
Some troubles with SSO

Question asked by VAZ_ik on Jul 18, 2011
Latest reply on Aug 14, 2011 by VAZ_ik

Hi, all. I have some trouble connecting to my Openfire server with Spark. The setup is Spark 2.6.3 on Windows 7, Openfire 3.7.0 on Debian Squeeze and Active Directory on Windows Server 2008. When I try to authenticate via SSO I get the following messages in my logs:

output.log:

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is myaccount@MYDOMAIN.LOC
Commit Succeeded


error.log:

18.07.2011 18:23:20 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 18 more


spark.properties has the following content:


#Spark Settings
#Mon Jul 18 18:02:33 VLAST 2011
compressionOn=false
jksPath=
resource=Spark 2.6.3
trustStorePath=
hostAndPort=true
ssoRealm=MYDOMAIN.LOC
timeout=10
xmppPort=5222
debuggerEnabled=false
protocol=SOCKS
xmppHost=jabber.mydomain.loc
proxyEnabled=false
trustStorePassword=
ssoMethod=dns
pkiEnabled=false
sslEnabled=false
ssoEnabled=true
ssoKDC=kdc.mydomain.loc
pkiStore=JKS


Wireshark shows that Spark requests a ticket for the wrong service:


Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
Name-type: Unknown (0)
Name: xmpp
Name: kdc.mydomain.loc


instead of the right service, xmpp/jabber.mydomain.loc.

Why does Spark request a ticket for the wrong principal even though I specified jabber.mydomain.loc as the connection server in the advanced options before the session?

I've already broken my brain over this...

Sorry for my English.
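As an added example for this page (not code from Spark, Openfire, Smack or the original poster), the script below turns the two artifacts in the post into a repeatable check: it parses a spark.properties file (Java .properties syntax), derives the service principal an XMPP client should request from the KDC, and compares it with the server name in a Wireshark-style KRB-ERROR decode. It assumes the expected SPN is xmpp/<xmppHost>@<ssoRealm>, since xmpp is the registered GSS-API service name for XMPP; the sample inputs are constructed from the post and keep the poster's placeholder names.

```python
"""Added example, not Spark/Openfire/poster code: checks which SPN a Spark
SSO login should request against the one a KRB-ERROR decode says it did.
Assumption: the SPN an XMPP client should request is xmpp/<host>@<REALM>.
"""
import re

# Constructed from the post's spark.properties (SSO-relevant subset).
SPARK_PROPERTIES = """\
#Spark Settings
#Mon Jul 18 18:02:33 VLAST 2011
resource=Spark 2.6.3
hostAndPort=true
ssoRealm=MYDOMAIN.LOC
xmppPort=5222
xmppHost=jabber.mydomain.loc
ssoMethod=dns
ssoEnabled=true
ssoKDC=kdc.mydomain.loc
jksPath=
"""

# Constructed from the post's Wireshark decode of the KDC's reply.
KRB_ERROR_DECODE = """\
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: MYDOMAIN.LOC
Server Name (Unknown): xmpp/kdc.mydomain.loc
Name-type: Unknown (0)
Name: xmpp
Name: kdc.mydomain.loc
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    """Java Properties escapes: \\uXXXX, \\n \\t \\r \\f, and \\x -> x."""
    def sub(m):
        e = m.group(1)
        return chr(int(e[1:], 16)) if e[0] == "u" else _ESCAPES.get(e, e)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", sub, s)


def _split_key_value(line):
    """Key ends at the first unescaped '=', ':' or whitespace."""
    m = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)$", line)
    return _unescape(m.group(1)), _unescape(m.group(2))


def parse_properties(text):
    """Minimal Java .properties parser: comments, separators, continuations, escapes."""
    props, pending = {}, ""
    for line in [l.lstrip(" \t\f") for l in text.splitlines()] + [""]:
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:  # odd trailing backslashes: continued
            pending += line[:-1]
            continue
        key, value = _split_key_value(pending + line)
        props[key], pending = value, ""
    return props


def expected_spn(props):
    """SPN an XMPP client should ask for: xmpp/<XMPP server FQDN>@<REALM>."""
    return "xmpp/%s@%s" % (props["xmppHost"].strip().lower(), props["ssoRealm"].strip())


def requested_spn(decode):
    """Service principal the KRB-ERROR says the failed TGS-REQ named."""
    server = re.search(r"^Server Name[^:]*:\s*(\S+)\s*$", decode, re.M)
    realm = re.search(r"^Realm:\s*(\S+)\s*$", decode, re.M)
    if not (server and realm):
        raise ValueError("decode has no Server Name / Realm lines")
    return "%s@%s" % (server.group(1), realm.group(1))


def error_code(decode):
    """(symbolic name, number) from the error_code line, or None."""
    m = re.search(r"^error_code:\s*(\S+)\s*\((\d+)\)", decode, re.M)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(props_text, decode):
    """Findings as strings; an empty list means config and TGS-REQ agree."""
    props = parse_properties(props_text)
    want, got = expected_spn(props), requested_spn(decode)
    findings = []
    if want != got:
        findings.append("SPN mismatch: config implies %s, TGS-REQ asked for %s" % (want, got))
    got_host = got.split("/", 1)[1].split("@", 1)[0]
    if got_host == props.get("ssoKDC", "").strip().lower():
        findings.append("requested service host %s is the ssoKDC value, not xmppHost" % got_host)
    realm = props.get("ssoRealm", "")
    if realm != realm.upper():
        findings.append("ssoRealm %r is not upper case; Kerberos realms are case-sensitive" % realm)
    code = error_code(decode)
    if code:
        findings.append("KDC answered %s (%d)" % code)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SPARK_PROPERTIES, KRB_ERROR_DECODE):
        print("-", finding)
```

Run against the post's data it reports the SPN mismatch, that the requested service host is exactly the ssoKDC value, and the KDC's error code; pointing it at your own spark.properties and a fresh Wireshark decode gives the same three answers for a different setup. Parsing the decode text rather than the packet bytes keeps the script offline and free of dependencies, at the cost of relying on Wireshark's field labels.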
