Windows SSO Kerberos not working

We have been playing with Kerberos for a couple of days now and got some steps working. But authentication via SSO within Openfire is still not working completely.

Openfire (3.7.0) is running on Windows Server 2008 R2 (64bit)

KDC is a Windows Server 2008 R2 (64bit)

Client (Spark 2.6.1.12532) is running on Windows 7

Active-Directory-Domain-Name: noerr.local

KDC: m-dc01.noerr.local

OpenFire-Server: m-im01.noerr.local

Active-Directory-User for Kerberos: xmpp-openfire

Settings for this user: “user cannot change password”, “password never expires”, “use kerberos DES encryption types for this account”, “do not require kerberos preauthentication”

What we have done so far:

On the KDC:

setspn -A xmpp/m-im01.noerr.local@NOERR.LOCAL xmpp-openfire
Registering ServicePrincipalNames for CN=OpenFire AD Kerberos Service Account,OU=ServiceAccounts,OU=Global,DC=noerr,DC=local
xmpp/m-im01.noerr.local@NOERR.LOCAL
Updated object

ktpass -princ xmpp/m-im01.noerr.local@NOERR.LOCAL -mapuser xmpp-openfire@noerr.local -pass * -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: M-DC01.noerr.local
Successfully mapped xmpp/m-im01.noerr.local to xmpp-openfire.
Type the password for xmpp/m-im01.noerr.local:
Type the password again to confirm:
Password succesfully set!
Key created.

On the Openfire server:

ktab -k xmpp.ktab -a xmpp/m-im01.noerr.local@NOERR.LOCAL
Password for xmpp/m-im01.noerr.local@NOERR.LOCAL:xxxxxxxxxxxxx
Done!
Service key for xmpp/m-im01.noerr.local@NOERR.LOCAL is saved in xmpp.ktab

xmpp.ktab was then moved to the Openfire resources folder.

gss.conf in the Openfire conf folder:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/PROGRA~2/Openfire/resources/xmpp.ktab"
    doNotPrompt=true
    useKeyTab=true
    realm="NOERR.LOCAL"
    principal="xmpp/m-im01.noerr.local@NOERR.LOCAL"
    isInitiator=false
    debug=true;
};

SASL-specific configuration properties in the Openfire database:

sasl.gssapi.config              C:/PROGRA~2/Openfire/conf/gss.conf
sasl.gssapi.debug               true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs                      GSSAPI,PLAIN,CRAM-MD5,DIGEST-MD5,EXTERNAL,ANONYMOUS
sasl.realm                      NOERR.LOCAL
xmpp.domain                     noerr.local
xmpp.fqdn                       m-im01.noerr.local

krb5.ini, placed in the Windows folder on the Openfire server, in the Windows folder on the client, and on the client within C:\Users\xxx\Windows:

[libdefaults]
default_realm = NOERR.LOCAL

[realms]
NOERR.LOCAL = {
    kdc = m-dc01.noerr.local
    admin_server = m-dc01.noerr.local
    default_domain = NOERR.LOCAL
}

[domain_realm]
noerr.local = NOERR.LOCAL
.noerr.local = NOERR.LOCAL

In the client registry we set the value

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTGTSessionKey=1

But SSO login with Spark always fails.

We also tried generating the keytab file on the KDC and using that file, but with no success:

ktpass -princ xmpp/m-im01.noerr.local@NOERR.LOCAL -mapuser xmpp-openfire@noerr.local -pass * -ptype KRB5_NT_PRINCIPAL -out C:\xmpp.ktab
Targeting domain controller: M-DC01.noerr.local
Successfully mapped xmpp/m-im01.noerr.local to xmpp-openfire.
Type the password for xmpp/m-im01.noerr.local:
Type the password again to confirm:
Password succesfully set!
Key created.
Output keytab to C:\xmpp.ktab:
Keytab version: 0x502
keysize 70 xmpp/m-im01.noerr.local@NOERR.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x6ca54b4afb5b0681d1aa6c2cd8f3694d)

The only messages we get are in openfire-debug.log:

2011.07.20 10:58:22 [/172.16.0.55:59730] Data Read: org.apache.mina.filter.support.SSLHandler@94124f (HeapBuffer[pos=0 lim=22 cap=64: 17 03 01 00 11 E7 0A 1E B7 55 74 A3 A7 14 DE 4C D2 17 49 46 BE 7F])
2011.07.20 10:58:22 [/172.16.0.55:59730] unwrap()
2011.07.20 10:58:22 [/172.16.0.55:59730] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=22 cap=16665]
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 22 bytesProduced = 1
2011.07.20 10:58:22 [/172.16.0.55:59730] inNetBuffer: java.nio.DirectByteBuffer[pos=22 lim=22 cap=16665]
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 0 bytesProduced = 0
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] app data read: HeapBuffer[pos=0 lim=1 cap=1: 20] (20)
2011.07.20 10:58:22 Launching thread for /172.16.0.55:59730
2011.07.20 10:58:22 Exiting since queue is empty for /172.16.0.55:59730

And on the client side, in the Spark error.log:

WARNUNG: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:984)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:218)
    at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:707)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:984)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:218)
    at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:707)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 18 more

Can anyone help us? This silly problem is driving us crazy…
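The ktpass output in the post records the service principal, its key version (vno 6) and its encryption type (etype 0x17, RC4-HMAC); the copy of the keytab that ends up in the Openfire resources folder should carry the same values, and a keytab written locally with ktab has no way of learning the kvno the domain controller holds. The following inspector is an added example, not code from the post or from Openfire: it parses the version 0x0502 keytab format that ktpass and ktab write, and the sample keytab is constructed inline with the thread's principal and a made-up 16-byte key.

```python
import struct
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",  # RFC 3961 numbers
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(buf, off):
    """Read a uint16 length-prefixed byte string (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass and ktab write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:           # negative size marks a deleted slot: skip it
            off += -size
            continue
        body, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode())
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", body, p)
        p += 13 + klen          # the key bytes themselves are not needed for the check
        # a trailing uint32 kvno, when present, overrides the one-byte vno8
        kvno = struct.unpack_from(">I", body, p)[0] if p + 4 <= len(body) else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "?"), "key_len": klen})
    return entries

def find_entry(data, principal):
    """Return the keytab entry for `principal` (the one ktpass mapped), or None."""
    return next((e for e in parse_keytab(data) if e["principal"] == principal), None)

def build_entry(principal, kvno, etype, key):
    """Encode one entry; used only to construct the sample keytab below."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the thread's principal, kvno 6, etype 23 (RC4-HMAC), made-up key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "xmpp/m-im01.noerr.local@NOERR.LOCAL", 6, 23, bytes(range(16)))
```

To check a real file, pass `open("xmpp.ktab", "rb").read()` to `find_entry` and compare the returned kvno and etype with what ktpass printed on the KDC.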

Did you ever get this working?

I'm struggling with OF 3.9.1, a Windows 2k8r2 domain and Windows 7 clients, trying to get SSO working.

I've read loads of articles, but some are so old I'm worried that they aren't relevant anymore.