Upgraded AD from 2003 -> 2008, SSO now fails

I haven’t made any changes to my infrastructure or files for 3 years and everything has been working swimmingly. Now I have upgraded my AD servers to 2008 and, even before upgrading the Domain Functional Level, with krb5.ini pointing to the new servers, SSO fails.

I am getting this error:

WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

So, I have gone through the SSO document again. I re-created the keytab file. I updated the krb5.ini file to show the allowed enctypes:

[libdefaults]
default_realm = CMAOHIO.ORG
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
CMAOHIO.ORG = {
    kdc = cma-srv-ads-01.cmaohio.org
    kdc = cma-srv-ads-02.cmaohio.org
    default_domain = cmaohio.org
}

# the section name is [domain_realm]; a misspelled section name is silently ignored
[domain_realm]
cmaohio.org = CMAOHIO.ORG
.cmaohio.org = CMAOHIO.ORG

I updated the domain policy to allow for those encryption types (finding that Windows 2008 doesn’t do that by default). I updated everything and I still don’t know what is going on. Nothing works!

Incidentally, yes, I have the allowTGT… registry key in. These machines have been working for a long time.

I read somewhere that I need a hotfix for Windows (KB 951191), but the hotfix system appears to be down and I can’t download it.
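The config posted above is the client side of the problem: the Java Kerberos client offers the enctypes listed under [libdefaults], and the KDC answers KDC_ERR_ETYPE_NOSUPP (error 14, the number in the exception) when none of them match a key it holds for the service account. As an added example that is not part of the original thread, the script below parses a krb5.ini of that shape and reports the things worth checking before touching the domain: a misspelled section name (which krb5 ignores silently), enctypes Windows KDCs never implement (3DES), DES types that a Windows 2008-era DC only issues when DES is enabled for the account or policy, and the absence of any AES type. The sample config, realm and host names are constructed placeholders, not the poster's.

```python
# Added example (not from the original thread): a small linter for a client
# krb5.ini. The config below is constructed to mirror the posted one with
# placeholder names; the misspelled [domain_realms] section is reproduced
# on purpose so the linter has something to find.
import re

KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "logging", "kdcdefaults", "plugins", "dbmodules"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
DES_TYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
NOT_ON_WINDOWS = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}  # Windows KDCs never did 3DES
AES_TYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
             "aes256-cts", "aes128-cts", "aes256-sha1", "aes128-sha1"}

SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = EXAMPLE.ORG
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
EXAMPLE.ORG = {
    kdc = dc1.example.org
    kdc = dc2.example.org
    default_domain = example.org
}

[domain_realms]
example.org = EXAMPLE.ORG
.example.org = EXAMPLE.ORG
"""


def parse_krb5(text):
    """Minimal krb5.ini/krb5.conf parser: [sections], key = value lines, and one
    level of `name = { ... }` blocks as used in [realms]. Repeated keys such as
    several kdc lines are collected into a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key in target:
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    return conf


def lint_krb5(conf):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            hint = ""
            if name.rstrip("s") in KNOWN_SECTIONS:
                hint = " (did you mean [%s]? an unknown section is silently ignored)" % name.rstrip("s")
            findings.append("unknown section [%s]%s" % (name, hint))
    lib = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in lib:
            continue
        types = lib[key].split()
        for et in types:
            if et in NOT_ON_WINDOWS:
                findings.append("%s: %s is not implemented by Windows KDCs; offering it cannot help" % (key, et))
            elif et in DES_TYPES:
                findings.append("%s: %s is DES; a Windows 2008-era DC only issues it when DES is enabled for the account/policy" % (key, et))
        if not AES_TYPES & set(types):
            findings.append("%s: no AES enctype listed; the client can only fall back to RC4 or DES" % key)
    for realm, rconf in conf.get("realms", {}).items():
        if not (isinstance(rconf, dict) and rconf.get("kdc")):
            findings.append("[realms] %s: no kdc entry" % realm)
    return findings


def check_krb5_text(text):
    """Convenience wrapper: parse and lint in one call."""
    return lint_krb5(parse_krb5(text))


if __name__ == "__main__":
    for finding in check_krb5_text(SAMPLE_KRB5_INI):
        print("-", finding)
```

Run against the sample it prints the section-name finding once and four enctype findings for each of the three enctype keys; a config that lists an AES type alongside rc4-hmac under a correctly spelled [domain_realm] comes back clean.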

I would try the following. In AD, for your keytab users, check the "enable DES for this account" option. Then I would recreate the keytab file using the Java tool.

Actually, I just now got things working, so I want to tell you what I did.

I did previously enable DES and reset the keytab file, and that caused a whole host of problems, including Exchange no longer talking to the AD servers and me not being able to change my own password.

After I disabled that, reset the password AGAIN for the xmpp-openfire account, and generated a new keytab, things started working again magically. I don’t know how to explain it, but it is now all working.
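What the last post describes, a password reset followed by a fresh keytab, is the usual fix for a keytab whose key version (kvno) or enctypes no longer match what the service account has in AD: every reset bumps the account's kvno, so an older keytab, or one regenerated for a DES key the DC will not issue, fails exactly this way. As an added example that is not part of the original thread, the script below reads an MIT-format keytab (the information `klist -ke` shows) and compares each entry against the account's current kvno and the enctypes the DC issues. The keytab bytes, principal, realm and key material are all constructed placeholders built in the script itself; nothing in it is a real key.

```python
# Added example (not from the original thread): inspect an MIT-format keytab
# and flag entries the KDC cannot use. The keytab is built here from dummy
# keys and placeholder names; it is not the poster's keytab.
import struct

KEYTAB_V2 = b"\x05\x02"
NT_PRINCIPAL = 1
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}


def _counted(data):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=0):
    """Serialise (principal, realm, kvno, enctype, key) tuples in keytab v2
    layout: per entry a signed size, component count, realm, components,
    name type, timestamp, 8-bit kvno, keyblock, then the 32-bit kvno."""
    out = bytearray(KEYTAB_V2)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype and key length."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:              # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
                        "key_len": len(key)})
    return entries


def keytab_findings(entries, account_kvno, dc_enctypes):
    """Flag entries the KDC cannot match: a kvno that no longer equals the
    account's (stale after a password reset) or an enctype the DC will not issue."""
    findings = []
    for e in entries:
        if e["kvno"] != account_kvno:
            findings.append("%s: keytab kvno %d but account is at kvno %d; regenerate the keytab"
                            % (e["principal"], e["kvno"], account_kvno))
        if e["enctype"] not in dc_enctypes:
            findings.append("%s: %s is not among the enctypes the DC issues"
                            % (e["principal"], e["enctype_name"]))
    return findings


# Constructed sample: a service principal with one RC4 and one DES key, both
# written at kvno 3. The key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("xmpp/openfire.example.org", "EXAMPLE.ORG", 3, 23, bytes(range(16))),
    ("xmpp/openfire.example.org", "EXAMPLE.ORG", 3, 3, bytes(range(8))),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e)
    # After a password reset the account sits at kvno 4, and a DC with DES off issues only RC4/AES.
    for f in keytab_findings(entries, account_kvno=4, dc_enctypes={23, 17, 18}):
        print("!", f)
```

With the account at kvno 3 and a DC that still issues DES the sample reports nothing; after one reset (kvno 4) on a DC without DES it reports both entries as stale and the DES entry as unusable, which is the combination the thread ran into before the final regeneration.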