SSO Setup Problems

Openfire Openfire Support
1

I am trying to setup SSO and can’t get it working at all really. My setup is openfire is installed on a linux machine that is not joined to the domain. my kerberos realm is windows AD. I guess my first question is does the linux machine have to be joined to the domain and openfire running as the user that the keytab is created for?

my second question relates to the documentation, this part confuses me a little:

ktpass -princ xmpp/zeus.example.com@EXAMPLE.COM -mapuser xmpp-zeus.example.com -pass password -out jabber.keytab the only part I have a problem with the is the xmpp after -princktpass -princ xmpp/

I don’t understand what that is a reference to, the rest of it makes sense.

I have setup it up based on this link http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos

after adding the extra parts to the openfire.xml file, I start up openfire and it acts like its a brand new install. shut openfire down and remove those new parts and start it back up and it is back to normal. I am doing this on a test server so I am not afraid of breaking things.

Any help is appreciated.

2

I’m not sure if the machine has to be added to the domain, but when I tried without adding ktpass wasn’t working and when I did , it worked.

As for openfire running as user keytab is created for, its not required. I created a separate user for the keytab but my openfire process runs as daemon user.

If you can tell us the exact errors you get, maybe we can help you more

3

I believe this was my problem. copy and paste into VI omitted a couple of characters. I made some adjustments and its working now. I will come back if I run into more problems.

Thanks.

4

so I got sso working on my test server and then thought I was ready to go on my new server. I used setspn on active directory to delete existing spn bindings for the user and then created a new keytab. I have already done this with the test server and recreated the keytab and it worked fine. Now when I add the SSO stuff to my live server it doesn’t work. Also, nothing shows up in the openfire logs to say why it won’t log me in using sso. I use tcpdump to verify that the connection is even leaving my client, and it is and the request comes to the live server. nothing gets logged on the server regarding sso. the client does have this error though in the warn.log file and it doesn’t mean much to me:

Mar 16, 2008 10:18:57 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

not-authorized(401)

at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication .java:94)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 227)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

The only differences are my test server is 3.4.5 and my live server is 3.3.1. if you would like to see my openfire.xml just let me know.

edit

this is now what I am seeing in my openfire logs:

2008.03.16 23:26:52 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:95)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:67)

at javax.security.sasl.Sasl.createSaslServer(Sasl.java:491)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:703)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:62)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:200)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :266)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:326)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 885)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)

at java.lang.Thread.run(Thread.java:619)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.ja va:87)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.jav a:111)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)

at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:78)

… 19 more

Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginMod ule.java:696)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja va:25)

at java.lang.reflect.Method.invoke(Method.java:597)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)

at javax.security.auth.login.LoginContext.login(LoginContext.java:575)

at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)

at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)

at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.ja va:79)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.ja va:79)

… 25 more

Caused by: KrbException: KDC has no support for encryption type (14)

at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)

at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)

at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)

at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)

avax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:95)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:67)

at javax.security.sasl.Sasl.createSaslServer(Sasl.java:491)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)