SSO is no fun :(, please help

I work for a midsized manufacturing company here in Lexington KY. When I started here one of the things I was tasked with was to find better ways for all the employees to communicate, enter Openfire and Spark.

The goals when I started this project were as follows.

  1. Install Openfire and have it authenticate with AD.

  2. Get SSO working so that they only have to login to Windows for everything to work.

  3. Deploy Spark using group policy to all the machines in the building.

So far the only step I have been able to successfully complete is step 1, which brings me here. I have done the following in an attempt to make SSO work. I did everything on this document:

and this one:

I got no errors when doing any of this, everything seemed to work perfectly until I tried to log in with Spark and got the error:

“Unable to connect using Single Sign On. Please check your principal and server settings”.

Once I got this I went back and checked every step to make sure I had it right and as far as I can tell I do. I then started to check the error logs and that's when I found this error in the Openfire warn.log:

"Caused by: GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
    at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)
    at sun.security.jgss.GSSNameImpl.init(Unknown Source)
    at sun.security.jgss.GSSNameImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)"

So, after reading this error I thought "well that error makes sense, I must have forgotten to put the krb5.ini file on the server or on the client". What is weird is that when I went to c:\WINDOWS\, krb5.ini was right there in front of my face. So I went and checked the client I was testing with and once again krb5.ini was in the correct place.

This has totally stumped me, it's saying it can't find the file but it is there. Anybody had this happen before, or have any suggestions?

Thanks in advance.

It could be a permissions issue with the krb5.ini. I also attached the doc I use as a guide for 2 successful configs of openfire using SSO.

Thanks for the quick reply mststravel, I checked the permissions and they seem to be correct. Thanks for the link to your guide, I actually went through your guide as well and get the same error.

What OS is the server running on?

Server is Windows 2003 and clients are XP SP2. I did all the registry changes too - are there additional registry changes I need to make to the server?

It could be that your krb5.ini is actually configured wrong, not that it can not find it.

Thanks again for the reply. Below is my krb5.ini config:

[libdefaults]
default_realm = HUNTER.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
HUNTER.LOCAL = {
kdc = hunterdc1.hunter.local
admin_server = hunterdc1.hunter.local
default_domain = hunter.local
}

[domain_realm]
domain.com = HUNTER.LOCAL
.domain.com = HUNTER.LOCAL

It all looks right to me, but of course I could be wrong.
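To check a krb5.ini for the kind of mistakes this thread turns on before rebooting anything, here is an added Python checker (not from the original post and not part of Openfire or Spark): it parses the poster's config, embedded as sample input with the section headers restored, and flags missing section headers, a default_realm with no [realms] entry, and any [domain_realm] mapping whose DNS domain is not the one the realm's kdc or default_domain actually live in.

```python
# Sample input: the poster's krb5.ini from this thread with section headers restored.
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = HUNTER.LOCAL
[realms]
HUNTER.LOCAL = {
kdc = hunterdc1.hunter.local
default_domain = hunter.local
}
[domain_realm]
domain.com = HUNTER.LOCAL
.domain.com = HUNTER.LOCAL
"""

def parse_krb5(text):
    # {section: {key: value}}; a "REALM = { ... }" block becomes a nested dict.
    conf, section, block = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif section is None:
            raise ValueError("key outside any [section]: %r" % line)
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = conf[section].setdefault(key, {})
            else:
                (block if block is not None else conf[section])[key] = value
    return conf

def lint_krb5(text):
    # Findings: missing headers, undefined default_realm, and [domain_realm]
    # entries whose DNS domain does not contain the realm's kdc/default_domain.
    try:
        conf = parse_krb5(text)
    except ValueError as exc:
        return [str(exc)]
    findings = ["missing [%s] section" % s for s in ("libdefaults", "realms", "domain_realm") if s not in conf]
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm not in realms:
        findings.append("default_realm %r has no [realms] entry" % default_realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        entry, suffix = realms.get(realm, {}), domain.lstrip(".").lower()
        hosts = [h for h in (entry.get("default_domain"), entry.get("kdc")) if h]
        if not any(h.lower().endswith(suffix) for h in hosts):
            findings.append("[domain_realm] %s -> %s: neither kdc nor default_domain is under %s" % (domain, realm, suffix))
    return findings
```

Java's Kerberos provider reads the file named by the java.security.krb5.conf system property and otherwise falls back to C:\WINDOWS\krb5.ini on Windows, so run the checker against that copy on both server and client.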

This is mine:

[libdefaults]
default_realm = DOMAIN.COM
noaddresses = true

[realms]
DOMAIN.COM = {
kdc = pdcserver.domain.com
default_domain = domain.com
}

I have changed mine to make it look like yours and still no help, below is what I have now.

[libdefaults]
default_realm = HUNTER.LOCAL
noaddresses = true

[realms]
HUNTER.LOCAL = {
kdc = hunterdc1.hunter.local
default_domain = hunter.local
}

This change did not work, so I checked the warn.log again and see the same error, but I do not know if that is the problem, as the log looks the same, so it might be an old error.

I then checked my Spark error logs on my client machine and found the error below in the error.log.

Mar 25, 2008 1:01:05 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
XMPPError connecting to :5222.: remote-server-error(502) XMPPError connecting to :5222.
-- caused by: java.net.ConnectException: Connection refused: connect
    at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:830)
    at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1276)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:822)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:

Hopefully this error will be of more help, it looks to me like it's being blocked for some reason, but I can log in when not using SSO with the same login credentials.

Also, just a general question (possibly a stupid one). I never told Spark or Openfire where to find krb5.ini, so how does it know where to look for it in the first place? Thanks again for all your help thus far :).

I am not sure, but I think Windows by default looks in the Windows directory for the krb5.ini. Could you also post a copy of your openfire.xml from your server? Also, what program did you use to create your config files (krb5.ini, etc.)?

It may be easier to diagnose the issue if you attached the config files you created so we can look at them. Edit them for security as needed.

I used Notepad to create my .ini, wasn't sure if this was right but none of the guides I saw said anything different and I have used Notepad before for such things so I assumed this would work. Below you will find my openfire.xml file, and below that you will find my gss.conf file as well.

edit: am attaching files now.

Thanks again for taking the time to look at this - I've been about ready to pull my hair out lol.

I made some minor modifications to the openfire.xml; the others looked right, except that when I downloaded them they had double extensions, .ini.txt and .conf.txt. I reattached all 3.

I downloaded all three of those and replaced what I had with them. I still get the same error when I start Spark, but when I look in the Spark logs what I see is below:

javax.security.sasl.SaslException: GSS initiate failed
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 9 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.PAData.<init>(Unknown Source)
    at sun.security.krb5.internal.KRBError.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 12 more

Mar 25, 2008 2:08:38 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

I also looked at the Openfire logs, but none of them seem to have changed.

At this point you may need to put back your encryption strings in the krb5.ini. Also, I would clear the logs of the server before each attempt for fresh errors. Have you rebooted after changing the .ini files as well (both server and client)?

Ok, I have put the encryption strings back in, cleared the logs for server and client and rebooted both machines. I am still getting the same error in Spark. Below are the errors I see in the logs.

Spark user logs:

Mar 25, 2008 2:36:46 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Spark logs in Program Files:

javax.security.sasl.SaslException: GSS initiate failed
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 9 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.PAData.<init>(Unknown Source)
    at sun.security.krb5.internal.KRBError.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 12 more

Mar 25, 2008 2:36:46 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

And I don't have any errors in the Openfire server logs, all of those are ok.

Just to check, are the server's debug logs enabled? If not, turn them on and try again to generate an error. If Spark is throwing these errors there should be something on the server.

I cleared everything out and restarted Openfire and this time it generated some info for the error.log before I tried to log on with Spark; the error info is below.

    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
2008.03.25 15:21:34 [org.jivesoftware.util.LocaleUtils.getLocalizedString(LocaleUtils.java:435)]
java.util.MissingResourceException: Can't find bundle for base name archive-1.0.4_i18n, locale en
    at java.util.ResourceBundle.throwMissingResourceException(Unknown Source)
    at java.util.ResourceBundle.getBundleImpl(Unknown Source)
    at java.util.ResourceBundle.getBundle(Unknown Source)
    at org.jivesoftware.util.LocaleUtils.getLocalizedString(LocaleUtils.java:431)
    at org.jivesoftware.util.LocaleUtils.getLocalizedString(LocaleUtils.java:398)
    at org.jivesoftware.admin.AdminConsole.getAdminText(AdminConsole.java:221)
    at org.jivesoftware.admin.SidebarTag.doEndTag(SidebarTag.java:214)
    at org.jivesoftware.openfire.admin.decorators.main_jsp._jspx_meth_admin_sidebar_0(main_jsp.java:316)
    at org.jivesoftware.openfire.admin.decorators.main_jsp._jspService(main_jsp.java:167)

When I started Spark and tried it I still got the same error but no information in the error logs.

I am sorry to say we are starting to reach the end of my knowledge level. That last error has me more than a little confused. Maybe one of the other community members or a Jive staff member can help further. I am sorry I could not resolve this for you.