Trying to use SSO (Windows environment)

I mentioned this one to you in a previous reply:

OK, I will make all the required changes to implement AES256 and I will tell you how the tests have gone.

List of things I have done:

  • Keytab user. I unchecked “this account supports 128-bit Kerberos AES encryption” option and checked “This account supports 256-bit Kerberos AES encryption”.
  • I recreated the keytab file running this command on the DC server:

ktpass -princ xmpp/myxmppserver.mydomain.local@MYDOMAIN.LOCAL -mapuser keytab@MYDOMAIN.LOCAL -crypto AES256-SHA1 -pass * -ptype KRB5_NT_PRINCIPAL -out C:\xmpp.keytab

And it returned:

Targeting domain controller: MYDC.mydomain.local
Successfully mapped xmpp/myxmppserver.mydomain.local to keytab.
Password successfully set!
Key created.
Output keytab to C:\xmpp.keytab:
Keytab version: 0x502
keysize 93 xmpp/myxmppserver.mydomain.local@MYDOMAIN.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x501c1ffe201c904a1873fbfb170907f1855f14bd6d01c8a4f315d93dda55d421)

Finally, I copied this file in the folder “C:\Program Files\Openfire\resources” on the Openfire server and restarted it.

And that’s when I tried to connect spark via SSO. It returned:

org.jivesoftware.smack.sasl.javax.SmackJavaxSaslException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:127)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:202)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:200)
at org.jivesoftware.smack.AbstractXMPPConnection.authenticate(AbstractXMPPConnection.java:897)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginInternal(XMPPTCPConnection.java:382)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:638)
at org.jivesoftware.gui.LoginUIPanel.login(LoginUIPanel.java:1273)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:124)
… 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 14 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getInitialTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 21 more

And when I ran spark as administrator, it returned:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:286)
at org.jivesoftware.smack.AbstractXMPPConnection.lambda$new$2(AbstractXMPPConnection.java:407)
at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.accept(NonzaCallback.java:177)
at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.access$200(NonzaCallback.java:166)
at org.jivesoftware.smack.NonzaCallback.onNonzaReceived(NonzaCallback.java:46)
at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessNonza(AbstractXMPPConnection.java:1440)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1700(XMPPTCPConnection.java:131)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1010)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:916)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:939)
at java.lang.Thread.run(Unknown Source)

Last but not least, this is the current Openfire log file.
openfire.log (629.3 KB)

I have seen this error in the Openfire log:

But the file exists in that folder:
[image]

Maybe I should use slash instead of backslash in sasl.gssapi.config property? With or without quotation mark?

I forgot to change the value of the property sasl.gssapi.config from “C:\Program Files\Openfire\conf\gss.conf” to “C:/Program Files/Openfire/conf/gss.conf” (with the quotation mark), but the openfire log returns now:

could be a bug, but long shot, check your file and folder permissions.

I don’t think so, because the folder was created during the installation process by the Spark MSI file and all those folders were added under Program Files.

Regarding my file, in Windows, when you copy a file, not move, it inherits permission of its parent.

Anyhow, and only temporarily, I will give Authenticated Users full control over the gss.conf file.

in your gss.conf,
make sure your slashes are correct. they should be like this
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"

you may just try recreating your gss.conf file from scratch in case it is a permissions or corruption issue…

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    debug=true
    realm="LAB.TEST"
    principal="xmpp/xmpp.domain.com";
};

here is mine for reference

All right, we are only going to use forward slashes, never backslashes, in spite of the fact that Windows only uses backslashes in its paths.

But, the first line of my gss.conf was:

com.sun.security.jgss.accept {

And now you tell me I must use this one:

com.sun.security.jgss.krb5.accept {

Is that right?

I’d use what I provided.

To summarize,

  • The property value of sasl.gssapi.config is:

C:/Program Files/Openfire/conf/gss.conf

Without quotation marks.

  • The gss.conf file is:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
isInitiator=false
realm="MYDOMAIN.LOCAL"
principal="xmpp/myxmppserver.mydomain.local"
debug=true;
};

Without @REALM in principal property.

Then, after configuring SSO with “Use DNS”, it returns:

org.jivesoftware.smack.sasl.javax.SmackJavaxSaslException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:127)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:202)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:200)
	at org.jivesoftware.smack.AbstractXMPPConnection.authenticate(AbstractXMPPConnection.java:897)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginInternal(XMPPTCPConnection.java:382)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:638)
	at org.jivesoftware.gui.LoginUIPanel.login(LoginUIPanel.java:1273)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:124)
	... 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 14 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication 
	at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	... 21 more

This happens whether I run Spark as administrator or not.

By the way, in both cases the following message appears in the SSO tab: “Spark is unable to find the principal to use for Single-Sign On. This will prevent SSO from working”.

By the way, after removing the quotation marks from the property value of sasl.gssapi.config, there are no more errors about: “java.lang.SecurityException: java.io.IOException: “C:\Program Files\Openfire\conf\gss.conf” (No existe tal archivo o directorio)”.
openfire.log (957.7 KB)

realm is required and is case sensitive. it should be in all caps
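As an added example (not Openfire, Spark or JDK code), here is a small Python script that ties the ktpass output earlier in the thread to the realm and principal advice just above: it builds a one-entry keytab in the 0x0502 layout that ktpass printed, parses it back without reading the key, and then checks a gss.conf section against it for the slips discussed in this thread (curly quotes, backslashes in keyTab, a lower-case or missing realm, and a principal, with or without @REALM, that has no matching keytab entry). The names are the thread's; the key bytes and the sample configs are constructed placeholders, and the 0x0502 layout assumed is the MIT keytab format.

```python
"""Cross-check a gss.conf JAAS section against the keytab it names.

Added example for this thread (not Openfire/Spark/JDK code). Assumes the MIT
keytab 0x0502 layout, which is the "Keytab version: 0x502" ktpass reported.
"""
import re
import struct

# Kerberos enctype numbers; 0x12 (18) is the AES256-SHA1 that ktpass reported.
ETYPE_NAMES = {17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
PLACEHOLDER_KEY = bytes(32)  # constructed 32-byte placeholder, never a real key


def _counted(data, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(principal, realm, vno, etype, key, name_type=1, timestamp=0):
    """Serialise one entry as keytab version 0x0502 (big-endian, 32-bit vno appended)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)  # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", vno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return one dict per entry (principal, realm, vno, etype); the key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:              # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, _timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen           # step over the key material without reading it
        if end - pos >= 4:        # optional 32-bit vno overrides the 8-bit one
            vno = struct.unpack(">I", data[pos:pos + 4])[0]
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm, "vno": vno, "name_type": name_type,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, hex(etype))})
    return entries


def parse_jaas_options(text):
    """Collect key=value options from a JAAS login section (values bare or double-quoted)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', text)}


def check_gss_conf(text, keytab_entries):
    """Return a list of findings; an empty list means the section agrees with the keytab."""
    findings = []
    if "\u201c" in text or "\u201d" in text:
        findings.append("curly quotes present; JAAS only understands straight double quotes")
        text = text.replace("\u201c", '"').replace("\u201d", '"')
    opts = parse_jaas_options(text)
    if "\\" in opts.get("keyTab", ""):
        findings.append("keyTab uses back-slashes; use forward slashes even on Windows")
    realm = opts.get("realm", "")
    if not realm:
        findings.append("realm option is missing")
    elif realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper-case")
    name, _, prealm = opts.get("principal", "").partition("@")  # @REALM suffix is optional
    if prealm and realm and prealm != realm:
        findings.append(f"principal realm {prealm!r} differs from realm option {realm!r}")
    if not any(e["principal"] == name and (not realm or e["realm"] == realm) for e in keytab_entries):
        findings.append(f"principal {name!r} in realm {realm!r} has no entry in the keytab")
    return findings


# Constructed sample: the thread's names, a placeholder key, kvno 8, enctype 18 (AES256).
SAMPLE_KEYTAB = build_keytab("xmpp/myxmppserver.mydomain.local", "MYDOMAIN.LOCAL", 8, 18, PLACEHOLDER_KEY)

GOOD_CONF = '''com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    useKeyTab=true
    realm="MYDOMAIN.LOCAL"
    principal="xmpp/myxmppserver.mydomain.local"
    debug=true;
};'''

# The same section with the three slips from the thread: back-slashes, lower-case realm, curly quotes.
BAD_CONF = (GOOD_CONF.replace("C:/Program Files/Openfire/resources/xmpp.keytab",
                              r"C:\Program Files\Openfire\resources\xmpp.keytab")
            .replace("MYDOMAIN.LOCAL", "mydomain.local").replace('"', "\u201c"))

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    print(entries)
    print("good:", check_gss_conf(GOOD_CONF, entries))
    print("bad:", check_gss_conf(BAD_CONF, entries))
```

Against a real deployment you would read `C:/Program Files/Openfire/resources/xmpp.keytab` and `conf/gss.conf` from disk instead of the constructed samples; the parser never returns the key material, so its output is safe to paste into a support thread, unlike the raw ktpass line.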

New test. My gss.conf is:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
isInitiator=false
realm="MYDOMAIN.LOCAL"
principal="xmpp/myxmppserver.mydomain.local@MYDOMAIN.LOCAL"
debug=true;
};

So, if I run Spark as administrator, the SSO tab displays:
[image]

After checking “Use Single Sign-On (SSO) via GSSAPI” and selecting “Use DNS”, the login window looks like this:
[image]

Then, when I enter the domain name in the textbox and click the login button, it returns:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:286)
	at org.jivesoftware.smack.AbstractXMPPConnection.lambda$new$2(AbstractXMPPConnection.java:407)
	at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.accept(NonzaCallback.java:177)
	at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.access$200(NonzaCallback.java:166)
	at org.jivesoftware.smack.NonzaCallback.onNonzaReceived(NonzaCallback.java:46)
	at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessNonza(AbstractXMPPConnection.java:1440)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1700(XMPPTCPConnection.java:131)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1010)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:916)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:939)
	at java.lang.Thread.run(Unknown Source)

If I try to run Spark without any additional rights, the SSO tab displays:
[image]

Anyway, I check “Use Single Sign-On (SSO) via GSSAPI” and select “Use DNS”. When it returns to the login window I have to enter the username and domain. After clicking the login button, it returns:

org.jivesoftware.smack.sasl.javax.SmackJavaxSaslException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:127)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:202)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:200)
	at org.jivesoftware.smack.AbstractXMPPConnection.authenticate(AbstractXMPPConnection.java:897)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginInternal(XMPPTCPConnection.java:382)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:638)
	at org.jivesoftware.gui.LoginUIPanel.login(LoginUIPanel.java:1273)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:124)
	... 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 14 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication 
	at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	... 21 more

As usual, thank you very much for your help.

Kind regards.

the sso check box has to be checked for SSO to work.

I’m so sorry, I started from scratch with Spark SSO.

The first time I run Spark (as administrator) the login window is:
[image]

Then I click the advanced button and configure these settings in the SSO tab:
[image]

After that, the login window looks like this:
[image]
The username has been autofilled, but the domain name hasn’t.

So, I enter the domain name and click the login button, and it returns:

org.jivesoftware.smack.SmackException$EndpointConnectionException: Could not lookup the following endpoints: RemoteConnectionEndpointLookupFailure(description='DNS lookup exception for myxmppserver.mydomain.local' exception='java.net.UnknownHostException: myxmppserver.mydomain.local'), RemoteConnectionEndpointLookupFailure(description='DNS lookup exception for mydomain.local' exception='java.net.UnknownHostException: mydomain.local')
	at org.jivesoftware.smack.SmackException$EndpointConnectionException.from(SmackException.java:334)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectUsingConfiguration(XMPPTCPConnection.java:664)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:849)
	at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:526)
	at org.jivesoftware.gui.LoginUIPanel.login(LoginUIPanel.java:1253)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

nslookup says:

C:\>nslookup myxmppserver.mydomain.local
Servidor:  MYDC.mydomain.local
Address:  10.0.1.2

Nombre:  myxmpserver.mydomain.local
Address:  10.0.1.5


C:\>nslookup mydomain.local
Servidor:  MYDC.mydomain.local
Address:  10.0.1.2

Nombre:  mydomain.local
Address:  10.0.1.2

the username will prefill if it reads it from the ticket, so that's good. the domain part will not auto config, as this is your xmpp domain and not your windows/ad domain.

Understood why the domain name is not autofilled.

I know the XMPP domain and the Windows domain aren’t the same thing, although they are the same in my case.

Any suggestions regarding the message: “DNS lookup exception for…” ?

Are you using mydomain.local in the xmpp
or

xmpp.fqdn --> myxmppserver.mydomain.local

per your previous post, you’ll want to use myxmppserver.mydomain.local