I’d love any advice or expertise on this situation. We’re implementing Openfire here using Windows AD LDAP as the back end for it and haven’t had any real trouble other than the occasional problem with users logons where someone has to log into Spark multiple times before it actually takes their UN/PW. I’ve never seen this for my own account, personally, but I have been there in person when at least 3-4 other users have had the issue. It’s also been reported to me many other times.
On the above, it’s not the same users all the time, and it’s not on the same machines all the time. It can be any machine, any user at any time of day. We only use Spark 2.5.8 and all machines are Windows XP Pro. When the logon fails Spark gives the error “Invalid user name or password.”
We have quite a few staff PCs that are wireless, but I’ve ruled that out as a source of the problem because the issue also happens on wired machines, and other network services were working at the time of the logon failures. I suspect a Windows 2003 DC that was added at an external location may be the trouble. Our two regular DCs are here in the same building with all other machines, but our overall organization needed to add the 2003 DC in order to accommodate Exchange 2007 at another location. I’d guess that it’s an authentication issue where the PCs might be using the 2007 DC as a logon server and thus getting timed out.
Any suggestions or info?
Check for duplicate IPs and multiple entries for the server in DNS.
Unfortunately, that’s not the issue. Only single entries in DNS.
When looking at the “warn.log” file in Openfire’s log directory, I see the following after a failed attempt:
“Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: username”
I find this error whether the issue deals with a correctly entered user name or an incorrectly entered one. I’ve tried both ways and see failed logon attempts with both correct and incorrect user names.
It’s easy to think it’s just users failing to enter their password correctly, but I’ve sat there looking over users’ shoulders when logging on and had them type out their password in a place where they can see the entirety of what they type and had them copy and paste that into the password field in Spark. I’ve then seen the same user have to do this 6-7 more times, with the final one working with no changes to the logon: just hitting the logon button over and over with the same info entered and it finally just takes it. I had someone try between 12-15 times this morning before it finally let them on.
It’s definitely not a connectivity issue between Spark and Openfire because the requests are getting there. Warn.log shows the failures against LDAP. So, I’d make a guess at something funky in the way Openfire deals with Windows LDAP, but given that there are also a number of users here who have never once seen the problem (myself included) for their own logon, I’m completely baffled.
I’m now trying to gather a list of those who have never had a problem and those who do have lots of problems with it and see if I can find some common ground in these two groups. I’m just grasping at straws at this point, to be honest.
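The warn.log line quoted above is enough to do the comparison mechanically rather than by asking users. The following is an added example, not code from the thread or from the Openfire project: it parses SASL PLAIN "user not authorized" entries, groups each user's failures into retry bursts (several failures within a short window, which is what repeatedly hitting the logon button with the same credentials looks like), and separates those from one-off failures and from usernames that do not exist in the directory at all. The timestamp layout of the sample lines, the 120-second burst window and the list of known accounts are all assumptions; adjust the regular expression to match the real warn.log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of warn.log content. The "YYYY.MM.DD HH:MM:SS" prefix is an
# assumption about the log layout; only the SaslException text comes from the thread.
SAMPLE_LOG = """\
2009.03.10 08:15:02 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: jsmith
2009.03.10 08:15:09 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: jsmith
2009.03.10 08:15:15 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: jsmith
2009.03.10 08:42:51 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: bogususer
2009.03.10 09:03:20 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: mjones
2009.03.10 09:03:27 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: mjones
2009.03.10 13:58:10 Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: jsmith
"""

# Constructed stand-in for the list of accounts that exist in AD (e.g. exported from dsquery).
KNOWN_USERS = {"jsmith", "mjones"}

FAIL_RE = re.compile(
    r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) .*PLAIN: user not authorized: (\S+)"
)


def parse_failures(text):
    """Return a list of (timestamp, username) for every SASL PLAIN failure line."""
    failures = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            failures.append((ts, m.group(2)))
    return failures


def retry_bursts(failures, window_seconds=120):
    """Group each user's failures into bursts: consecutive failures no more than
    window_seconds apart count as one logon attempt being retried.
    Returns {username: [burst_size, ...]} in chronological order."""
    by_user = defaultdict(list)
    for ts, user in failures:
        by_user[user].append(ts)

    bursts = {}
    for user, times in by_user.items():
        times.sort()
        sizes, count = [], 1
        for prev, cur in zip(times, times[1:]):
            if (cur - prev).total_seconds() <= window_seconds:
                count += 1          # still the same retry sequence
            else:
                sizes.append(count)  # gap too large: close the burst
                count = 1
        sizes.append(count)
        bursts[user] = sizes
    return bursts


def summarize(text, known_users, window_seconds=120):
    """Per-user view: total failures, burst sizes, worst burst, and whether the
    account exists at all (a failure for an unknown name is just a typo)."""
    failures = parse_failures(text)
    bursts = retry_bursts(failures, window_seconds)
    return {
        user: {
            "failures": sum(sizes),
            "bursts": sizes,
            "max_burst": max(sizes),
            "in_directory": user in known_users,
        }
        for user, sizes in bursts.items()
    }


def users_with_retry_bursts(summary, min_burst=2):
    """Accounts that exist in the directory and show at least one retry burst:
    the group that keeps failing and finally gets in after repeated attempts."""
    return sorted(
        u for u, s in summary.items()
        if s["in_directory"] and s["max_burst"] >= min_burst
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, KNOWN_USERS)
    for user, s in sorted(summary.items()):
        print(f"{user:12} failures={s['failures']} bursts={s['bursts']} "
              f"known={s['in_directory']}")
    print("repeated-failure accounts:", users_with_retry_bursts(summary))
```

Run it against the real warn.log (`summarize(open("warn.log").read(), known_users)`) with the account list exported from AD; the accounts that show bursts form the "has problems" group, and comparing that group against the accounts that never appear gives the same two lists the post describes without relying on user reports. Cross-referencing burst timestamps with the output of `%logonserver%` on the affected machine at that time is the natural next step.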
Windows machines should default to authentication against the nearest DC. You can find out what DC they are authenticating to by entering %logonserver% in the run command. This may help you track the issue.