
WinSRV 2008 R2 + AD 2003 + Openfire 3.9.3 + Spark 2.6.3 - SSO fail

Hi everybody!

Basic information:

  • AD root domain - npomash.dom (2003)

  • AD domain - personal.npomash.dom (2003) - all users are here

  • KDC - dc3p.personal.npomash.dom (WinSRV 2008 R2 SP2)

  • Openfire 3.9.3 server - openfire.personal.npomash.dom (WinSRV 2008 R2 SP2)

  • Spark 2.6.3 client - kms.personal.npomash.dom (WinSRV 2008 R2 SP2)

  • Database - MS SQL Express 2008 R2 SP2 (hosting on openfire.personal.npomash.dom)

Well, I’ve set up and configured everything by these guides:

https://igniterealtime.org/builds/openfire/docs/latest/documentation/install-guide.html

https://community.igniterealtime.org/docs/DOC-1060

Also checked several threads such as these:

And I can’t solve the SSO failure problem for about three days now.

I think I’ve tested every possible combination of options. And still no solution yet.

Here is what’s happening on Spark (Raw Received Packets):

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire.personal.npomash.dom" id="d17b9669" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire.personal.npomash.dom" id="d17b9669" xml:lang="en" version="1.0">
<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

Info.log entry on Openfire side:

2014.06.18 15:47:03 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

Sorry, if I missed something. Any advice or ideas please?

Take a look at the following. They are more up to date, with the first one being really well documented.

https://community.igniterealtime.org/docs/DOC-2706

https://community.igniterealtime.org/docs/DOC-2585

Well, now I’m completely confused. X_X

All those manuals differ from each other in many points.

  • xmpp-user:

  • “Use Kerberos DES encryption types for this account” - should be checked?

  • “Do not require Kerberos preauthentication” - should be checked?

  • How many spns should I create?

  • Configure encryption types allowed for Kerberos - which exactly should be checked? DES_CBC_CRC - enabled or disabled?

  • DNS PTR-records - how many records should be in Reverse Lookup Zone? In Jonathan Murch’s guide he contrived to put a Host (A) record there. :\

  • DNS - Any additional SRV records needed?

  • openfire.xml - Should there be

org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy

in it?

Within <provider> or not?

  • krb5.ini - Should these records be there?

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

  • keytab - what type? How to check the windows one?

  • gss.conf - “isInitiator=false”?

This record appears in info.log every time I’m trying to login by SSO:

2014.06.19 16:13:06 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /10.200.100.116:51271, L: /10.200.100.15:5222, S: 0.0.0.0/0.0.0.0:5222)

  • “Use Kerberos DES encryption types for this account” - should be checked? -Yes
  • “Do not require Kerberos preauthentication” - should be checked? -No
  • How many spns should I create? - 2 will be created

  • Configure encryption types allowed for Kerberos - which exactly should be checked? DES_CBC_CRC - enabled or disabled? - All encryption types BUT DES_CBC_CRC should be checked

  • DNS PTR-records - how many records should be in Reverse Lookup Zone? In Jonathan Murch’s guide he contrived to put a Host (A) record there. :\

Make sure you have a reverse record that matches your A record.

  • DNS - Any additional SRV records needed?

Depends

**No, unless your XMPP domain is different than the FQDN of your server. External SRV records are also needed if you want to federate with external xmpp servers.**

openfire.xml - Should there be

org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy

in it?

Within <provider> or not?

I don’t have that in mine… not to say it’s not needed.

  • krb5.ini - Should these records be there?

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

It doesn’t hurt anything. I don’t have it in mine. However, you’ll want to remove des-cbc-crc since that isn’t going to be a supported encryption type.

  • gss.conf - “isInitiator=false”

**I don’t have this in mine either**

Hope this helps.

“Do not require Kerberos preauthentication” - should be checked? -No

OK, it’s unchecked now.

How many spns should I create? - 2 will be created

Well, there is obviously something wrong with my xmpp-user.

I do remember I added 2 records. But ADSI Edit shows there is only 1 SPN record:

[screenshot: snap00006]

AND the other one somehow is in UPN:

[screenshot: snap00007]

UPD: I get it. The UPN is changed by ktpass -mapuser.

That’s not right, right?

Also I’ve checked the openfire server computer account:

[screenshot: snap00009]

Is it OK?

All encryption types BUT DES_CBC_CRC should be checked

OK, it’s done.

I don’t have that in mine… not to say it’s not needed.

I don’t have that in mine now either. I guess Openfire took it into its config and then deleted it.

UPD: Should I use “+DesOnly” key when creating the keytab?

Despite all the configuring, SSO still doesn’t work.

2014.06.20 12:10:32 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /10.200.100.116:59394, L: /10.200.100.15:5222, S: 0.0.0.0/0.0.0.0:5222)

java.io.IOException: An existing connection was forcibly closed by the remote host

Also there are such records in the Spark warn.log:

Jun 20, 2014 12:33:36 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

... 10 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

... 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)

... 18 more

Did you ever find a solution for this? I’m having the same issue.

Make sure your xmpp SPN account matches what you have in your gss.conf file.

I removed and redid the SPN and confirmed that it matches the gss.conf file. I am still unable to use SSO with Spark/Openfire.

Openfire log error


2014.07.22 12:33:26 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed


Spark log error


Jul 22, 2014 12:33:26 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication GSSAPI failed: not-authorized:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)


After redoing the SPN, you’ll need to recreate the keytab file. Are you using Java or Windows to create the keytab? If Windows, are you running the command on the Server 2003 or the 2008 box?

I did recreate the keytab file using java.

I’ve successfully tested the keytab file with the kinit command after creating it.

what do you get when you run kinit -k -t against your keytab file?
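Besides the kinit -k -t test, it helps to see what a keytab actually contains: the earlier question “keytab - what type? How to check the windows one?” and the later “Server not found in Kerberos database” and DES-only ktpass keytab all come down to the principal and enctypes stored in the file. The following is an added example, not code from this thread, Openfire or Spark: a parser for the version-2 keytab format plus a check for those two failure modes. The sample keytab, its principal and its key bytes are constructed here, and `parse_keytab`, `check_keytab` and `_entry` are names chosen for this example.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 2, 3}  # all a "+DesOnly" / "-crypto DES-CBC-MD5" keytab can contain


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string (keytab 'counted string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # negative size marks a deleted slot; zero-size: step one byte
            off -= size or -1
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _ntype, _stamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen
        if end - off >= 4:  # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPES.get(enctype, str(enctype))})
        off = end
    return entries


def check_keytab(entries, expected_principal):
    """Findings for this thread's two failure modes: wrong SPN and DES-only keys."""
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("principal %s not in keytab" % expected_principal)
    if entries and all(e["enctype"] in SINGLE_DES for e in entries):
        names = ", ".join(sorted({e["enctype_name"] for e in entries}))
        findings.append("only single-DES keys present: " + names)
    return findings


def _entry(principal, enctype, key, kvno):
    """Build one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 1403000000, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample with a fake 8-byte key, shaped like the thread's ktpass output.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("xmpp/server.domain.local@DOMAIN.LOCAL", 3, b"\x01" * 8, 3)
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and the SPN from gss.conf to `check_keytab`; a non-empty result points at the mismatch before kinit ever runs.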

Wow, same time I updated my previous reply. I get nothing when I run that, which means it’s successful, correct?

I just tried your suggestion from https://community.igniterealtime.org/thread/51817 of

try creating a new keytab file. use this command on your dc. This keytab file will not pass the kinit java test…so don’t worry about it, however try it in your resource folder anyway.

ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser keytab@domain.local -pass * -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly -out xmpp.keytab

Now my client connects without a problem. Thank you for your help Speedy!

cool!

In my case the problem was solved by:

  • Updating the JRE on the Openfire server to SE 7 U60
  • Hosting keytab in the root of the system volume
  • Using Spark 2.7.0.665

And now SSO is working like a charm.

Having an issue with 1 PC. Every day I come in, it fails to sign in with SSO. Getting this error in the Spark log:

(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))

at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

… 17 more

So far it just seems to be 1 computer having this issue. I can go to another computer and log in fine every time. If I run the following command, it is fixed for the day.

“C:\Program Files (x86)\Java\jre7\bin\kinit” user@REALM.LOCAL

I just have to enter the password for the user after that command. I can log off Spark, restart the computer and still get back into Spark just fine for the day. The next day, I can no longer sign into Spark with SSO and I have to run the command again.

Happening again this morning. Spark’s error.log:

Jul 30, 2014 8:12:43 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1056)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:303)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:835)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1056)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:303)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:835)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))

at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

… 17 more

Spark’s output.log

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Acquire TGT from Cache

Credentials are no longer valid

Principal is null

null credentials from Ticket Cache

[Krb5LoginModule] authentication failed

Unable to obtain Princpal Name for authentication

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Acquire TGT from Cache

Credentials are no longer valid

Principal is null

null credentials from Ticket Cache

[Krb5LoginModule] authentication failed

Unable to obtain Princpal Name for authentication

Openfire logs are not showing any entry for the time I try to sign in this morning.