SSO stopped working today

SSO was working fine for about 2 weeks now and suddenly it stopped working today. The only thing I did was install spark 2.5.8 beta 1 on my box but that is about it and I really can’t blame that. Other than that I haven’t touched the Openfire server.

I am running OpenFire 3.3.3 on a Windows 2003 server using an MSSQL database

I run mostly spark 2.5.7 and the one 2.5.8 beta 1

Here is the warning from OpenFire. Hopefully someone can take a look at this and tell me what went wrong… Something changed… just not sure what.

Thanks

2007.10.10 14:39:54 SaslException
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:232)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:176)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
… 18 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
… 21 more


The error says it cannot decrypt the key, which could mean a few things:

  • The account used to create the server keytab was modified in some way, invalidating the keytab.

  • A new user is attempting to log in, and that user was created with different options (i.e. a new encryption type).

  • Your Java version got switched out, and it doesn't support the encryption type.

Turn on debugging in your gss.conf and check the stdout log, it might give more clues, like if it is having trouble with the server or client key.
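The error text names the encryption type the client's ticket was issued with ("DES CBC mode with MD5", Kerberos enctype 3), while the stdout debug output posted later in the thread shows the keytab holding a key with keyType=23 (rc4-hmac). A quick way to confirm that kind of mismatch is to read the keytab and list which enctypes it actually holds for the service principal. The script below is an added example, not code from the thread or from Openfire: it builds a constructed MIT v2 keytab for the thread's principal (made-up key bytes, key version 1, enctype 23 as in the debug output), parses it back, and reports whether a ticket of a given enctype could be decrypted. The `build_keytab`, `parse_keytab` and `diagnose` names are the example's own.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption-type numbers (RFC 3961/3962/4757) that matter for this diagnosis
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes

def _counted(raw: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for the realm and name components."""
    return struct.pack(">H", len(raw)) + raw

def build_keytab(entries):
    """Serialise entries in MIT keytab v2 (magic 0x0502) layout; used here to construct test input."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)               # name type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)               # timestamp (constructed: 0)
        body += struct.pack(">B", e.kvno & 0xFF)   # 8-bit key version
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)          # optional 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return out

def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return the KeytabEntry list from a v2 keytab; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 8                     # skip 32-bit name type and 32-bit timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # 32-bit kvno present: it overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries

def enctypes_for(entries, principal):
    return {e.enctype for e in entries if e.principal == principal}

def diagnose(entries, principal, ticket_enctype):
    """Explain whether this keytab could decrypt a service ticket of the given enctype."""
    have = enctypes_for(entries, principal)
    name = ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype))
    if not have:
        return f"no keytab entry for {principal}; the keytab needs to be regenerated"
    if ticket_enctype in have:
        return "ok"
    have_names = ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in sorted(have))
    return (f"ticket uses {name} ({ticket_enctype}) but the keytab for {principal} "
            f"only holds {have_names}; the KDC and the keytab disagree on enctype")

# Constructed sample: the principal and key version from the thread, one rc4-hmac (23)
# entry as the debug output shows; the key bytes are made up and are not a real key.
SERVICE_PRINCIPAL = "xmpp/tdmi-jabber.tdmi.net@TDMI.NET"
SAMPLE_ENTRIES = [KeytabEntry(SERVICE_PRINCIPAL, kvno=1, enctype=23, key=bytes(range(16)))]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)   # on a real server: open(path, "rb").read()
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    # The thread's error names "DES CBC mode with MD5", i.e. enctype 3
    print(diagnose(entries, SERVICE_PRINCIPAL, 3))
```

Against the constructed keytab, `diagnose(entries, SERVICE_PRINCIPAL, 3)` reports that the ticket uses des-cbc-md5 while the keytab only holds rc4-hmac, which is the situation the second and third bullets above describe: either the account or the clients now negotiate a different enctype than the one the keytab was generated with, or the JVM doing the decryption no longer supports it. The same check also catches a key version (kvno) that no longer matches the account after a password reset, the first bullet's case.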

hmmmm, sorry I didn't get back to this sooner… I took a vacation day yesterday.

anyways thanks for helping… I am using Openfire 3.3.3 with the included Java… so is there a way that could get changed on it? I got the debugging on and here is what the stdout.log looks like. It seems to be working… I think… Hopefully this gives more clues to my current problem. I tried logging in again after I rebooted the whole server and I still have troubles using SSO. My username always worked and now it doesn't so I don't think it has anything to do with a new user logging in, unless I am misunderstanding something. I can always try to generate a new keytab to see if that fixes things… seems like since it doesn't work it can't hurt

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/tdmi-jabber.tdmi.net@TDMI.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

principal is xmpp/tdmi-jabber.tdmi.net@TDMI.NET

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: (some hex numbers)

Added server's key
Kerberos Principal xmpp/tdmi-jabber.tdmi.net@TDMI.NET
Key Version 1
key EncryptionKey: keyType=23 keyBytes (hex dump)= (some hex numbers here)

added Krb5Principal xmpp/tdmi-jabber.tdmi.net@TDMI.NET to Subject

Commit Succeeded

3859 pool-10-thread-1:( org.red5.server.MainServlet.contextInitialized ) Startup done in: 3859 ms

The more I look at it… maybe I just fooled myself into thinking it worked… it seems if you have the password field filled in and then switch to SSO it will log in, giving you a false sense of accomplishment. I find if I delete the password and then do the SSO trick it doesn't work so maybe I never had it set up correctly… ugh… well try and try again I guess.