SSO Error (KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)

I work for a local government agency, and am evaluating Openfire for potential use on four of our domains. Among other requirements, usernames/passwords must be handled via LDAP to each domain’s Active Directory, and SSO is a must. All domains have at least one Windows 2003 server. I’m currently using one of the domains for testing in our IT office.

I installed Openfire, configured it to use our LDAP directory, and tested it to make sure that I could log in, send messages, etc. Everything seemed to be working properly at that point. Then I tried to set up SSO via GSSAPI/Kerberos. I encountered several problems along the way, most of which I think that I resolved by searching through previous threads on this forum. Now I’m stumbling upon another issue, and I’m not quite sure what I need to do to fix it.

Whenever I try to log into Spark with SSO enabled, I get an error message: “Unable to connect using Single Sign-On. Please check your principal and server settings.” Below are log files that might prove helpful for this:

Openfire Warn Log:

2008.05.30 07:35:34 SaslException
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:231)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:148)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:180)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
... 23 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 26 more

Openfire Output:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/program files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/fairsrvr2.domain.example.us@domain.example.us tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
principal is xmpp/fairsrvr2.domain.example.us@domain.example.us
EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 17 A3 71 32 0B 6B C3 E4   FB 17 CA C9 81 27 72 CE  ..q2.k.......'r.
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@domain.example.us
Key Version 10
key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 17 A3 71 32 0B 6B C3 E4   FB 17 CA C9 81 27 72 CE  ..q2.k.......'r.
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@domain.example.us to Subject
Commit Succeeded

Spark\logs\output.log

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is astemen@domain.example.us
Commit Succeeded

Spark\logs\error.log

May 30, 2008 8:13:41 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

c:\windows\krb5.ini (on both the server and the workstation)

[libdefaults]
default_realm = DOMAIN.EXAMPLE.US

[realms]
domain.example.us = {
kdc = fairsrvr2.domain.example.us
admin_server = fairsrvr2.domain.example.us
default_domain = domain.example.us
}

[domain_realms]
domain.example.us = DOMAIN.EXAMPLE.US
.domain.example.us = DOMAIN.EXAMPLE.US

Does anyone have any suggestions for what I might look at or do to resolve the errors reflected in the Openfire warn log?

Thanks!

Was SSO ever working for you?

If it was:

Check out the account associated with the Kerberos principal for the server. It's likely something changed, like someone reset a password, regenerated a key, or something.

If not:

Let us know what steps you took to create the keytab on Openfire; something went wrong.

No, I’ve never gotten SSO to work with Openfire.

To create the keytab, I did the following:

1 - create the account “xmpp-openfire” in cn=users

2 - change properties, set password never expires, user cannot change password, Use DES encryption types for this account

3 - change password to new password

4 - run “setspn -A xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US xmpp-openfire”

5 - run “ktpass -princ xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US -mapuser xmpp-fairsrvr2 -pass * -ptype KRB5_NT_PRINCIPAL -out jabber.keytab”

6 - run “ktab -k xmpp.keytab -a xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US”

Steps 5 and 6 should be redundant and at least one should work, but neither does. When I use the keytab generated by ktpass, I get the errors I previously specified. If I use the keytab generated by ktab, then I get this:

Openfire warn log:

2008.05.30 11:38:53 SaslException
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:231)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:148)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:180)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
... 23 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 26 more

Openfire console output:

Openfire 3.5.1 [May 30, 2008 11:38:41 AM]
Admin console listening at:
  http://fairsrvr2.domain.example.us:9090
  https://fairsrvr2.domain.example.us:9091
Starting Monitoring Plugin
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/program files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
principal is xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 70 E0 1B 71 CD C8 72 29   50 37 00 BA 12 BC 3E 84  p..q..r)P7....>.
0010: EF CD 2D C3 8E F9 FB 7A   CF 72 DB 93 10 35 76 56  ..-....z.r...5vV
EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4F CA FB D8 2C AF BC A4   89 4C DA 98 6D 2C 0F 83  O...,....L..m,..
EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 52 92 E6 CE 4F B9 D5 C2   89 64 6B DF 32 F8 C1 51  R...O....dk.2..Q
0010: 6E 61 58 9E DC 1A E3 7F
EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: A9 91 AE 45 AA 98 7A 1A   48 C8 BD C1 20 9F F0 E7  ...E..z.H... ...
EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 45 85 F4 62 EA 19 8C 31
EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 45 85 F4 62 EA 19 8C 31
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 70 E0 1B 71 CD C8 72 29   50 37 00 BA 12 BC 3E 84  p..q..r)P7....>.
0010: EF CD 2D C3 8E F9 FB 7A   CF 72 DB 93 10 35 76 56  ..-....z.r...5vV
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4F CA FB D8 2C AF BC A4   89 4C DA 98 6D 2C 0F 83  O...,....L..m,..
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 52 92 E6 CE 4F B9 D5 C2   89 64 6B DF 32 F8 C1 51  R...O....dk.2..Q
0010: 6E 61 58 9E DC 1A E3 7F
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: A9 91 AE 45 AA 98 7A 1A   48 C8 BD C1 20 9F F0 E7  ...E..z.H... ...
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 45 85 F4 62 EA 19 8C 31
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Added server's key
Kerberos Principal xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US
Key Version 1
key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 45 85 F4 62 EA 19 8C 31
[Krb5LoginModule] added Krb5Principal  xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US to Subject
Commit Succeeded
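The first warn log says Openfire needed a des-cbc-md5 (keyType=3) key to decrypt the client's ticket, while the ktpass keytab it loaded held only a keyType=23 (rc4-hmac) key with kvno 10. As an added example, not code from this thread or from Openfire, here is a small parser for the version-2 keytab format that lists each entry's principal, kvno and enctype, so a keytab can be checked for a key of the type the client will use (and its kvno compared with what the KDC reports) before restarting the server; the SAMPLE_KEYTAB bytes and key values are constructed, and the enctype name table is assumed from the standard enctype numbers.

```python
import struct
# Kerberos enctype numbers as they appear in the keyType= log lines above
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(data, p):
    """Read a counted octet string (uint16 length + bytes) at offset p."""
    (n,) = struct.unpack(">H", data[p:p + 2])
    return data[p + 2:p + 2 + n].decode("utf-8"), p + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT-format keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0: pos -= size; continue      # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c)
        _name_type, _ts, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                         # skip the key bytes themselves
        vno = (struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0) or vno8  # 32-bit kvno trailer wins
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": etype, "name": ENCTYPE_NAMES.get(etype, str(etype))})
        pos = end
    return entries

def has_key_for(entries, principal, enctype):
    """True if the keytab holds a key that could decrypt a ticket of this enctype."""
    return any(e["principal"] == principal and e["enctype"] == enctype for e in entries)

def build_entry(principal, kvno, etype, key):
    # serialise one entry; used here only to construct sample data, never real keys
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample like the ktpass keytab above: one rc4-hmac (keyType=23) key, kvno 10
SPN = "xmpp/fairsrvr2.domain.example.us@DOMAIN.EXAMPLE.US"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 10, 23, b"\x11" * 16)
```

Run `parse_keytab(open("jabber.keytab", "rb").read())` to see what Openfire will actually load; an "Integrity check on decrypted field failed" with a key of the right enctype present usually means that key does not match the KDC's (different password or salt, or a stale kvno), rather than a missing enctype.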

… bump?