7 Replies Latest reply on Aug 2, 2016 6:55 AM by speedy

    Openfire 4.0.1 SSO - again

    Ben

      Hello.

       

Problem: In the Pidgin debug log (I also did a test install of Spark; it isn't working either) I get the following error when I try to connect my user to the Openfire server.

      (10:01:38) certificate: Successfully verified certificate for "openfire-server"

      (10:01:38) jabber: Sending (ssl) (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(10:01:38) jabber: Recv (ssl)(456): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="6e50wbz30s" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>

      (10:01:38) sasl: Mechs found: GSSAPI

      (10:02:05) sasl: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

      (10:02:05) sasl: sasl_state is -1, failing the mech and trying again

      (10:02:05) sasl: Mechs found:

       

I have a Windows Server 2012 environment, a working Openfire server (without SSO ofc) on "openfire-server", and Windows/Mac clients.

       

      What I already did:

      First instruction: HOWTO: SSO Configuration for Windows (Server and Clients) and Mac Clients

Second instruction: How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

      Third instruction: 28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark

       

      The last one brought me from the error "not authorized" to the above mentioned.

      On the client I did the registry entry, copied the krb5.ini, installed java 8 101 and MIT Kerberos for Windows 3.2.2, rebooted.

       

      Thanks for any advice...

        • Re: Openfire 4.0.1 SSO - again
          speedy

          sso can be a little tricky.  things are case sensitive, so I'd start there.  here is a doc I wrote up a while ago, and reference each time I set up SSO.

           

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

            • Re: Openfire 4.0.1 SSO - again
              Ben

              So, I got a little further.

               

              (16:31:28) account: Connecting to account user@domain.local/.

              (16:31:28) connection: Connecting. gc = 04CE06A8

              (16:31:28) dnsquery: Performing DNS lookup for "openfire-server"

              (16:31:28) dnsquery: IP resolved for  "openfire-server"

              (16:31:28) proxy: Attempting connection to  "openfire-server-ip"

              (16:31:28) proxy: Connecting to openfire-server:5222 with no proxy

              (16:31:28) proxy: Connection in progress

              (16:31:28) proxy: Connecting to openfire-server:5222.

              (16:31:28) proxy: Connected to openfire-server:5222.

              (16:31:28) jabber: Sending (user@domain.local): <?xml version='1.0' ?>

              (16:31:28) jabber: Sending (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

              (16:31:28) jabber: Recv (184): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="99xg9xlypw" xml:lang="en" version="1.0">

(16:31:28) jabber: Recv (333): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>

              (16:31:28) jabber: Sending (user@domain.local): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

              (16:31:28) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

              (16:31:28) nss: SSL version 3.3 using 128-bit AES-GCM with 128-bit AEAD MAC

              Server Auth: 2048-bit RSA, Key Exchange: 256-bit ECDHE, Compression: NULL

              Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

              (16:31:28) nss: subject=CN="openfire-server" issuer=CN="openfire-server"

              (16:31:28) certificate/x509/tls_cached: Starting verify for "openfire-server"

              (16:31:28) certificate/x509/tls_cached: Checking for cached cert...

              (16:31:28) certificate/x509/tls_cached: ...Found cached cert

(16:31:28) nss/x509: Loading certificate from C:\Users\user\AppData\Roaming\.purple\certificates\x509\tls_peers\"openfire-server"

              (16:31:28) certificate/x509/tls_cached: Peer cert matched cached

(16:31:28) nss/x509: Exporting certificate to C:\Users\user\AppData\Roaming\.purple\certificates\x509\tls_peers\"openfire-server"

(16:31:28) util: Writing file C:\Users\user\AppData\Roaming\.purple\certificates\x509\tls_peers\"openfire-server"

              (16:31:28) nss: Trusting CN="openfire-server"

              (16:31:28) certificate: Successfully verified certificate for "openfire-server"

              (16:31:28) jabber: Sending (ssl) (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(16:31:28) jabber: Recv (ssl)(456): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="99xg9xlypw" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>

              (16:31:28) sasl: Mechs found: GSSAPI

              (16:31:28) jabber: Sending (ssl) (user@domain.local): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>password removed</auth>

              (16:31:28) connection: Connection error on 04CE06A8 (reason: 0 description: Der Server hat die Verbindung beendet)

              (16:31:28) account: Disconnecting account user@domain.local/ (021D9178)

              (16:31:28) connection: Disconnecting connection 04CE06A8

              (16:31:28) jabber: Sending (ssl) (user@domain.local): </stream:stream>

              (16:31:28) connection: Destroying connection 04CE06A8

              (16:31:34) util: Writing file accounts.xml to directory C:\Users\user\AppData\Roaming\.purple

              (16:31:34) util: Writing file C:\Users\user\AppData\Roaming\.purple\accounts.xml

                • Re: Openfire 4.0.1 SSO - again
                  speedy

it's hard to tell where it's failing with the information you provided.  Spark may provide more insight as well.  can you try sso with spark and post the error and warn logs please?

                    • Re: Openfire 4.0.1 SSO - again
                      Ben

Unfortunately Spark isn't writing anything to the error log file. The only information I get out of the program is in the debug window:

                      <iq id="1649U-3" to="openfire-server/39kapwvyny" type="error">

                        <ping xmlns="urn:xmpp:ping"/>

                        <error code="401" type="AUTH">

                          <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>

                        </error>

                      </iq>

                • Re: Openfire 4.0.1 SSO - again
                  speedy

that error is usually caused by your xmpp domain and SPN not matching.  check that, and recreate your keytab file.