I haven’t made any changes to my infrastructure or files for 3 years and everything has been working swimmingly. Now, I upgraded my AD Servers to 2008 and even before upgrading the Domain Functional Level with krb5.ini pointing to the new servers, SSO fails.
I am getting this error:
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
So, I have gone through the SSO document again. I re-created the keytab file. I updated the krb5.ini file to show the allowed enctypes:
[libdefaults]
default_realm = CMAOHIO.ORG
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
CMAOHIO.ORG = {
kdc = cma-srv-ads-01.cmaohio.org
kdc = cma-srv-ads-02.cmaohio.org
default_domain = cmaohio.org
}
[domain_realms]
.cmaohio.org = CMAOHIO.ORG
I updated the domain policy to allow for those encryption types (finding that Windows 2008 doesn’t do that by default). I updated everything and I still don’t know what is going on. Nothing works!
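An added example, not part of the original post: a small Python lint for a krb5.ini like the one above, reporting enctype lists that offer only deprecated types and section names outside the set it knows. The function name `lint_krb5`, the finding labels and the short section list are assumptions made for this sketch.

```python
import re

# IANA Kerberos etype numbers for names a krb5.ini may list. The "(14)" in the
# Java message above is the Kerberos error code KDC_ERR_ETYPE_NOSUPP, not an etype.
ETYPES = {
    "des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23,
}
DEPRECATED = {1, 3, 16, 23}  # RFC 6649 (DES) and RFC 8429 (3DES, RC4)
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm"}  # subset checked here
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Sample input: [libdefaults] and the last section as posted; [realms] omitted.
SAMPLE = """\
[libdefaults]
default_realm = CMAOHIO.ORG
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[domain_realms]
.cmaohio.org = CMAOHIO.ORG
"""

def lint_krb5(text):
    """Return (kind, detail) findings for one krb5.ini given as a string."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # section header
            section = m.group(1)
            if section not in KNOWN_SECTIONS:
                findings.append(("unknown-section", section))
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key in ENCTYPE_KEYS:
            names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
            findings += [("unknown-enctype", f"{key}: {n}") for n in names if n not in ETYPES]
            nums = [ETYPES[n] for n in names if n in ETYPES]
            if nums and all(e in DEPRECATED for e in nums):
                findings.append(("deprecated-only", f"{key}: etypes {nums}"))
    return findings

if __name__ == "__main__":
    print(*lint_krb5(SAMPLE), sep="\n")
```

A finding here is a prompt to compare the client's offered etypes with what the KDC and the service account accept, not a diagnosis of the login failure.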