
SSO not functioning totally

Hi

I've got a problem with Openfire 4.1.5 + Spark 2.8.3 and SSO.

So I'll describe the infrastructure:

AD Windows 2012 R2 with AD level 2012 R2

Openfire installed on drive E of the AD server

Client Windows 10 + Spark 2.8.3

I just configured Openfire with AD and OF reads my AD correctly.

The client has this situation:

With krb5.ini SSO

With DNS or setting:

In all 3 cases the result does not change.

This is my gss conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="E:/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    realm="domain.LOCAL"
    principal="xmpp/dc1.domain.local"
    debug=true;
};

ServicePrincipalNames registrati per CN=xmpp-openfire,OU=Service,OU=dominio,DC=dominio,DC=local:

xmpp/dc1.dominio.local

xmpp/dc1

xmpp/dc1.dominio.local@dominio.LOCAL

KRB5.ini

[libdefaults]
default_realm = dominio.LOCAL

[realms]
DOMINIO.LOCAL = {
kdc = dc1.dominio.local
admin_server = dc1.dominio.local
default_domain = dominio.local
}

[domain_realms]
dominio.local= DOMINIO.LOCAL
.dominio.local= DOMINIO.LOCAL

This is my openfire.xml:

<?xml version="1.0" encoding="UTF-8"?>

9090
9091
en
GSSAPI
dominio.LOCAL
true
true
5
org.jivesoftware.database.EmbeddedConnectionProvider
true

Windows Firewall disabled

Client and server are on the same network

Java is not installed on the client.

I read these guides:

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

SSO Issues (WinSrv2016/Win10Ent w/ Openfire 4.1.0 & Spark 2.8.2)

SSO Configuration

help?
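
A consistency check for the kind of krb5.ini and gss.conf quoted in the post above, as an added example that is not part of the original thread: it flags section names that Kerberos libraries do not read and realm names that differ, case included, from the realms defined under [realms]. The function names, the list of known sections and the EXAMPLE.LOCAL sample files are constructed for illustration.

```python
import re

# Common krb5.ini / krb5.conf section names (list chosen for this example).
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}

def parse_krb5(text):
    """Return {section: {key: value}}; a realm block shows up as key -> '{'."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def parse_jaas_options(text):
    """Collect key=value options of a JAAS entry, dropping quotes and ';'."""
    return {k: v.strip('";') for k, v in re.findall(r"(\w+)\s*=\s*(\S+)", text)}

def lint(krb5_text, jaas_text):
    """List mismatches; Kerberos realm names are compared case-sensitively."""
    krb5 = parse_krb5(krb5_text)
    findings = [f"unknown krb5 section [{s}]" for s in krb5 if s not in KNOWN_SECTIONS]
    realms = {k for k, v in krb5.get("realms", {}).items() if v == "{"}
    checks = [("default_realm", krb5.get("libdefaults", {}).get("default_realm")),
              ("JAAS realm", parse_jaas_options(jaas_text).get("realm"))]
    checks += [(f"[domain_realm] {host}", realm)
               for host, realm in krb5.get("domain_realm", {}).items()]
    for label, realm in checks:
        if realm not in realms:
            findings.append(f"{label} = {realm!r} is not a realm defined in [realms]")
    return findings

# Constructed sample input with placeholder names (not the poster's files).
SAMPLE_KRB5 = """[libdefaults]
default_realm = example.LOCAL
[realms]
EXAMPLE.LOCAL = {
kdc = dc1.example.local
}
[domain_realms]
.example.local = EXAMPLE.LOCAL
"""
SAMPLE_JAAS = ('com.sun.security.jgss.accept {\n'
               ' com.sun.security.auth.module.Krb5LoginModule required\n'
               ' realm="example.LOCAL" principal="xmpp/dc1.example.local" debug=true;\n};\n')

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_KRB5, SAMPLE_JAAS)))
```
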

Make sure you can connect without SSO, using your AD credentials. This will rule out a few things first.

Make sure you have debug enabled in Openfire… this will provide some needed information as to what the failure is.

Also, what are you trying to connect to? What's your XMPP domain?

I can connect without SSO.

Debug mode in openfire.xml?

Where do I enable debug?

I only use an internal domain, so my XMPP domain is domain.local.

Are you using SRV records that point domain.local to something like xmpp.domain.local?

FYI… I'm currently in the group chat.

This is the error from the Openfire server:

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

2017.08.02 17:52:26 org.jitsi.impl.protocol.xmpp.XmppProtocolProvider - Failed to connect/login: Anonymous login failed.

Anonymous login failed.:

at org.jivesoftware.smack.NonSASLAuthentication.authenticateAnonymously(NonSASLAuthentication.java:128)

at org.jivesoftware.smack.XMPPConnection.loginAnonymously(XMPPConnection.java:283)

at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.doConnect(XmppProtocolProvider.java:217)

at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.access$000(XmppProtocolProvider.java:47)

at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider$1.call(XmppProtocolProvider.java:192)

at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider$1.call(XmppProtocolProvider.java:187)

at org.jitsi.retry.RetryStrategy$TaskRunner.run(RetryStrategy.java:193)

at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)

at java.util.concurrent.FutureTask.run(Unknown Source)

at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)

at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

And this is the debug log:

2017.08.02 18:02:23 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 71

Queue : [MESSAGE_RECEIVED, ]

2017.08.02 18:02:23 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 71

2017.08.02 18:02:23 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 173, accepts self-signed: false, checks validity: true

2017.08.02 18:02:23 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 173, accepts self-signed: false, checks validity: true

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter tls to the chain

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](no sslEngine) Initializing the SSL Handler

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](no sslEngine) SSL Handler Initialization done.

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server71 : Starting the first handshake

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server71: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=50 cap=64: 3C 70 72 6F 63 65 65 64 20 78 6D 6C 6E 73 3D 22…]

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server71: Message received : HeapBuffer[pos=0 lim=188 cap=1024: 16 03 03 00 B7 01 00 00 B3 03 03 59 81 F7 8F D6…]

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server71 Processing the received message

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_TASK state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_WRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=1243 cap=2115: 16 03 03 04 D6 02 00 00 4D 03 03 59 81 F7 8F 02…]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Processing the SSL Data

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Message received : HeapBuffer[pos=0 lim=75 cap=1024: 16 03 03 00 46 10 00 00 42 41 04 83 83 6C BC EB…]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 Processing the received message

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_TASK state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Processing the SSL Data

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Message received : HeapBuffer[pos=0 lim=91 cap=512: 14 03 03 00 01 01 16 03 03 00 50 CB D2 26 22 0F…]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 Processing the received message

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_UNWRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_WRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=6 cap=8: 14 03 03 00 01 01]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the NEED_WRAP state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=85 cap=132: 16 03 03 00 50 9E 91 3A 4F 53 90 2F 86 3A 61 D9…]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the FINISHED state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 is now secured

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 processing the FINISHED state

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 is now secured

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Processing the SSL Data

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Message received : HeapBuffer[pos=0 lim=229 cap=512: 17 03 03 00 E0 B0 6D DB D6 5D AB 5F 29 1F 6C BD…]

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server71 Processing the received message

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Processing the SSL Data

2017.08.02 18:02:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 71

Queue : [MESSAGE_RECEIVED, ]

2017.08.02 18:02:24 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 71

2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server71: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=530 cap=1024: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 27 31…]

2017.08.02 18:02:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 71

Queue : [MESSAGE_SENT, ]

2017.08.02 18:02:24 org.quartz.core.QuartzSchedulerThread - batch acquisition of 0 triggers

It is as if Spark cannot send the correct password, or maybe does not send the password to Openfire.