I work for a local government agency, and am evaluating Openfire for potential use on four of our domains. Among other requirements, usernames/passwords must be handled via LDAP to each domain’s Active Directory, and SSO is a must. All domains have at least one Windows 2003 server. I’m currently using one of the domains for testing in our IT office.
I installed Openfire, configured it to use our LDAP directory, and tested it to make sure that I could log in, send messages, etc. Everything seemed to be working properly at that point. Then I tried to set up SSO via GSSAPI/Kerberos. I encountered several problems along the way, most of which I think I resolved by searching through previous threads on this forum. Now I’m stumbling upon another issue, and I’m not quite sure what I need to do to fix it.
Whenever I try to log into Spark with SSO enabled, I get an error message: “Unabled to connect using Single Sign-On. Please check your principal and server settings.” Below are log files that might prove helpful for this:
Openfire Warn Log:
2008.05.30 07:35:34 SaslException
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:231)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:148)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:180)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
... 23 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 26 more
Openfire Output:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/program files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/fairsrvr2.domain.example.us@domain.example.us tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
principal is xmpp/fairsrvr2.domain.example.us@domain.example.us
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 17 A3 71 32 0B 6B C3 E4 FB 17 CA C9 81 27 72 CE ..q2.k.......'r. Added server's keyKerberos Principal xmpp/fairsrvr2.domain.example.us@domain.example.usKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 17 A3 71 32 0B 6B C3 E4 FB 17 CA C9 81 27 72 CE ..q2.k.......'r. [Krb5LoginModule] added Krb5Principal xmpp/fairsrvr2.domain.example.us@domain.example.us to Subject
Commit Succeeded
Spark\logs\output.log
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is astemen@domain.example.us
Commit Succeeded
Spark\logs\error.log
May 30, 2008 8:13:41 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
c:\windows\krb5.ini (on both the server and the workstation)
[libdefaults]
default_realm = DOMAIN.EXAMPLE.US
[realms]
domain.example.us = {
kdc = fairsrvr2.domain.example.us
admin_server = fairsrvr2.domain.example.us
default_domain = domain.example.us
}
[domain_realms]
domain.example.us = DOMAIN.EXAMPLE.US
.domain.example.us = DOMAIN.EXAMPLE.US
Does anyone have any suggestions for what I might look at or do to resolve the errors reflected in the Openfire warn log?
Thanks!
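Added example, not code from Openfire, Spark or the poster: the Openfire debug output above reports the keytab key as keyType=23 (rc4-hmac), while the exception complains that no key of the right type exists to decrypt a DES CBC mode with MD5 (enctype 3) AP-REQ. The script below parses an MIT version-0x0502 keytab (the format ktpass and ktutil write), lists each principal's kvno and encryption type, and reports the same kind of mismatch the JGSS error describes. The principal name and kvno 10 are taken from the post; the key bytes, the timestamp and the in-memory sample keytab are constructed for the example, and only the v2 big-endian layout is handled.

```python
import struct

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
KRB5_NT_PRINCIPAL = 1  # name type written for service principals


def _counted(raw: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key, timestamp) tuples into a
    version-0x0502 (MIT v2, big-endian) keytab image."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version-0x0502 keytab into a list of dicts, one per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 keytabs are handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:  # the 32-bit kvno, when present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key": key,
        })
    return entries


def explain_mismatch(entries, principal: str, ticket_enctype: int):
    """Return None when the keytab holds a key of ticket_enctype for principal,
    otherwise a one-line explanation of what is missing and what is present."""
    have = {e["enctype"] for e in entries if e["principal"] == principal}
    if ticket_enctype in have:
        return None
    present = ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in sorted(have)) or "none"
    wanted = ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype))
    return f"no {wanted} key for {principal}; keytab holds: {present}"


# Constructed sample: the principal and kvno from the post, with a made-up key.
SAMPLE_PRINCIPAL = "xmpp/fairsrvr2.domain.example.us@domain.example.us"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 10, 23, bytes(range(16)), 1212140000)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print(explain_mismatch(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL, 3))
```

To inspect a real file, pass its contents to parse_keytab (for example the jabber.keytab path named in the Openfire output); the key bytes are printed nowhere by default, which keeps the tool safe to run on a production keytab. The point of the check is that the acceptor can only use a key whose enctype matches the one the KDC chose for the service ticket, so a keytab with only rc4-hmac cannot decrypt a ticket issued with des-cbc-md5.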