPHIRE.UK

[realms]
SAPPHIRE.UK = {
kdc = sid-dc02.sapphire.uk
admin_server = sid-dc02.sapphire.uk
default_domain = sapphire.uk
}
[domain_realms]
sapphire.uk = SAPPHIRE.UK
.sapphire.uk = SAPPHIRE.UK

openfire.xml:

<?xml version="1.0" encoding="UTF-8"?> 9090 9091 en true 5 org.jivesoftware.database.DefaultConnectionProvider true GSSAPI c:\Program Files\Openfire\conf\gss.conf net.sourceforge.jtds.jdbc.Driver jdbc:jtds:sqlserver://sid-app.sapphire.uk:2433:/SQLEXPRESS;appName=Openfire not writing that here not writing that here select 1 false false 5 25 1.0

Again speedy, thanks for your help

That error looks to be an issue with your database connection.
Try something like this:
jdbc:jtds:sqlserver://sqlhostnameOrIP:port:/databasename>;instance=instancename

Hey Speedy, not sure why that error is there, must have copied and pasted from the wrong file. That was meant to show the contents of my Openfire.xml. Will paste that below. I had already put exactly what you said above:
jdbc:jtds:sqlserver://sid-app.sapphire.uk:2433:/SQLEXPRESS;appName=Openfire

One thing I forgot to mention. When I managed to get Spark connecting on my client machine I thought it was all working. I started installing on other clients and none worked; all came up with the same error message. I managed to resolve this by installing MIT Kerberos Ticket Manager, which I had forgotten I had installed on my machine whilst trying the many attempts to get Spark/Openfire working. Also I’m using the nightly build of Spark (2_9_0-20180904 with Java). Love the way the logs are now integrated into the program rather than having to open a log file every time.

openfire.xml:

<?xml version="1.0" encoding="UTF-8"?> 9090 9091 en true 5 org.jivesoftware.database.DefaultConnectionProvider true GSSAPI c:\Program Files\Openfire\conf\gss.conf net.sourceforge.jtds.jdbc.Driver jdbc:jtds:sqlserver://sid-app.sapphireuk:2433:/SQLEXPRESS;appName=Openfire a username a password select 1 false false 5 25 1.0