SSO/Kerberos stopped working after upgrade to latest Spark version

Hello,

After upgrading a few of my client computer images with the latest Spark version, Kerberos SSO ceased to work with some obscure Java Kerberos failure. I have a feeling something was changed between Java 7 and 8, breaking things. I’ve double-checked the service principal name for Openfire and it all seems correct. I’ve tried almost everything I can think of without much success.

Spark 2.8.1

openfire 4.0.2

nov 25, 2016 3:49:15 EM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.IllegalArgumentException: Empty nameStrings not allowed
    at sun.security.krb5.PrincipalName.validateNameStrings(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.parse(Unknown Source)
    at sun.security.krb5.internal.KRBError.init(Unknown Source)
    at sun.security.krb5.internal.KRBError.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:374)
    at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:456)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1099)
    at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
    at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:869)
    at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:142)
    at java.lang.Thread.run(Unknown Source)

Have you tried this? SSO (Single Sign On) configuration changes since Spark 2.8.0

I tried that already. I figured adding all the SPNs to the keytab file for troubleshooting wouldn’t break it more, so here is my keytab:

1 xmpp/srv1.example.com@EXAMPLE.COM (des-cbc-crc)
1 xmpp/srv1.example.com@EXAMPLE.COM (des-cbc-md5)
1 xmpp/srv1.example.com@EXAMPLE.COM (arcfour-hmac)
1 xmpp/example.com@EXAMPLE.COM (des-cbc-crc)
1 xmpp/example.com@EXAMPLE.COM (des-cbc-md5)
1 xmpp/example.com@EXAMPLE.COM (arcfour-hmac)
1 xmpp/xmpp.example.com@EXAMPLE.COM (des-cbc-crc)
1 xmpp/xmpp.example.com@EXAMPLE.COM (des-cbc-md5)
1 xmpp/xmpp.example.com@EXAMPLE.COM (arcfour-hmac)

Something has broken the client-side SSO, since I don’t even see Openfire trying to decode the client Kerberos ticket. Also, I tried manually entering the KDC and realm under the SSO tab in Spark, bypassing DNS, to no avail.