SSO will not work

Hi,

We have a problem setting up SSO with Openfire 3.6.2 on Windows 2003 within a Windows network infrastructure.

The Openfire logs don't show anything that is associated with SSO.

The Jabber client is Spark. I have all the settings done for SSO, but I keep getting this in the error log from Spark:

24.11.2008 11:49:15 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:75)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:194)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Identifier doesn't match expected value (906))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 9 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.PAData.<init>(Unknown Source)
at sun.security.krb5.internal.KRBError.<init>(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 12 more

Does somebody have an idea what's wrong?

Can you specifically say what you did to enable SSO?

Hi,

I did the following:

  1. Created a Kerberos XMPP SPN

  2. Mapped the Kerberos SPN to the user

  3. Created the keytab file with the Java tool (tried Windows too)

  4. Created the gss.conf:

       com.sun.security.jgss.accept {
           com.sun.security.auth.module.Krb5LoginModule
           required
           storeKey=true
           keyTab="C:/Openfire/resources/xmpp.keytab"
           doNotPrompt=true
           useKeyTab=true
           realm="DOMAIN.NET"
           principal="xmpp/HOST.SERVER.NET@DOMAIN.NET"
           debug=true;
       };

  5. Created a krb5.ini and copied it to the Windows directory:

       [libdefaults]
       default_realm = REALM.NET
       default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

       [realms]
       BTWORLD.NET = {
       kdc = dc.realm.net
       admin_server = dc.realm.net
       default_domain = REALM.NET
       }

       [domain_realm]
       domain.com = REALM.NET
       .domain.com = REALM.NET

Configured the FQDN in Openfire…

Do you need any other information?

This is my guide to the process I used: http://www.igniterealtime.org/community/docs/DOC-1616 Depending on the security of your AD you may have to change it a bit. The steps you are missing are the addition of the SASL code to openfire.xml and the addition of the registry settings to the clients.

OK, I forgot to mention these two steps.

But I have done everything as described in this tutorial: http://www.igniterealtime.org/community/docs/DOC-1362

The steps are very similar to your tutorial.

I additionally edited spark.properties and added the following:

xmppHost=host.realm.net
ssoKDC=DC.realm.net
timeout=10
proxyEnabled=false
windowTakesFocus=false
debuggerEnabled=false
ssoRealm=REALM.NET
timeDisplayed=true

But with no success…

The strange thing with the SASL part in openfire.xml is that once I started the server, my pasted config code was gone. But in the web admin console the settings seem OK to me. Is that normal?

Tried your hint to generate the keytab file and got this message:

WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to jabber.keytab:
Keytab version: 0x502
keysize 70 xmpp/HOST.REALM.NET@REALM.NET ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xd674041aa42c7b3b0c8ace5d7831ce1c)

Tried it anyway, but still no success…

Tried to go completely through your tutorial, but still… no success…

SPARK LOG:

25.11.2008 13:13:41 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

These are the raw sent packets from Spark:

<stream:stream to="host" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<stream:stream to="host.realm.net" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
username
usernameTMHD

Received Packets:

<?xml version='1.0' encoding='UTF-8'?>

stream:featuresGSSAPIzlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>**GSSAPI**zlib

username
usernameTMHD

I have marked the interesting things…

Why am I not authorized???
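Added example (not from this thread, and not Openfire, Spark or ktpass code): a small pure-Python keytab reader plus the checks that decide whether Openfire's JAAS acceptor can use the keytab at all. The ktpass output above shows ptype 0 (KRB5_NT_UNKNOWN), vno 2 and an RC4-HMAC key; the checks below compare the principal, the name type (a user-account SPN is normally written with /ptype KRB5_NT_PRINCIPAL), the kvno against what the AD account currently holds (its msDS-KeyVersionNumber attribute), and the RC4-HMAC key against the account password, since for etype 23 the key is just MD4 of the UTF-16LE password. The sample keytab, the principal name and the placeholder password "password" are constructed here and are assumptions, not the poster's data.

```python
# Added example, not from the thread: parse a 0x502 keytab and check principal,
# name type, kvno and RC4-HMAC key against what the AD account is expected to hold.
# The sample keytab below is constructed in memory; "password" is a placeholder.
import struct

KRB5_NT_UNKNOWN, KRB5_NT_PRINCIPAL = 0, 1
ETYPE_RC4_HMAC = 23
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 16: "DES3-CBC-SHA1",
               17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, _rol((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, _rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = [(v + w) & 0xFFFFFFFF for v, w in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)

def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC (etype 23) key = MD4(UTF-16LE(password)), i.e. the account's NT hash."""
    return md4(password.encode("utf-16-le"))

def _cstr(data, pos):  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries):
    """Write a version-0x502 keytab; entries are (principal, name_type, kvno, etype, key)."""
    out = b"\x05\x02"
    for principal, name_type, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Return one dict per entry of a version-0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:  # negative size marks a deleted slot: skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c)
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit one when nonzero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4]); kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type, "kvno": kvno,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, str(etype)), "key": key.hex()})
    return entries

def check_keytab(entries, expected_principal, expected_kvno, password=None):
    """List the mismatches that make a Kerberos acceptor reject tickets issued for this keytab."""
    problems = []
    for e in entries:
        if e["principal"] != expected_principal:
            problems.append("principal %s != %s" % (e["principal"], expected_principal))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("name type %d is not KRB5_NT_PRINCIPAL (ktpass /ptype KRB5_NT_PRINCIPAL)" % e["name_type"])
        if e["kvno"] != expected_kvno:
            problems.append("kvno %d in keytab, but the account is at kvno %d" % (e["kvno"], expected_kvno))
        if password is not None and e["etype"] == ETYPE_RC4_HMAC and e["key"] != rc4_hmac_key(password).hex():
            problems.append("RC4-HMAC key does not match the account password")
    return problems

# Constructed sample mirroring the ktpass output: ptype 0 (KRB5_NT_UNKNOWN), vno 2, RC4-HMAC.
SAMPLE_PRINCIPAL = "xmpp/HOST.REALM.NET@REALM.NET"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, KRB5_NT_UNKNOWN, 2, ETYPE_RC4_HMAC, rc4_hmac_key("password"))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL, 2, "password"))     # only the ptype warning
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL, 3, "newpassword"))  # stale keytab after a reset
```

To run it against a real file, replace SAMPLE_KEYTAB with open("xmpp.keytab", "rb").read() and pass the principal exactly as it appears in the JAAS config, the kvno read from the AD account, and (on a test account) the password; every password reset bumps the kvno, so a keytab cut before the reset will fail the kvno and key checks even though ktpass reported success.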

.:PUSH:.

No one has an idea?