SSO issues with Openfire 3.3.2/Spark2.5.3

I am attempting to configure a test bed server to use SSO with the Spark client. My client uses SSO fine with an Openfire 3.3.1 server, but fails with the 3.3.2 server. Both the clients and the server are on Windows machines.

Keytab generation log:

U:>ktpass /princ xmpp/mts-development@AD.MTSTRAVEL.COM /mapuser tasks@ad.mtstravel.com /pass * /out jabber.keytab

Targeting domain controller: mts1.ad.mtstravel.com

Successfully mapped xmpp/mts-development to tasks.

Type the password for xmpp/mts-development:

Type the password again to confirm:

Key created.

Output keytab to jabber.keytab:

Keytab version: 0x502

keysize 64 xmpp/mts-development@AD.MTSTRAVEL.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x97a4fd3852372acd)

Account tasks has been set for DES-only encryption.

Here is my gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="AD.MTSTRAVEL.COM"
        principal="xmpp/mts-development.ad.mtstravel.com@AD.MTSTRAVEL.COM"
        debug=true;
};

Here are my error logs:

Spark Errors:

javax.security.sasl.SaslException: GSS initiate failed Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 9 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 12 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 17 more

not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Openfire error Logs:

There is nothing in the error logs of the server, which I find odd.

Openfire server now showing this in debug log (no changes have been made):

2007.07.03 16:02:04
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:232)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:206)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:506)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2007.07.03 16:02:04
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:232)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:206)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:506)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2007.07.03 16:02:04
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:232)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:206)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:506)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)


"Server not found in Kerberos database" is the error you get when something asks the KDC for something the KDC knows nothing about. Double check all your DNS entries. The "Unknown Link Type" error is new to me. What version of Java (server and client)?

Java is 6.0.1. I will check my other settings. Does the keytab need to be called jabber.keytab? Can I call it something else? Can there be more than one jabber.keytab?

No, it doesn't need to be named jabber.keytab, but openfire.xml references a config file (by convention we have been calling it gss.conf; you can also rename that) and in that config file it has the path to the keytab. Just make sure the name matches.

You cannot specify multiple keytabs; only one service principal is supported at this time anyway. You can put multiple keys into one keytab, though, so if we do get support for multiple service principals (i.e. multi-homed hosts) multiple files will not be needed and likely not supported, since that would require changes to Java itself.

I was asking about multiple keytabs in the sense that I am going to have 2 different servers running. They will have different names in AD. I think therefore they must have different keytabs generated, correct? I need only one keytab per physical machine. I need a testbed server so I am not using my production server to test updates.

If you have two separate servers, you will have two separate keys, so there should be no problem there. You cannot use the same key for multiple servers, and thus you cannot use the same AD account for the service principal. Generating a key with the ktpass command will invalidate any previously created key.

So how do I generate a new key with ktpass if it will invalidate the old one?

You need to create a new user to generate a second key. You used the user "tasks" before, I see, so make a new one ("tasks-dev"?) and generate the second keytab with that user.

I thought that would work and have already created a new user. Your previous comment just got me a little wary.

What I mean is a given principal can only have one key (per encryption type) at one time. Windows maps users to principals in a one to one fashion, and generally only with one encryption type, so you get one key per user.