
SSO not quite working

I am trying to get SSO working. In debug I get this error when trying to log in after following the SSO wiki. Everything checks out OK but I have obviously missed something simple; any ideas?

java.io.IOException: Connection reset by peer

at sun.nio.ch.FileDispatcher.read0(Native Method)

at sun.nio.ch.SocketDispatcher.read(Unknown Source)

at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)

at sun.nio.ch.IOUtil.read(Unknown Source)

at sun.nio.ch.SocketChannelImpl.read(Unknown Source)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:208)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:188)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)

at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:471)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

========

Spec

KDC = Windows 2003; it is also the PDC

Openfire running on Debian as the xmpp-comms user


Output

$ klist

Ticket cache: FILE:/tmp/krb5cc_5001

Default principal: xmpp-comms@SHS.WILTS.SCH.UK

Valid starting Expires Service principal

10/12/07 13:45:21 10/12/07 23:45:15 krbtgt/SHS.WILTS.SCH.UK@SHS.WILTS.SCH.UK

renew until 10/13/07 13:45:21

Kerberos 4 ticket cache: /tmp/tkt5001

klist: You have no tickets cached


Sections from my openfire.xml

<sasl>

<mechs>GSSAPI,CRAM-MD5,DIGEST-MD5</mechs>

<realm>SHS.WILTS.SCH.UK</realm>

<gssapi>

<!-- GSSAPI needs its own config file -->

<config>/opt/openfire/conf/gss.conf</config>

<useSubjectCredsOnly>false</useSubjectCredsOnly>

<debug>true</debug>

</gssapi>

</sasl>

cat conf/gss.conf

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

useKeyTab=true

keyTab="/opt/openfire/conf/xmpp-comms.new.keytab"

doNotPrompt=true

realm="SHS.WILTS.SCH.UK"

principal="xmpp/xmpp-comms@SHS.WILTS.SCH.UK"

storeKey=true

debug=true;

};

Clients used: Spark 2.5.7 and Pandion

Neither work

Thanks for your help in advance

I would question the validity of your keytab. I would recommend simplifying the name of that file for one. Try using this code:

ktpass -princ xmpp/SHS.WILTS.SCH.UK@SHS.WILTS.SCH.UK -mapuser UserName -pass XXXXXXXXXX -out jabber.keytab

Replace UserName with the username of an LDAP user you want to associate the keytab.

The wiki is deprecated. Get the current documentation at SSO Configuration. Also, to view the keytab on a Linux/Unix system, use the klist command like this:

klist -kt /opt/openfire/conf/xmpp-comms.new.keytab

Also, the error you are showing I do not think has anything to do with SSO. If you turn SSO off (and change nothing else) does it work?
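The advice above boils down to: confirm the keytab actually contains the principal named in gss.conf, with the kvno and enctype you expect, before blaming anything else. The following is an added example, not code from the thread or from Openfire: a small parser for the MIT keytab file format (the format ktpass and ktutil write), plus a check that the principal string from gss.conf is present byte for byte (Kerberos principal names are case-sensitive). It runs offline on a constructed keytab; the principal and key bytes below are assumptions for illustration, and `klist -kt` remains the tool to use on the real file.

```python
"""Parse an MIT-format Kerberos keytab and check it holds a given principal.

Added example, not from the thread or from Openfire. The keytab built in
__main__ is constructed for illustration; real keytabs come from ktpass/ktutil.
"""
import io
import struct

# RFC 3961 enctype numbers most often seen in keytabs
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def _pack_counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 keytab.

    Only used here to construct test input; it mirrors parse_keytab below.
    """
    out = b"\x05\x02"  # MIT keytab v2 header
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
        body += b"".join(_pack_counted(c.encode()) for c in comps)
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack_counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, keylen), one per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected MIT keytab v2 header bytes 05 02")
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        buf = io.BytesIO(data[pos:pos + size])
        pos += size
        (ncomp,) = struct.unpack(">H", buf.read(2))
        realm = _counted(buf).decode()
        comps = [_counted(buf).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", buf.read(9))
        (enctype,) = struct.unpack(">H", buf.read(2))
        key = _counted(buf)
        tail = buf.read()
        vno32 = struct.unpack(">I", tail[:4])[0] if len(tail) >= 4 else 0
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": vno32 if vno32 else vno8,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "keylen": len(key),
        })
    return entries


def has_principal(entries, principal):
    """True if an entry matches this principal exactly (case-sensitive)."""
    return any(e["principal"] == principal for e in entries)


def klist_kt(entries):
    """Render entries roughly the way 'klist -kt' prints them."""
    lines = ["KVNO Principal", "---- ---------"]
    for e in entries:
        lines.append(f"{e['kvno']:>4} {e['principal']} ({e['enctype']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the SPN from the poster's gss.conf with a dummy RC4 key.
    wanted = "xmpp/xmpp-comms@SHS.WILTS.SCH.UK"
    kt = build_keytab([(wanted, 3, 23, b"\x11" * 16)])
    found = parse_keytab(kt)
    print(klist_kt(found))
    print("principal from gss.conf present:", has_principal(found, wanted))
```

Point `parse_keytab` at `open("/opt/openfire/conf/xmpp-comms.new.keytab", "rb").read()` and compare against the `principal=` line in gss.conf; a mismatch in case, realm or host part is the usual reason the acceptor cannot find a key.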

Hi, I’m also having a similar problem with SSO. I’ve configured everything as required and have used the Smack Debug tool in Spark to see what’s happening.

During a login, it appears that two packets are sent out. One is a get packet with the payload:

<iq id="1eBcD-5" type="get">

<query xmlns="jabber:iq:auth">

<username>jabbertestuser</username>

</query>

</iq>

The second sent packet is a set packet with the payload:

<iq id="1eBcD-6" type="set">

<query xmlns="jabber:iq:auth">

<username>jabbertestuser</username>

<password/>

<resource>spark</resource>

</query>

</iq>

Following this, two packets are received, the first a result packet which contains:

<iq id="1eBcD-5" type="result">

<query xmlns="jabber:iq:auth">

<username>jabbertestuser</username>

<password/>

<resource/>

</query>

</iq>

Which is followed by the final packet, which is an error packet containing:

<iq id="1eBcD-6" to="jabber-server.local/f3f5f209" type="error">

<query xmlns="jabber:iq:auth">

<username>jabbertestuser</username>

<password/>

<resource>spark</resource>

</query>

<error code="401" type="AUTH">

<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>

</error>

</iq>

Anyone got any suggestions? I’m at a loss as to what’s going wrong here.

Any help gratefully received.

Kris
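The stanzas quoted in Kris's post are worth reading for their namespaces: `jabber:iq:auth` is the legacy non-SASL login of XEP-0078, and a `set` with an empty `<password/>` carries no Kerberos ticket at all, so no GSSAPI exchange took place before the server answered `not-authorized`. A real SSO login shows `<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="GSSAPI">` followed by `<success/>` or `<failure/>`. The script below is an added example, not code from the thread, Smack or Openfire: it classifies a Smack-debugger capture and reports which mechanism the client actually used. The sample stanzas are reconstructed from the post with straight quotes; the SASL stanza and its token text are constructed placeholders.

```python
"""Classify XMPP authentication stanzas from a Smack debug capture.

Added example, not from the thread, Smack or Openfire. Distinguishes legacy
jabber:iq:auth (XEP-0078) from SASL (RFC 3920) and flags an empty-password
legacy attempt, which means no GSSAPI ticket was ever presented.
"""
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
IQ_AUTH_NS = "jabber:iq:auth"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def classify(stanza):
    """Describe one stanza's role in authentication as a small dict."""
    el = ET.fromstring(stanza)
    if el.tag.startswith("{" + SASL_NS + "}"):
        name = _local(el.tag)                 # auth, challenge, response, success, failure
        info = {"kind": "sasl-" + name}
        if name == "auth":
            info["mechanism"] = el.get("mechanism")
        if name == "failure":
            cond = next(iter(el), None)       # e.g. <not-authorized/>
            info["condition"] = _local(cond.tag) if cond is not None else None
        return info
    if _local(el.tag) == "iq":
        q = el.find("{%s}query" % IQ_AUTH_NS)
        if q is None:
            return {"kind": "other"}
        info = {"kind": "iq-auth", "type": el.get("type"), "id": el.get("id")}
        pw = q.find("{%s}password" % IQ_AUTH_NS)
        # <password/> with no text is the tell-tale of a client with nothing to send
        info["password_empty"] = pw is not None and not (pw.text or "").strip()
        err = el.find("error")
        if err is not None:
            cond = next(iter(err), None)
            info["error"] = _local(cond.tag) if cond is not None else err.get("code")
        return info
    return {"kind": "other"}


def diagnose(stanzas):
    """Summarise a whole login capture as a short code string."""
    infos = [classify(s) for s in stanzas]
    sasl = [i for i in infos if i["kind"] == "sasl-auth"]
    if sasl:
        return "sasl:" + (sasl[0]["mechanism"] or "?")
    sets = [i for i in infos if i["kind"] == "iq-auth" and i["type"] == "set"]
    if not sets:
        return "no-auth-attempt"
    outcome = next((i["error"] for i in infos if i.get("error")), "ok")
    if sets[0]["password_empty"]:
        return "legacy-iq-auth-empty-password:" + outcome
    return "legacy-iq-auth:" + outcome


# Reconstructed from the capture in the post (straight quotes, same content).
SAMPLE = [
    '<iq id="1eBcD-5" type="get"><query xmlns="jabber:iq:auth">'
    '<username>jabbertestuser</username></query></iq>',
    '<iq id="1eBcD-6" type="set"><query xmlns="jabber:iq:auth">'
    '<username>jabbertestuser</username><password/><resource>spark</resource></query></iq>',
    '<iq id="1eBcD-5" type="result"><query xmlns="jabber:iq:auth">'
    '<username>jabbertestuser</username><password/><resource/></query></iq>',
    '<iq id="1eBcD-6" to="jabber-server.local/f3f5f209" type="error">'
    '<query xmlns="jabber:iq:auth"><username>jabbertestuser</username>'
    '<password/><resource>spark</resource></query>'
    '<error code="401" type="AUTH">'
    '<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>',
]

# Constructed placeholder for what a working SSO login starts with; the token is not real.
SASL_SAMPLE = ('<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="GSSAPI">'
               'base64-gss-token-placeholder</auth>')

if __name__ == "__main__":
    print("captured login:", diagnose(SAMPLE))
    print("expected SSO login:", diagnose([SASL_SAMPLE]))
```

If the capture never contains a SASL `<auth mechanism="GSSAPI">`, the problem is on the client side of the handshake (no ticket obtained, or the client not offering GSSAPI), and the keytab and gss.conf on the server have not even been exercised yet.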

Try this new FAQ for setting up SSO with Openfire. It’s what worked for me after everything else failed so I documented it for others.

HOWTO: SSO Configuration for Windows (Server and Clients) and Mac Clients

Let me know if this helps.

Poppa

Poppa

Thanks for your suggestion - I'll follow your advice and let you know how I fare.

Kind regards,

Kris

Kristoffer Marc Getchell

kris@getchell.co.uk

From: Poppa Smurf forums@jivesoftware.com

Date: Mon, 26 Nov 2007 15:53:20 -0600

To: Kristoffer Getchell kris@getchell.co.uk

Subject: New message: "SSO not quite working" [1jT6jU-4M6-FVq]

Kristoffer Getchell,

A new message was posted in the thread “SSO not quite working”:

http://www.igniterealtime.org/community/message/161164

Author : Poppa Smurf

Email : netmodem@timesfreepress.com

Profile : http://www.igniterealtime.org/community/people/Poppa Smurf

Message: