powered by Jive Software

SSO on OpenFire 3.3.2 Problems

I’m attempting to implement SSO in my environment but can’t seem to figure out what is wrong. Below are my configuration files.

Domain Name: Ad.McbrideAndSon.com

OpenFire Server Name: Pepper

OpenFire Version: 3.3.2

OpenFire Server OS: Windows 2003 Server

Spark Version: 2.5.5

Spark Client OS: WinXP SP2

Username I created in ADUC for Jabber: xmpp-jabber

Runing Klist.exe on client computer


C:\Program Files\Resource Kit>klist tgt

Cached TGT:

ServiceName: krbtgt

TargetName: krbtgt

FullServiceName: jeff.kackley

DomainName: AD.MCBRIDEANDSON.COM

TargetDomainName: AD.MCBRIDEANDSON.COM

AltTargetDomainName: MCBRIDEIDEANDSON.COM

TicketFlags: 0x40e00000

KeyExpirationTime: 256/0/29920 0:103:8048

StartTime: 9/14/2007 8:04:56

EndTime: 9/14/2007 18:04:56

RenewUntil: 9/21/2007 8:04:56

TimeSkew: 9/21/2007 8:04:56-----

Running nslookup on the client machine


C:>nslookup pepper.ad.mcbrideandson.com

Server: dell-dc.ad.mcbrideandson.com

Address: 10.1.1.33

Name: pepper.ad.mcbrideandson.com

Address: 10.1.1.43

C:>nslookup 10.1.1.43

Server: dell-dc.ad.mcbrideandson.com

Address: 10.1.1.33

Name: pepper.ad.mcbrideandson.com

Address: 10.1.1.43


C:\Program Files\Openfire\resources\jabber.keytab was made by the following


C:\keytabs>Ktpass princ xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM ma
puser MCBRIDE\xmpp-jabber -pass passwordhere out xmpp.keytab -ptype KRB5_NT_PR
INCIPAL
Targeting domain controller: dell-dc.AD.McBrideandSon.com
Using legacy password setting method
Successfully mapped xmpp/jabber.ad.mcbrideandson.com to xmpp-jabber.
Key created.
Output keytab to xmpp.keytab:
Keytab version: 0x502
keysize 88 xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM ptype 1 (KRB5_N
T_PRINCIPAL) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x38ce8e2ddcd3bd78889988
713a7172fc)


C:\Program Files\Openfire\conf\gss.conf


com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab=“C:/Program Files/Openfire/resources/jabber.keytab”

doNotPrompt=true

useKeyTab=true

realm=“AD.MCBRIDEANDSON.COM

principal=“xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM”

debug=true;

};


C:\Program Files\Openfire\conf\openfire.xml


<?xml version=“1.0” encoding=“UTF-8”?>

<!–

This file stores bootstrap properties needed by Openfire.

Property names must be in the format: “prop.name.is.blah=value”

That will be stored as:

<prop>

<name>

<is>

<blah>value</blah>

</is>

</name>

</prop>

Most properties are stored in the Openfire database. A

property viewer and editor is included in the admin console.

–>

<!-- root element, all properties must be under this element -->

<jive>

<adminConsole>

<!-- Disable either port by setting the value to -1 -->

<port>9090</port>

<securePort>9091</securePort>

</adminConsole>

<admin>

<!-- Use this section to define users that will have admin privileges. Below,

you will find two ways to specify which users are admins. Admins will

have access to the admin console (only local users) and may have also access

to other functionalities like ad-hoc commands. -->

<!-- By default, only the user with the username “admin” can login

to the admin console. Alternatively, you can specify a comma-delimitted

list usernames that should be authorized to login to the admin console

by setting the <authorizedUsernames> field below. -->

<!-- <authorizedUsernames></authorizedUsernames> -->

<!-- Comma-delimitted list of bare JIDs. The JIDs may belong to local

or remote users. -->

<!-- <authorizedJIDs></authorizedJIDs> -->

<authorizedUsernames>usernameshere</authorizedUsernames>

</admin>

<locale>en</locale>

<!-- Network settings. By default, Openfire will bind to all network interfaces.

