SSO with Openfire 3.3.1 and spark 2.5.3b1

I am trying to configure openfire and spark for SSO. My openfire 3.3.1 server is running on windows, Spark 2.5.3b1 is also windows. Authentication is via Active Directory.

I have installed the SASL in my Openfire 3.3.1 on Windows server. I think it is configured correctly, but I still cannot log in via SSO. Regular login methods still work fine. The users all use Spark on Windows, and the server is also on Windows. I am at a loss here. This is my new openfire.xml:


cn
mail
cn
member
description
false
(objectClass=group)
org.jivesoftware.openfire.ldap.LdapVCardProvider
org.jivesoftware.openfire.ldap.LdapUserProvider
org.jivesoftware.openfire.ldap.LdapAuthProvider
org.jivesoftware.openfire.ldap.LdapGroupProvider
org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy
true
true

This is my openfire error log:

    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2007.05.17 07:37:10 [org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:679)]
java.lang.NullPointerException
    at org.jivesoftware.openfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:670)
    at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroup(LdapGroupProvider.java:99)
    at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:184)
    at org.jivesoftware.openfire.group.GroupCollection$UserIterator.getNextElement(GroupCollection.java:102)
    at org.jivesoftware.openfire.group.GroupCollection$UserIterator.hasNext(GroupCollection.java:65)
    at org.jivesoftware.openfire.roster.RosterManager.hasMutualVisibility(RosterManager.java:862)
    at org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:132)
    at org.jivesoftware.openfire.roster.RosterManager.getRoster(RosterManager.java:92)
    at org.jivesoftware.openfire.handler.PresenceUpdateHandler.broadcastUpdate(PresenceUpdateHandler.java:257)
    at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:100)
    at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:88)
    at org.jivesoftware.openfire.handler.PresenceUpdateHandler.process(PresenceUpdateHandler.java:151)
    at org.jivesoftware.openfire.PresenceRouter.handle(PresenceRouter.java:123)
    at org.jivesoftware.openfire.PresenceRouter.route(PresenceRouter.java:69)
    at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:75)
    at org.jivesoftware.openfire.net.StanzaHandler.processPresence(StanzaHandler.java:306)
    at org.jivesoftware.openfire.net.ClientStanzaHandler.processPresence(ClientStanzaHandler.java:85)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:231)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:153)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

This is the Openfire debug log when Spark tries to connect with SSO:

2007.05.17 08:54:43 Trying to find a user's DN based on their username. sAMAccountName: johnd, Base DN: OU=accounts,DC=ad,DC=*********,DC=com...
2007.05.17 08:54:43 Creating a DirContext in LdapManager.getContext()...
2007.05.17 08:54:43 Created hashtable with context values, attempting to create context...
2007.05.17 08:54:43 ... context created successfully, returning.
2007.05.17 08:54:43 Starting LDAP search...
2007.05.17 08:54:43 ... search finished
2007.05.17 08:54:43 In LdapManager.checkAuthentication(userDN, password), userDN is: CN="John Doe",OU="IS",OU="Users"...
2007.05.17 08:54:43 Created context values, attempting to create context...
2007.05.17 08:54:43 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:456)
    at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:98)
    at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:149)
    at org.jivesoftware.openfire.net.SASLAuthentication.doPlainAuthentication(SASLAuthentication.java:444)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:202)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I am now using Spark 2.5.3 final release and still cannot get SSO to work with the Openfire server. To recap, all our components are:

Spark 2.5.3 for Windows

Openfire 3.3.1 on Windows XP Pro

Any help would be appreciated. If a step by step is available even better.

SSO is very new to Spark, and though it's been in Openfire for a while now it was implemented with Unix in mind. That said, it does work on Windows, but there is no step-by-step guide that will work for everyone. But this might come close:

http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos

It ties together some documentation I wrote with the experiences a few others have had.

But off the bat here are a few tips for you:

Install the Windows Resource Kit to get the klist.exe command. That will help you debug problems.

Your realm looks odd to me. Maybe you are just obscuring it, but generally the realm is based off some DNS entry, and will have one or more dots in it. That's not an absolute rule, though.

In the mechs list, you need GSSAPI, not NTLM. The support in Spark and Openfire is for GSSAPI. There is a third-party patch for Openfire that will do NTLM, but that's a whole separate thing.

Debugging can get really messy with this. Sometimes the easiest way to do it is to disable all SSL and use tcpdump (or WinDump, or some other TCP packet capture tool) and watch the exchange.

Oh- one other thing. The provider names change from 3.3.0 to 3.3.1. Change

org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy

to

org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy

These will change again in the future, as the logic behind them in the current versions is not very good.

Hi SP... we've got a strange problem with SSO and can't seem to get it to work... except for one user account on one box. It seems I can only get SSO to work when I log onto the Openfire server itself as jadmin (jadmin is both a domain administrator and an Openfire administrator account). When I log into the Openfire server desktop and launch Spark 2.5.3 with SSO, it works. However, when I log onto any other box (workstation, other servers) using the jadmin domain administrator account, SSO does not work. I'm thinking there is something seriously wrong with my setup. Might it have something to do with the fact my JIDs are user@mydomain.com while my internal FQDN is different?

I've read the following posts and tried to understand them as best as I could:

http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos

http://www.igniterealtime.org/forum/thread.jspa?threadID=26606&tstart=375

http://www.igniterealtime.org/forum/thread.jspa?messageID=148242&#148242

I am not using the startup BAT files referenced in one of the posts; should I be? I'm also not sure if I need SRV records or how to go about ensuring they are correct.

Here's our setup:

  • Openfire 3.3.1 on Windows Server 2003 SP2 domain member, host name: jhost.mydomain.NET

  • Openfire configured Server Name: jabber.mydomain.COM

  • Spark 2.5.3 client on Windows Server 2003 SP2 Terminal Server (domain member)

  • Openfire using LDAP to Active Directory

  • Openfire running as Windows service under domain account: mydomain.net\openfire

  • Openfire host server and all client machines have JRE 6 installed with JCE

  • Created keytab file using ktpass util, version 5.2.3790.3959:

ktpass -princ xmpp/jhost.mydomain.net@MYDOMAIN.NET -mapuser openfire@mydomain.net -pass xxxxxxxx -out jabber.keytab

  • Is the WARNING and KRB5_NT_UNKNOWN normal? :

    Targeting domain controller: kdcserv.mydomain.net
    Using legacy password setting method
    Successfully mapped xmpp/jhost.mydomain.net to openfire.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to jabber.keytab:
    Keytab version: 0x502
    keysize 81 xmpp/jhost.mydomain.net@MYDOMAIN.NET ptype 0 (KRB5_NT_UNKNOWN) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x16e4e111f29a8fa04d8bf546fafe5919)

  • When I run "klist tickets" I see (not xmpp/jhost.mydomain.net ?):

    Server: host/jhost.mydomain.net@MYDOMAIN.NET
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 6/17/2007 3:16:13
    Renew Time: 6/17/2007 3:16:13

  • Created PTR record for jhost.mydomain.net in DNS

  • Set “openfire” domain account to “User cannot change password”

  • Set “openfire” to enable “Password never expires”

  • Set “openfire” to enable “Use DES encryption types for this account”

  • Set “openfire” delegation to “Trust this user for delegation to any service (Kerberos only)”

  • After running ktpass, “openfire” account “User logon name” was set to: xmpp/jhost.mydomain.net

  • I checked NTFS file perms for "openfire" domain account access to jabber.keytab file on Openfire host and they're good

  • I updated the registry on the Spark terminal server: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters allowtgtsessionkey (1)

  • Here is my gss.conf file:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files/Openfire/conf/jabber.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="MYDOMAIN.NET"
        principal="xmpp/jhost.mydomain.net@MYDOMAIN.NET"
        debug=true;
    };

  • I added the

  • And still, I can use SSO with the jadmin user account if I log directly into the host running Openfire and launch Spark from there. Oddly enough though, SSO does not work on the same host using a typical domain user account.

  • On any host I can still log in with jadmin or any standard domain user by using spark and standard username/password entry.
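An added configuration check (not code from this thread or from Openfire) that applies SP's tips above, GSSAPI rather than NTLM in the mechs list, a dotted upper-case realm, and the 3.3.1 LooseAuthorizationPolicy class name, and cross-checks them against a gss.conf in the layout ishmell posted. The openfire.xml element names are assumed from Openfire 3.3's documented sasl.* properties, since the tags in the original post did not survive; both input fragments are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed openfire.xml fragment with the settings SP's reply flags: NTLM in
# the mechs list, a realm without a dot, and the 3.3.0 authorization class name.
# Element names follow Openfire 3.3's documented sasl.* properties (assumed).
WEAK_XML = """<jive><sasl>
  <mechs>NTLM,PLAIN</mechs>
  <realm>MYDOMAIN</realm>
  <authorization><classList>org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy</classList></authorization>
</sasl></jive>"""
# The same fragment with each of the three settings corrected.
FIXED_XML = WEAK_XML.replace("NTLM,PLAIN", "GSSAPI,PLAIN").replace(
    "<realm>MYDOMAIN<", "<realm>MYDOMAIN.NET<").replace("Strict", "Loose")

# Constructed gss.conf in the JAAS layout ishmell posted (straight quotes).
GSS_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true keyTab="C:/Program Files/Openfire/conf/jabber.keytab"
  doNotPrompt=true useKeyTab=true realm="MYDOMAIN.NET"
  principal="xmpp/jhost.mydomain.net@MYDOMAIN.NET" debug=true;
};"""

def parse_gss_conf(text):
    """Return the key=value options of a JAAS login entry as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', text)}

def check_sso_config(openfire_xml, gss_conf):
    """Return a list of findings; an empty list means every check passed."""
    sasl = ET.fromstring(openfire_xml).find("sasl")
    mechs = [m.strip().upper() for m in sasl.findtext("mechs", "").split(",")]
    realm = sasl.findtext("realm", "").strip()
    classes = sasl.findtext("authorization/classList", "").split()
    gss = parse_gss_conf(gss_conf)
    findings = []
    if "GSSAPI" not in mechs:
        findings.append("mechs lacks GSSAPI; Spark/Openfire SSO does not use NTLM")
    if "." not in realm or realm != realm.upper():
        findings.append("realm should be the upper-case Kerberos realm, e.g. MYDOMAIN.NET")
    if any(c.endswith(".StrictAuthorizationPolicy") for c in classes):
        findings.append("classList uses the 3.3.0 name; 3.3.1 expects LooseAuthorizationPolicy")
    service, _, princ_realm = gss.get("principal", "").partition("@")
    if not service.startswith("xmpp/"):
        findings.append("gss.conf principal should be the xmpp/<host> SPN created with ktpass")
    if princ_realm != realm:
        findings.append(f"gss.conf principal realm {princ_realm!r} != sasl realm {realm!r}")
    if gss.get("useKeyTab") != "true" or not gss.get("keyTab"):
        findings.append("gss.conf must set useKeyTab=true and point keyTab at the keytab")
    return findings
```

Running check_sso_config on WEAK_XML reports four findings (the three SP named plus the realm mismatch against gss.conf they cause); on FIXED_XML it reports none.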

ishmell,

Please post a new thread with your question.