What am I doing wrong with SSO?

Hi Guys,

I’ve installed Openfire 3.6.4, I followed the instructions at…

http://www.igniterealtime.org/community/docs/DOC-1060#Verify%20Your%20Kerberos%20Setup

Using Spark 2.5.8 as client, when trying to login using SSO, I get the message “Unable to connect using Single Sign-On. Please check your principal and server settings.”

If I turn off SSO, I can login and connect correctly using my AD login details.

I’ve uninstalled and reinstalled both the server and client and double checked the settings. I’m not sure if the problem is on the server side, or on the client side.

On the client, the Raw sent packets are…

<stream:stream to="server.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<stream:stream to="server.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

adusername

adusername

spark

And the raw received packets are…

<?xml version='1.0' encoding='utf-8'?>

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="server.domain.com" id="b066b6ac" xml:lang="en" version="1.0">
<stream:features>

GSSAPI

zlib

</stream:features>

<?xml version='1.0' encoding='UTF-8'?>

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="server.domain.com" id="b066b6ac" xml:lang="en" version="1.0">
<stream:features>

GSSAPI

zlib

</stream:features>

adusername

adusername

spark


In the openfire debug log, I get…

2009.09.28 11:29:40 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2009.09.28 11:29:43 NIOConnection: startTLS: using c2s
2009.09.28 11:29:47 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Can someone tell me where I should start debugging?

I’ve also followed the instructions here…

http://www.igniterealtime.org/community/docs/DOC-1616

I deleted the original AD user, which was only a “domain user”

Created 2 new users, both now in the “Domain Admins” group. Hopefully they don’t need to be domain admins…

I used one user to create the keytab, and used the other as the administrator in the Openfire LDAP setup.

Went through and double checked all the settings again, including:

registry entry on clients

krb5.ini on clients and server

gss.conf in conf folder

jabber.keytab in resources folder

sasl config in openfire.xml

Still having the same problem.

What else can I try?

And if this helps…

Clients are Vista SP2 + 2 Windows 7 RC

Openfire server is running on Windows 2003 R2

Turns out it’s a Vista issue.

Just tried it on XP, and SSO works perfectly.

I tried messing around with Kerberos Encryption, but it just made it worse. I tried both DES-CBC-CRC and DES-CBC-MD5, as suggested in this post

With the encryption changed, Spark couldn’t pick up the username to use for SSO.

Not sure what I changed, but now I can login using SSO if I right-click and run as administrator on Vista. But it still leaves it unusable on our network because users are not local admins.

Does anyone have SSO working on Vista? Or is this a dead end?

Hey all, I was getting the same problem, and all I did was change the domain controller name, e.g. domain.name.com, to an IP address, e.g. 192.168.10.1, and the SSO worked. I don't know what the cause is, but all the users can SSO, and fewer problems for IT.

It seems like a common problem with sso is that DNS is not set up correctly. You need to be sure that you have an A record (forward) and a PTR record (reverse).
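An added check for the forward/reverse DNS requirement above (not code from the thread or from Openfire): a Kerberos client derives the service principal, here xmpp/server.domain.com@REALM, from the host name it resolves, so the A record and the PTR record for the Openfire server must agree. The resolver is injectable so the check can run offline against constructed zone data; the host name, IP and realm below are made up.

```python
"""Forward/reverse DNS consistency check for a Kerberos SSO host (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

# A resolver is a pair of callables: forward(name) -> ip, reverse(ip) -> name.
Resolver = Tuple[Callable[[str], str], Callable[[str], str]]


def system_resolver() -> Resolver:
    """Real lookups through the OS resolver (what a client on the LAN sees)."""
    def forward(name: str) -> str:
        return socket.gethostbyname(name)

    def reverse(addr: str) -> str:
        return socket.gethostbyaddr(addr)[0]
    return forward, reverse


def fake_resolver(a_records: Dict[str, str], ptr_records: Dict[str, str]) -> Resolver:
    """Constructed in-memory zone data so the check can be exercised offline."""
    def forward(name: str) -> str:
        return a_records[name.lower()]

    def reverse(addr: str) -> str:
        return ptr_records[addr]
    return forward, reverse


def expected_spn(host: str, realm: str) -> str:
    """The service principal a client will ask the KDC for (realm is upper-case)."""
    return f"xmpp/{host.lower().rstrip('.')}@{realm.upper()}"


def check_sso_dns(host: str, resolver: Resolver) -> List[str]:
    """Return findings; an empty list means the A and PTR records agree."""
    forward, reverse = resolver
    findings: List[str] = []
    host = host.lower().rstrip(".")
    if "." not in host:
        findings.append("host is not fully qualified; the SPN must use the FQDN")
    try:
        addr = forward(host)
    except (KeyError, OSError):
        return findings + [f"no A record for {host}"]
    try:
        ptr = reverse(addr).lower().rstrip(".")
    except (KeyError, OSError):
        return findings + [f"no PTR record for {addr}"]
    if ptr != host:
        # A client that canonicalizes via reverse lookup would request
        # xmpp/<ptr name> and the ticket would not match the keytab entry.
        findings.append(f"PTR for {addr} is {ptr}, not {host}")
    return findings
```

Run it with `check_sso_dns("server.domain.com", system_resolver())` from a client workstation as well as from the server, since the two may be using different DNS servers.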

Yes we have that setup public and private and still not working