Alternatively, you can specify a specific network interfaces that the server

will listen on. For example, 127.0.0.1. This setting is generally only useful

on multi-homed servers. -->

<!–

<network>

<interface></interface>

</network>

–>

<connectionProvider>

<className>org.jivesoftware.database.EmbeddedConnectionProvider</classN ame>

</connectionProvider>

<ldap>

<host>dell-dc</host>

<port>389</port>

<baseDN>dc=ad,dc=mcbrideandson,dc=com</baseDN>

<adminDN>mcbride*adminunhere*</adminDN>

<adminPassword>passwordhere</adminPassword>

<connectionPoolEnabled>true</connectionPoolEnabled>

<sslEnabled>false</sslEnabled>

<ldapDebugEnabled>false</ldapDebugEnabled>

<autoFollowReferrals>false</autoFollowReferrals>

<usernameField>sAMAccountName</usernameField>

<searchFilter>(objectClass=organizationalPerson)</searchFilter>

<vcard-mapping><![CDATA[

<vCard xmlns=“vcard-temp”>

<N>

<GIVEN></GIVEN>

</N>

<EMAIL>

<INTERNET/>

<USERID></USERID>

</EMAIL>

<FN></FN>

<ADR>

<HOME/>

</ADR>

<ADR>

<WORK/>

<STREET></STREET>

<LOCALITY></LOCALITY>

<REGION></REGION>

<PCODE></PCODE>

<CTRY></CTRY>

</ADR>

<TEL>

<WORK/>

<VOICE/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<CELL/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<FAX/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<PAGER/>

<NUMBER></NUMBER>

</TEL>

<TITLE></TITLE>

<ORG>

<ORGUNIT></ORGUNIT>

</ORG>

</vCard>]]></vcard-mapping>

<nameField>cn</nameField>

<emailField>mail</emailField>

<groupNameField>cn</groupNameField>

<groupMemberField>member</groupMemberField>

<groupDescriptionField>description</groupDescriptionField>

<posixMode>false</posixMode>

<groupSearchFilter>(objectClass=group)</groupSearchFilter>

</ldap>

<provider>

<vcard>

<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className& gt;

</vcard>

<user>

<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className&g t;

</user>

<auth>

<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className&g t;

</auth>

<group>

<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className& gt;

</group>

</provider>

<setup>true</setup>

<!-- sasl configuration -->

<sasl>

<!-- Include a comma-separated list of the authentication mechanisms

to advertise support for to clients. Make sure GSSAPI is listed,

and best if it’s listed first. The order of mechanisms is important;

clients should try to use the first mechanism they support

(although not all will). Some clients will try to use the most

secure first.

You can add other mechanisms in order to support non-GSSAPI clients,

or clients who cannot authenticate to the realm (like Windows 9X,

off-site, and so on). Keep in mind that by allowing other mechanisms

you are compromising the security of your realm. Be sure to talk

to the Security Officer/Directory/Manager/Administrator about any

policies your organization might have before enabling less secure

mechanisms. By removing PLAIN and ANONYMOUS from the list, you will

also disable non-SASL authentications.

Keep in mind that a mechanism listed here might not actually be

advertised, such as when the authProvider can’t support the mechanism.

PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication

(the old style XMPP auth), so removing them from this list will

disallow non-SASL authentication. -->

<mechs>GSSAPI</mechs>

<!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->

<!-- Specify the realm you used when you created the service principal

and keytab.–>

<realm>AD.MCBRIDEANDSON.COM</realm>

<!-- Mechanism-specific configuration here -->

<gssapi>

<!-- Use true to turn on debugging information. This adds a lot

of noise to your log files, but it can help you spot problems

sooner in the initial setup. -->

<debug>true</debug>

<!-- Specify the location of the GSSAPI configuration file you edited. -->

<config>C:\Program Files\Openfire\conf\gss.conf</config>

<!-- Sets the system property with the same name. You’ll probably want

“false” here (the default). For more details, see

http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html -->

<useSubjectCredsOnly>false</useSubjectCredsOnly>

</gssapi>

</sasl>

<provider>

<authorization>

<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationProvider org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider org.jivesoftware.openfire.ldap.LdapAuthorizationProvider</classList>

<!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy–>

</authorization>

</provider>

</jive>


Registry Entry on th XP SP2 Client


&lt;code&gt;HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsaKerberos Value Name: allowtgtsessionkey Value Type: REG_DWORD Value: 0x01&lt;/code&gt;

Error Log on OpenFire


2007.09.14 15:58:03 [org.jivesoftware.database.ConnectionPool.<init>(ConnectionPool.java:111)

] Failed to create new connections on startup. Attempt 0 of 3

java.sql.SQLException:

The database is already in use by another process:

org.hsqldb.persist.NIOLockFile@f7cf94a6[file =C:\Program

Files\Openfire\embedded-db\openfire.lck, exists=true, locked=false,

valid=false, fl =null]: java.lang.Exception: checkHeartbeat(): lock

file C:\Program Files\Openfire\embedded-db\openfire.lck is presumably

locked by another process.

