
Openfire+Spark+SSO not working

Question asked by Robert on Nov 13, 2015
Latest reply on Dec 5, 2015 by speedy

Hey,

I have a problem connecting Spark (v. 2.7.3) to the Openfire server by SSO.

 

I tried all the recommendations of these links:

  1. https://community.igniterealtime.org/docs/DOC-1060
  2. https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux
  3. https://community.igniterealtime.org/docs/DOC-1522
  4. https://community.igniterealtime.org/docs/DOC-1060
  5. https://community.igniterealtime.org/thread/51154
  6. https://community.igniterealtime.org/docs/DOC-2585

and nothing :-(

My environment is:

KDC (AD) on Windows Server 2003
Openfire server on CentOS 7
Hosts with Spark: Windows XP, 7, 8.1

My openfire.xml looks like that:


<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file stores bootstrap properties needed by Openfire.
    Property names must be in the format: "prop.name.is.blah=value"
    That will be stored as:
        <prop>
            <name>
                <is>
                    <blah>value</blah>
                </is>
            </name>
        </prop>

    Most properties are stored in the Openfire database. A
    property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <locale>pl_PL</locale>
  <!-- Network settings. By default, Openfire will bind to all network interfaces.
      Alternatively, you can specify a specific network interfaces that the server
      will listen on. For example, 127.0.0.1. This setting is generally only useful
       on multi-homed servers. -->
  <!--
    <network>
        <interface>192.168.0.1</interface>
    </network>
    -->
  <!-- SPDY Protocol is npn.
        (note: npn does not work with Java 8)
        add -Xbootclasspath/p:/OPENFIRE_HOME/lib/npn-boot.jar to .vmoptions file    -->
  <!--
    <spdy>
        <protocol>npn</protocol>
    </spdy>
    -->
  <connectionProvider>
    <className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
  </connectionProvider>
  <!-- sasl configuration -->
  <sasl>
    <realm>DOMAIN</realm>
  </sasl>
  <authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
  </authorization>
  <setup>true</setup>
</jive>

 

 

My krb5.conf looks like that:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = domain
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
domain = {
  kdc = srv.domain
  admin_server = srv.domain
  default_domain = domain
}

[domain_realm]
domain = DOMAIN
.domain = DOMAIN


My gss.conf in folder /opt/openfire/conf looks like that:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/spark.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN"
    principal="xmpp/srv.domain@DOMAIN"
    debug=true
    isInitiator=false;
};


Create the spark user on the DC with the options "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication".


For spark, create the Kerberos XMPP SPN on the DC:

setspn -A xmpp/srv.domain@DOMAIN spark
setspn -A xmpp/srv.domain spark
setspn -A xmpp/srv spark


For spark, map the Kerberos XMPP SPN on the DC:

ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL


Create the spark.keytab file on the DC:

ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL -out spark.keytab


Copy spark.keytab to srv.domain (the Openfire server) into the folder /opt/openfire and change the owner and permissions.


I set on my hosts:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1


On the host with Windows XP I have this error in the Spark logs:

WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 19 more


On the hosts with Windows 7 and 8.1 I have this error in the Spark logs:

AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
    at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at sun.security.jgss.GSSUtil.login(Unknown Source)
    at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    ... 17 more


Please help me with that. I have spent the last 3 weeks on it and it is driving me crazy ;-(

Sorry for my bad English, Google Translator ;-)

Regards

Robert
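The post above pastes a krb5.conf, a JAAS gss.conf entry and the service principal as three separate artifacts, and a Kerberos SSO setup only works when those agree with each other. The script below is an editor-added example, not code from the post or from the Openfire or Spark projects: it parses a krb5.conf and a gss.conf entry (the samples are constructed to mirror the shape of the post's files) and reports structural inconsistencies a troubleshooter would check first: realm names that differ in case between sections (Kerberos realm names are case-sensitive, and an AD realm is the DNS domain in upper case), `[domain_realm]` targets and the acceptor principal's realm that have no matching `[realms]` entry, and enctype lists that still carry deprecated DES, 3DES or RC4. The parsers are deliberately minimal, and the check sees only the files, not DNS, the SPNs in AD or the keytab contents, so an empty result does not prove the deployment works, and a finding does not by itself explain the post's error.

```python
# Editor-added example (not code from the post, Openfire or Spark): a structural
# consistency check of a krb5.conf plus the JAAS gss.conf entry Openfire loads.
import re

# Constructed sample mirroring the post's krb5.conf: realm in lower case in
# [libdefaults]/[realms] but upper case in [domain_realm], legacy enctypes.
KRB5_CONF = """\
[libdefaults]
default_realm = domain
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
domain = {
  kdc = srv.domain
  admin_server = srv.domain
}

[domain_realm]
domain = DOMAIN
.domain = DOMAIN
"""

# Constructed sample mirroring the post's gss.conf acceptor entry.
GSS_CONF = """\
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true useKeyTab=true
  keyTab="/opt/openfire/spark.keytab"
  realm="DOMAIN"
  principal="xmpp/srv.domain@DOMAIN"
  isInitiator=false;
};
"""

# Single DES (RFC 6649), triple DES and RC4 (RFC 8429) are deprecated enctypes.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}


def parse_krb5(text):
    """Minimal krb5.conf parser: [section] headers, key = value lines, one-level {} blocks."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = block = {}
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def parse_gss(text):
    """Scrape key=value options from a flat JAAS login entry (quotes stripped)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="?([^"\s;]+)"?', text)}


def check(krb5, gss):
    """Return human-readable findings; an empty list means the files agree."""
    findings = []
    libdefaults, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    default_realm = libdefaults.get("default_realm", "")
    # Realm names are case-sensitive; an AD realm is the DNS domain in upper case.
    if default_realm != default_realm.upper():
        findings.append(f"default_realm '{default_realm}' is not upper-case")
    if default_realm not in realms:
        findings.append(f"default_realm '{default_realm}' has no [realms] entry")
    # Each [domain_realm] target must be spelled exactly like a [realms] key.
    for host, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps '{host}' to '{realm}', not defined in [realms]")
    # The acceptor principal must match realm= and use a realm the library knows.
    principal = gss.get("principal", "")
    service, _, princ_realm = principal.rpartition("@")
    if princ_realm != gss.get("realm"):
        findings.append(f"principal realm '{princ_realm}' differs from realm= '{gss.get('realm')}'")
    if princ_realm not in realms:
        findings.append(f"principal realm '{princ_realm}' is not defined in [realms]")
    # Deprecated enctypes in any of the enctype lists.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        legacy = sorted(set(libdefaults.get(key, "").split()) & LEGACY_ENCTYPES)
        if legacy:
            findings.append(f"{key} lists deprecated enctypes: {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for finding in check(parse_krb5(KRB5_CONF), parse_gss(GSS_CONF)):
        print("finding:", finding)
```

Run as a script it prints one line per finding; on the constructed sample it flags the lower-case `default_realm`, the two `[domain_realm]` entries and the principal realm that point at `DOMAIN` while `[realms]` only defines `domain`, and the two enctype lists. Rewriting the realm consistently in upper case and restricting the enctype lists to AES produces no findings, which is the state to reach before looking further at SPNs, DNS names or the keytab.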

 
