SSO with OpenFire on Solaris & AD

All,

I’ve followed all the directions that I can find and spent time combing the forums and I can’t find the answer to this problem. I’m running OpenFire 3.3.3 on Solaris 8, Spark 2.5.7 on Windows XP. AD is running on Windows2003.

Here’s the important portions of my openfire.xml:

  <sasl>
    <mechs>GSSAPI</mechs>
    <realm>XX.EXAMPLE.COM</realm>
    <gssapi>
      <debug>true</debug>
      <config>/opt/openfire/conf/gss.conf</config>
      <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
  </sasl>
  <provider>
    <authorization>
      <classList>org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
    </authorization>
  </provider>
</jive>

Here’s my gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/conf/openfire.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="XX.EXAMPLE.COM"
    principal="xmpp/openfire.example.com@XX.EXAMPLE.COM"
    debug=true;
};

So, you can see that one interesting thing is that the AD domain has an additional part to it (“XX”), whereas our UNIX DNS addresses do not.

Here’s what I see in the stdoutt.log:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is xmpp/openfire.example.com@XX.EXAMPLE.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

principal is xmpp/openfire.example.com@XX.EXAMPLE.COM

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FD D1 24 65 2E 11 0C 2B 81 D3 16 CB DA 71 0D A9 …$e…+…q…

Added server’s keyKerberos Principal xmpp/openfire.example.com@XX.EXAMPLE.COMKey Version 7key EncryptionKey: keyType=23 keyBytes (hex dump)=

0000: FD D1 24 65 2E 11 0C 2B 81 D3 16 CB DA 71 0D A9 …$e…+…q…

added Krb5Principal xmpp/openfire.example.com@XX.EXAMPLE.COM to Subject

Commit Succeeded

And here’s the error in the warn.log:

2007.10.10 13:10:38 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
    at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:220)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:176)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
    ... 20 more

Can anyone help?

Thanks,

Brian
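
A check one could run over a gss.conf like the one in the post above before starting the server. This is an added example, not part of the original thread and not Openfire code: `parse_jaas`, `lint_acceptor` and the sample text are hypothetical names and constructed input, and the `realm` option is treated only as it is used in the posted file.

```python
import re

# Constructed sample: the post's gss.conf entry with a realm mismatch introduced for the demo.
SAMPLE = '''
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/opt/openfire/conf/openfire.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="EXAMPLE.COM"
    principal="xmpp/openfire.example.com@XX.EXAMPLE.COM"
    debug=true;
};
'''
ENTRY = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.S)
OPTION = re.compile(r'(\w+)\s*=\s*("[^"\n]*"|[^\s;"]+)')

def parse_jaas(text):
    """Return {entry name: {option: value}} for each JAAS login entry."""
    return {name: {k: v.strip('"') for k, v in OPTION.findall(body)}
            for name, body in ENTRY.findall(text)}

def lint_acceptor(text, entry="com.sun.security.jgss.accept"):
    """Return a list of findings for a Krb5LoginModule acceptor entry."""
    findings = []
    if re.search('[\u201c\u201d]', text):
        findings.append("typographic quotes found; use plain double quotes")
    if any(line.count('"') % 2 for line in text.splitlines()):
        findings.append("unbalanced double quote on a line")
    opts = parse_jaas(text).get(entry)
    if opts is None:
        return findings + ["entry %s not found" % entry]
    if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
        findings.append("acceptor needs useKeyTab=true and a keyTab path")
    if opts.get("storeKey") != "true":
        findings.append("storeKey=true is needed to keep the key in the Subject")
    m = re.fullmatch(r'[^/@]+/[^/@]+@([^@]+)', opts.get("principal", ""))
    if not m:
        findings.append("principal is not of the form service/host@REALM")
    elif opts.get("realm", m.group(1)) != m.group(1):
        findings.append("realm %s differs from principal realm %s"
                        % (opts["realm"], m.group(1)))
    if opts.get("debug") == "true":
        findings.append("debug=true writes key bytes to the log")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_acceptor(SAMPLE)))
```

The last finding reflects what the stdout log in the post shows: with debug=true the login module prints the service key's bytes, so the setting belongs off once troubleshooting is done.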

Does the client have any messages in its error logs? It almost sounds like the client isn't sending correct credentials. Also, what version of Java are you running on the server?

Hmmm…do you mean the two files that are located under c:\program files\spark\logs?

Here’s “error”:

Oct 11, 2007 10:18:40 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

Here’s “output” (security related things changed):

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is username@XX.EXAMPLE.COM

Commit Succeeded

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is username@XX.EXAMPLE.COM

Commit Succeeded

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is username@XX.EXAMPLE.COM

Commit Succeeded

This doesn’t look right…that’s not what the principal should be, should it? I don’t have any krb.ini configured on the client - do I need that?

Thanks,

Brian

Sorry - Forgot to include the version of Java:

java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode, sharing)

Thanks,

Brian

On the server, have you tried using Native GSS libraries? Linux and Solaris have this as an option in Java 6, and it might help you out here. Modify the startup script to add the parameter -Dsun.security.jgss.native=true to the java command that starts Openfire.

Information is about halfway through this article:

http://java.sun.com/developer/technicalArticles/J2SE/security/