SSO is no fun :(, please help

Yea I figured we were getting close ;)…Thanks for your time and help mtstravel. Anybody else out there wanna give it a stab?

edit:

It should be noted that everything works as it has for quite some time even though I have that error - SSO still doesn’t work, but you can still log in normally and chat with no problems.

my krb ini file looks like this

    [libdefaults]
        default_realm = REALM.COM
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    [realms]
        REALM.COM = {
            kdc = kdc1.domain.com
            admin_server = kdc1.domain.com
            default_domain = domain.com
        }

    # the krb5 parser expects this section name in the singular, [domain_realm];
    # a [domain_realms] section is silently ignored
    [domain_realm]
        domain.com = REALM.COM
        .domain.com = REALM.COM

where I noticed yours doesn’t have the line admin_server or the section domain_realms.

also, have you checked your keytab entry in Active Directory (I am assuming you are using AD)? I had problems when there was more than one SPN for a username (and me testing over and over kept creating more and more)

log onto a dc and run

#setspn -l username_created_for

I would try and delete it and recreate the keytab

setspn -d xmpp/your.servername.com@YOURDOMAIN username_created_for

then recreate it using the documentation you linked from.

I also had much better luck adding these strings to my spark properties file %userprofile%\spark\spark.properties

    ssoMethod=string
    ssoRealm=string
    ssoKDC=string
    ssoAdv=*boolean*

that way it tells spark explicitly what to use and it doesn’t have to go searching for a file outside of its dir. also if you do nslookup on the server does it return more than one name (in windows you may have to do it more than once) and do you get the same results on the client?

Ok, I changed the settings in my krb5.ini, I checked my keytab and I did have two entries so I deleted them and recreated my keytab, and I deleted the logs for spark and openfire. I then started the server and then started spark. I still get the same error I did before in spark, but the only log that has an error is the spark log and it gives the error below.

    Mar 25, 2008 7:29:35 PM org.jivesoftware.spark.util.log.Log warning
    WARNING: Exception in Login:
    not-authorized(401)
        at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
        at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
        at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
        at java.lang.Thread.run(Unknown Source)

The only thing I didn’t do was change spark.properties because I was unsure of exactly what to do with that. Thanks for the advice j

ssoMethod=manual

ssoRealm=DOMAINNAME.IN.ALL.CAPS

ssoKDC=fqdn.of.your.dc

ssoAdv=true

those are the settings in my spark.properties.

Also check your openfire debug.log as well as error.log and warn.log

the not-authorized was also the problem I was having and it seemed to be related to my dns settings and that my openfire server had multiple names, which kerberos doesn’t like.

I added those options and did see what they do inside spark and the information in there was correct but I still get the error in spark. I checked my dns and there was a duplicate forward record which I deleted and it still didn’t work. I didn’t notice one thing that is odd. If I start spark with nothing but the settings you gave me in the spark.properties file and then type my password in, then hit the “advanced” button set sso, then hit login I can connect. It looks like it’s using sso but isn’t, I assume this is probably just a mistake in the way it appears. Anyway, after much testing the only error in any log is the unauthorized error I mentioned before.

Just out of curiosity, is this generally this difficult to make happen? I’m beginning to feel like a dunce!

Thanks again for the help guys. I’m going to bed, been working on this all day.

The only way I was ever able to get SSO to work is to make sure that the name you gave the chat server during setup matches the Fully Qualified Domain Name of the server which matches the bind name of the server in Active Directory.

For example:

This means that the windows computer name = chatserver

The bind name = chatserver.domain.com

Openfire server name = chatserver.domain.com

AD DNS a record for the server is chatserver.domain.com

This process can be very difficult depending on your AD config. You may have inadvertently complicated things by keeping the default domain .info. MS says that it is not recommended to ever use that as a production domain. I do not know if that will have any bearing on your success here.

I also had a problem where I originally named my chat server chat.tld.com. My clients were all connecting as client.domain.tld.com and when they would connect to openfire, openfire was trying to do a dns lookup for the client using tld.com as the search, and would fail. I have since changed my name to chat.domain.tld.com and now dns lookups can find client.domain.tld.com and sso works.

not sure if this is the case for you. I also had a pretty easy time setting this up on my test server but a very difficult time migrating it to live. good luck and just keep at it.

Well I’ve decided to try this a different way. I’m going to setup a new server and client using vmware and start from scratch with the instructions provided by mtstravel. I’ll let you all know how it goes. Thanks for the help .

I have started over here following your instructions mtstravel and have already hit a snag. When I generated my keytab file it worked but gave the following message:

" WARNING: pType and account type do not match. This might cause problems."

Despite the warning message it did create the keytab. I stopped at this point to ask here if it would cause problems and if I need to fix this before I proceed.

If it is a problem and does need to be fixed before proceeding, what exactly is the issue? The message doesn’t really tell me much. Also, do you know what the fix is, if indeed a fix does need to be put in place before proceeding?

I don’t think that’s a problem. I did notice when I ran ktpass that was installed on my dc it seemed to be a different version than the resource tools I installed on my computer. The one on my computer didn’t get that message but the one installed on my dc did. I couldn’t tell that it made a difference for a spn.

Well I have followed all the instructions provided by mtstravel and am still having similar issues. When I try to SSO it acts like it is going to work because it takes much longer to give the error. When I check all the logs I get two errors that are related. The first error is in the spark error log and is below:

    Apr 3, 2008 10:25:03 AM org.jivesoftware.spark.util.log.Log warning
    WARNING: Exception in Login:
    java.lang.NullPointerException
        at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
        at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
        at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
        at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
        at java.lang.Thread.run(Unknown Source)

This error is similar to some of the other ones I had but gives no real indication of what the problem is. Right now it seems like I am very close to having this working, it seems as though I am just missing one small piece of the puzzle.

The second error is in the openfire error log and is below:

    2008.04.03 10:43:06 [org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:134)] Closing connection due to error while processing message: <auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">AHNtYXNvbgA=</auth>
    java.util.NoSuchElementException
        at java.util.StringTokenizer.nextToken(Unknown Source)
        at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerPlainImpl.java:109)
        at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:229)
        at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
        at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
        at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
        at java.lang.Thread.run(Unknown Source)

I have never seen the error from the openfire logs, but I think if I can figure out why I get that error and can fix it then everything else should work and I should be up and running! Thanks again for the help guys - hope to hear back from you soon
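The base64 blob inside the `<auth mechanism="PLAIN">` element in that Openfire error can be decoded to see what the client actually sent, which is the quickest way to tell a failed GSSAPI negotiation from a credential problem. The script below is an added example, not code from this thread or from Openfire or Spark. It decodes a SASL PLAIN initial response as laid out in RFC 4616 (authzid NUL authcid NUL password) and separately emulates a NUL-delimited `java.util.StringTokenizer`, which drops empty tokens; that emulation is my reading of the stack trace (`StringTokenizer.nextToken` throwing inside `SaslServerPlainImpl.evaluateResponse`), not quoted Openfire source. The "alice"/"s3cret" sample is constructed; the other blob is the one from the log above.

```python
import base64

def encode_sasl_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build a SASL PLAIN initial response (RFC 4616) and base64 it the way it
    appears inside an XMPP <auth mechanism="PLAIN"> element."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")

def parse_sasl_plain(blob_b64: str) -> dict:
    """Split a PLAIN blob into its three fields. RFC 4616 requires exactly two
    NUL separators; authzid and password may be empty strings."""
    raw = base64.b64decode(blob_b64)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"malformed PLAIN response, expected 2 NULs: {raw!r}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}

def openfire_plain_tokens(blob_b64: str) -> list:
    """Emulate java.util.StringTokenizer(data, "\\0"): empty tokens vanish, so a
    blob with an empty password yields fewer tokens than the server expects and
    the next nextToken() call raises NoSuchElementException (assumed reading of
    the trace in the thread, not Openfire's actual source)."""
    raw = base64.b64decode(blob_b64)
    return [p.decode("utf-8") for p in raw.split(b"\x00") if p]

def diagnose(blob_b64: str) -> str:
    """Return a one-line explanation of what the client sent."""
    fields = parse_sasl_plain(blob_b64)
    tokens = openfire_plain_tokens(blob_b64)
    if fields["authcid"] == "":
        return "PLAIN response carries no authentication id"
    if fields["passwd"] == "":
        return (f"client sent PLAIN for {fields['authcid']!r} with an empty password; "
                f"NUL tokenizing leaves only {tokens}, so the server runs out of tokens. "
                "The client fell back to PLAIN rather than completing GSSAPI, so SSO "
                "was never attempted against this server.")
    return (f"well-formed PLAIN response for {fields['authcid']!r} "
            f"(authzid={fields['authzid']!r}, {len(tokens)} tokens)")

if __name__ == "__main__":
    # blob copied from the Openfire error log quoted above
    print(diagnose("AHNtYXNvbgA="))
    # constructed, well-formed sample for comparison
    print(diagnose(encode_sasl_plain("", "alice", "s3cret")))
```

Running it against the logged blob shows an empty password field, i.e. the Spark client gave up on GSSAPI and tried PLAIN with nothing in it, which matches the NullPointerException on the client side and the NoSuchElementException on the server side. When checking an Openfire log for SSO failures, a PLAIN `<auth>` from a client that should be using GSSAPI is the line to look for before touching krb5.ini or the keytab again.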

in your openfire.xml file what does this line say

<mechs>GSSAPI</mechs>

and what about your <provider> section of the same file?

Well, I finally got it working!! After many hours of painstaking work, blood, sweat and tears I have accomplished what at first seemed to be impossible. I would like to thank you all once again for taking the time and energy to answer my questions and help me out. I have been using spark and openfire for a while now and although this last hurdle was difficult it was well worth the work and time spent to make it work. So far I think these products are great and the community here is just awesome - thanks again people, words can’t tell you how happy I am to have had your help.

Now all I gotta do is get a working .msi so I can deploy spark to all my clients and have them SSO into the server!

Just remember this is a 2 step process. MSI files can not target the location Spark stores its preferences. You will need a script to create the preferences when the user logs in.

Yea I thought I would need such a script. I am using admin studio to create the .msi so that should take care of the registry setting and krb5.ini right? Then I just need a script to create the spark folder with the spark.properties inside of it correct?

as long as admin studio lets you add the reg setting and krb.ini to the install you should be fine. I also create a Spark folder in the Default User profile and copy the settings file there. I also add the shortcut to all users startup. Then as you stated the script should just create the folder and copy the properties file for each user on login. I attached a sample properties file for SSO. you need a real server name.

Thanks for that mtstravel - I actually got something similar off another post that I changed a bit that will work. You wouldn’t happen to have an example script you could share with me, do you? I’ve never actually had to write this type of script as I am generally a linux admin and am now trying to learn windows for work. Thanks again for your help.

just so the answer can be here for the future, what did you do to fix your errors?

as for msi, we deploy 2 msi files, the original from ignite and then a custom one I made. my custom one has reg entries and a custom spark.jar.pack so that spark gets branded. I also discovered the vpn users didn’t get the kerberos tickets refreshed right away so I made a simple script that does net time (the simplest thing I could find to renew kerberos) and then starts spark. I copy my script to %SPARKDIR% and then have a login script to copy a shortcut and spark.properties. I do the shortcut at this point since not every user has access so we want to control the shortcut.

**edit - just saw your last post

here is part of the login script (don’t know why it has a strike through it)

    REM This works for Vista and XP
    REM the first line makes a backup and the second line copies the properties
    REM file needed for SSO
    REM (the forum turned the UNC share path into a file:// link; it is a plain \\server\share path)
    if exist "%userprofile%\Spark\spark.properties" move "%userprofile%\Spark\spark.properties" "%userprofile%\Spark\spark.properties.backup"
    copy "\\tbcsrv903\support$\Instant_Messaging\Development\spark.properties" "%userprofile%\Spark"

here is a windows login script that will work from a Domain Controller:

    @echo off
    REM per-user profile: create the Spark folder and copy spark.properties from NETLOGON if it is missing
    if exist "c:\Documents and Settings\%username%\Spark\spark.properties" goto dumd
    :usermd
    md "c:\Documents and Settings\%username%\Spark"
    xcopy /f /y "%logonserver%\netlogon\Spark\spark.properties" "c:\Documents and Settings\%username%\Spark\"

    REM Default User profile: so accounts logging on for the first time get the file too
    :dumd
    if exist "c:\Documents and Settings\Default User\Spark\spark.properties" goto end
    md "c:\Documents and Settings\Default User\Spark"
    xcopy /f /y "%logonserver%\netlogon\Spark\spark.properties" "c:\Documents and Settings\Default User\Spark\"
    :end

just a note, vista and xp profiles are in different places so use something like “%userprofile%\Spark” instead