3 Replies Latest reply on Aug 14, 2011 8:14 PM by VAZ_ik

    Some troubles with SSO

      Hi, all. I have some trouble connecting to my Openfire server with Spark. I have Spark 2.6.3 on Windows 7, Openfire 3.7.0 on Debian Squeeze and Active Directory on Windows Server 2008. When I try to authenticate by SSO I get the following messages in my logs:

       

      output.log

       

      Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

      Acquire TGT from Cache

      Principal is myaccount@MYDOMAIN.LOC

      Commit Succeeded

       

      error.log

       

      18.07.2011 18:23:20 org.jivesoftware.spark.util.log.Log warning

      WARNING: Exception in Login:

      SASL authentication failed:

        -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)

          at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

          at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

          at java.lang.Thread.run(Unknown Source)

      Nested Exception:

      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)

          at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)

          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)

          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)

          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)

          at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)

          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)

          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

          at java.lang.Thread.run(Unknown Source)

      Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))

          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

          ... 10 more

      Caused by: KrbException: Integrity check on decrypted field failed (31)

          at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)

          at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

          ... 13 more

      Caused by: KrbException: Identifier doesn't match expected value (906)

          at sun.security.krb5.internal.KDCRep.init(Unknown Source)

          at sun.security.krb5.internal.TGSRep.init(Unknown Source)

          at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)

          ... 18 more

       

      spark.properties has the following content:

       

      #Spark Settings

      #Mon Jul 18 18:02:33 VLAST 2011

      compressionOn=false

      jksPath=

      resource=Spark 2.6.3

      trustStorePath=

      hostAndPort=true

      ssoRealm=MYDOMAIN.LOC

      timeout=10

      xmppPort=5222

      debuggerEnabled=false

      protocol=SOCKS

      xmppHost=jabber.mydomain.loc

      proxyEnabled=false

      trustStorePassword=

      ssoMethod=dns

      pkiEnabled=false

      sslEnabled=false

      ssoEnabled=true

      ssoKDC=kdc.mydomain.loc

      pkiStore=JKS

       

      Wireshark shows that Spark requests a ticket for the wrong service:

       

      Kerberos KRB-ERROR

      Pvno: 5

      MSG Type: KRB-ERROR (30)

      error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)

      Realm: MYDOMAIN.LOC

      Server Name (Unknown): xmpp/kdc.mydomain.loc

      Name-type: Unknown (0)

      Name: xmpp

      Name: kdc.mydomain.loc

       

      Instead of the right service, xmpp/jabber.mydomain.loc.

      Why does Spark request the wrong principal's ticket even though I specified jabber.mydomain.loc as the connection server in the advanced options before the session?

      I've broken my brain already...

      Sorry for my English.
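
      The comparison made by hand in the post above, written as a small check (an added example, not part of the original post and not Spark or Openfire code). It assumes the expected service principal is xmpp/<xmppHost>, as the post states, and uses constructed sample input copied from the values shown above; the function names are hypothetical.

```python
import re

# Constructed sample input, reusing the values shown in the post.
SPARK_PROPERTIES = """\
#Spark Settings
xmppHost=jabber.mydomain.loc
ssoRealm=MYDOMAIN.LOC
ssoMethod=dns
ssoKDC=kdc.mydomain.loc
"""

KRB_ERROR_DISSECTION = """\
MSG Type: KRB-ERROR (30)
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
"""

def parse_properties(text):
    """Parse Java .properties-style key=value lines, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def requested_spn(dissection):
    """Extract the service principal from a Wireshark 'Server Name' line."""
    m = re.search(r"^[ \t]*Server Name \([^)]*\):[ \t]*(\S+)", dissection, re.MULTILINE)
    return m.group(1) if m else None

def check_spn(props, dissection, service="xmpp"):
    """Compare the SPN seen in the KRB-ERROR with the one implied by xmppHost."""
    expected = f"{service}/{props['xmppHost']}".lower()
    seen = requested_spn(dissection)
    if seen is None:
        return {"status": "no-sname", "expected": expected}
    seen = seen.lower()  # hostnames are compared case-insensitively here
    host = seen.partition("/")[2]
    # Which configured properties hold the hostname that was actually requested?
    sources = sorted(k for k, v in props.items() if v.lower() == host)
    status = "ok" if seen == expected else "mismatch"
    return {"status": status, "expected": expected, "requested": seen,
            "host_matches": sources}

if __name__ == "__main__":
    print(check_spn(parse_properties(SPARK_PROPERTIES), KRB_ERROR_DISSECTION))
```

      On the sample input the result is a mismatch, and `host_matches` shows that the requested hostname equals the value of `ssoKDC` rather than `xmppHost`.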