Hi everyone,
I'm posting the nth post about an SSO-related problem; I'm sorry for this, but I've been struggling since before the COVID pandemic and I'm unable to get the work done.
I'm the administrator of a Windows AD, let's call it MyDomain.it.
We had Openfire and Spark nicely working for years, but after we raised AD from 2003 to 2008 the service is not working. I tried several times but I got stuck in a Kerberos problem.
My clients are desktop running Windows 7 or Windows 10.
Before writing the details of my installation, I wanted to state that:
- plain auth with AD user credentials works fine
- Spark seems unable to get the Kerberos ticket from the client Windows cache (both on W7 and W10)
If I run the Windows command "klist" I get the list of all the tickets granted to the user.
If I run the JRE command (both on the 1.8.0_181 JRE installed on the client desktop and on the 1.8.0_121 JRE inside the Spark installation) they try to load the ticket from my user profile and find none.
Running the JRE command "kinit" fails with this error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
I've searched and searched, but can't find the exact meaning of that. It can be a problem related to the so-called pre-authentication, but I don't know anything about this.
As far as I can understand, this problem is related completely to the client side: I found the problem as soon as I open the Spark UI. Even in the Advanced settings, "SSO" tab, Spark tells me that it is unable to load the user Principal.
Is it possible that the issue is related to Java security?
Can someone tell me if he succeeded in setting up Openfire-Spark SSO with AD 2008 or higher and client W7/W10, and how he did it?
Here is how I made the installation (I followed Speedy's nice video posted in Oct 2017 on the page How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2):
DNS zone setting
================
In MyDomain.it DNS zone:
New record => other record => SRV record
* Domain: MyDomain.it (OR mydomain.it)
* Service: _xmpp-client
* Protocol: _tcp
* Priority: 0
* Weight: 5
* Port number: 5222
* Host offering the service: xmpp.MyDomain.it
New record => CNAME (Alias)
* Alias name: xmpp
* FQDN: xmpp.MyDomain.it (OR xmpp.mydomain.it)
* FQDN for target host: record of host offering the service (openfire-srv.mydomain.it)
Active Directory accounts
=========================
New user for LDAP search
e.g. ldaplookup@mydomain.it
New user for SSO:
* username “keytab”
* account prop => Account: mark “This account supports Kerberos AES 128 bit encryption”
SPN
===
Command prompt on the AD DC with administrator privileges.
SPN creation in AD:
setspn -S xmpp/xmpp.MyDomain.it@MYDOMAIN.IT keytab
Keytab file export:
ktpass -princ xmpp/xmpp.MyDomain.it@MYDOMAIN.IT -mapuser keytab@mydomain.it -crypto AES128-SHA1 -pass * -ptype KRB5_NT_PRINCIPAL -out /path/to/xmpp.keytab
The output mentions keysize 73 and encryption algorithm 3 etype 0x11 (AES128-SHA1).
Database
========
USING EMBEDDED
Installation & setup Openfire
============================
Openfire setup, then after the service is installed open browser to:
http://localhost:9090
Server Settings
* XMPP domain name: MyDomain.it
* Server Host name (FQDN): xmpp.MyDomain.it
Database Settings... none for me
Profile Settings:
* Directory Server (LDAP)
* Server Type: Active Directory
* Host and Port of a DC of mydomain.it
* Base DN: dc=mydomain, dc=it
* Administrator DN: ldaplookup@mydomain.it
gss.conf
========
Copy under: /Path/To/openfire/conf/gss.conf
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/Path/To/openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    debug=true
    realm="MYDOMAIN.IT"
    principal="xmpp/xmpp.MyDomain.it";
};
krb5.ini
========
Copy on the Openfire server under C:\Windows\krb5.ini
[libdefaults]
    default_realm = MYDOMAIN.IT
[realms]
    MYDOMAIN.IT = {
        kdc = 3v-ws008-01.mydomain.it
        admin_server = 3v-ws008-01.mydomain.it
        default_domain = mydomain.it
    }
[domain_realm]
    mydomain.it = MYDOMAIN.IT
    .mydomain.it = MYDOMAIN.IT
keytab file
===========
Copy xmpp.keytab from step 3. under:
/Path/To/openfire/resources/xmpp.keytab
Openfire configurations
=======================
Server Manager => System Properties => Add new property
* sasl.gssapi.config = /Path/To/openfire/conf/gss.conf
* sasl.gssapi.useSubjectCredsOnly = false
* sasl.realm = MYDOMAIN.IT
Server Settings => Registration & Login => SASL Mechanism
Uncheck everything but "GSSAPI"
Restart Openfire Service
========================
CLIENT
======
Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
"allowtgtsessionkey"=dword:00000001
Spark installation
==================
That's all, launch Spark
Spark Advanced Settings => Tab "SSO"
* mark flag "Use Single Sign-On (SSO) via GSSAPI"
* Choose "Use DNS"
Tab "General"
* Accept All certificates...
==============================================
As I said, when I open Spark I get the errors described before.
I would be very glad if someone could help me out.
Thanks in advance
Max
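As an added example (not part of the post above), a small Python parser for the keytab that the ktpass command in the SPN step exports: it lists each entry's principal, kvno and enctype, and checks that the file holds an AES128 key (etype 0x11, the value ktpass prints) for exactly the principal named in gss.conf, which is one of the first things to verify when GSSAPI accept fails. The sample keytab bytes are constructed inline with a dummy key, not a real export; the helper names are my own.

```python
import struct
# Kerberos enctype numbers; ktpass reports AES128-SHA1 as "etype 0x11", i.e. 17
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):  # uint16 length + bytes (keytab counted_octet_string)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse a version 2 keytab (the format 'ktpass -out' writes) into entry dicts."""
    assert data[:2] == b"\x05\x02", "not a version 2 keytab"
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size = deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "key_len": len(key)})
        off = end
    return entries

def check_keytab(data, principal, etype=17):
    """Problems found (empty = OK). Match is exact: Kerberos principals are case-sensitive."""
    hits = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not hits:
        return ["no entry for %s" % principal]
    if not any(e["etype"] == etype for e in hits):
        return ["no %s key for %s" % (ETYPE_NAMES.get(etype, etype), principal)]
    return []
def _entry(realm, comps, etype, key, kvno=3, name_type=1):  # builds one entry for the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", name_type, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body
# Constructed sample (dummy all-zero key): an AES128 export for the SPN used in the post
SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"MYDOMAIN.IT", [b"xmpp", b"xmpp.MyDomain.it"], 17, bytes(16))
```

Run it against the real xmpp.keytab by reading the file into `check_keytab` with the principal string from gss.conf plus "@MYDOMAIN.IT"; a non-empty result means the keytab and gss.conf disagree before Kerberos is even involved.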