at org.hsqldb.jdbc.Util.sqlException(Unknown Source)

at org.hsqldb.jdbc.jdbcConnection.<init>(Unknown Source)

at org.hsqldb.jdbcDriver.getConnection(Unknown Source)

at org.hsqldb.jdbcDriver.connect(Unknown Source)

at java.sql.DriverManager.getConnection(Unknown Source)

at java.sql.DriverManager.getConnection(Unknown Source)

at org.jivesoftware.database.ConnectionPool.createCon(ConnectionPool.java:443)

at org.jivesoftware.database.ConnectionPool.<init>(ConnectionPool.java:88)

at org.jivesoftware.database.EmbeddedConnectionProvider.start(EmbeddedConnectionPr ovider.java:75)

at org.jivesoftware.database.DbConnectionManager.setConnectionProvider(DbConnectio nManager.java:459)

at org.jivesoftware.database.DbConnectionManager.getConnection(DbConnectionManager .java:77)

at org.jivesoftware.util.JiveProperties.loadProperties(JiveProperties.java:271)

at org.jivesoftware.util.JiveProperties.init(JiveProperties.java:70)

at org.jivesoftware.util.JiveProperties.<init>(JiveProperties.java:52)

at org.jivesoftware.util.JiveProperties.getInstance(JiveProperties.java:46)

at org.jivesoftware.util.JiveGlobals.getProperty(JiveGlobals.java:524)

at org.jivesoftware.openfire.XMPPServer.initialize(XMPPServer.java:286)

at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:383)

at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:148)

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)

at java.lang.reflect.Constructor.newInstance(Unknown Source)

at java.lang.Class.newInstance0(Unknown Source)

at java.lang.Class.newInstance(Unknown Source)

at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:93)

at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:49)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)

at com.exe4j.runtime.WinLauncher.main(Unknown Source)

2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)

] Groups () include non-existent username (usernamehere)

2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)

] Groups () include non-existent username (usernamehere)

2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)

] Groups () include non-existent username (usernamehere)

2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)

] Groups () include non-existent username (usernamehere

)


OpenFire’s Warn Log


007.09.14 16:00:39 SaslException

javax.security.sasl.SaslException:

Failure to initialize security context [Caused by GSSException: Invalid

name provided (Mechanism level: Could not load configuration file

C:\WINDOWS\krb5.ini (The system cannot find the file specified))]

at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)

at javax.security.sasl.Sasl.createSaslServer(Unknown Source)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:703)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:62)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:200)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :266)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:326)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused

by: GSSException: Invalid name provided (Mechanism level: Could not

load configuration file C:\WINDOWS\krb5.ini (The system cannot find the

file specified))

at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)

at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)

at sun.security.jgss.GSSNameImpl.init(Unknown Source)

at sun.security.jgss.GSSNameImpl.<init>(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)

… 20 more


After configuring Spark to use SSO it recogonizes the logged in username and the loading circle goes around a few times before prompting the message box "Unable to connect using Single Sign-On. Please check your principal and server settings.


After looking at the warn logs it made me realize I needed to put a krb5.ini on the OpenFire server, so I did so

C:\Windows\krb5.ini (not positve I set this up correctly, dell-dc is a domain controller so I’m assuming i set KDC to it?)


default_realm = AD.MCBRIDEANDSON.COM

AD.MCBRIDEANDSON.COM {

kdc = dell-dc.ad.mcbrideandson.com

admin_server = dell-dc.ad.mcbrideandson.com

default_domain = ad.mcbrideandson.com

}

ad.mcbrideandson.com = AD.MCBRIDEANDSON.COM

.ad.mcbrideandson.com = AD.MCBRIDEANDSON.COM


This is the output that the OpenFire Server Console Gives Me


Openfire 3.3.2

Admin console listening at:

http://pepper:9090

https://pepper:9091

Index opened.

Index thread started.

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

authentication failed

Cannot get kdc for realm AD.MCBRIDEANDSON.COM

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

authentication failed

Cannot get kdc for realm AD.MCBRIDEANDSON.COM


Here is the Warn Log from OpenFire after I attempted to logon with Spark via SSO (Cleared Before Logon Attempt, Copied Log Immediatly After)


at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:703)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:62)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:200)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :266)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:326)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)

… 20 more

Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm AD.MCBRIDEANDSON.COM

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$5.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)

at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

… 26 more

Caused by: KrbException: Cannot get kdc for realm AD.MCBRIDEANDSON.COM

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbAsReq.send(Unknown Source)

at sun.security.krb5.Credentials.sendASRequest(Unknown Source)

at sun.security.krb5.Credentials.acquireTGT(Unknown Source)

… 42 more