4 Replies Latest reply on Dec 4, 2015 8:45 AM by speedy

    HELP OpenFire Debian Server SSO in Server 2008R2 domain

    yo yo

      Ok, I have been banging my head against the wall for a few days on this and have been reading through many posts like the following:


      SSO Configuration

      https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux

      SSO:  An easier way to join your CentOS 5 Openfire server to an AD Domain

      Re: Spark / OpenFire SSO failure

      SSO for Openfire 3.8.1 on Debian 7.0 "Wheezy" x64 + Spark 2.6.3 + AD W2k8 (not R2)


      I have openfire server configured and set up on Debian 8 Jessie 64 bit.

      Currently I can sign in manually with my AD credentials and everything works fine in that department.

      The problem is I keep getting this error in my spark log when trying to use SSO:


      Dec 03, 2015 3:22:12 PM org.jivesoftware.spark.util.log.Log warning
      WARNING: Exception in Login:
      SASL authentication failed:
        -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
      at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
      at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
      at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
      at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
      at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
      at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
      at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
      at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
      at java.lang.Thread.run(Unknown Source)
      Nested Exception:
      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
      at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
      at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
      at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
      at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
      at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
      at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
      at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
      at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
      at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
      at java.lang.Thread.run(Unknown Source)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
      at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      ... 10 more
      Caused by: KrbException: Server not found in Kerberos database (7)
      at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
      at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
      at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
      at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
      at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
      at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
      ... 13 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
      at sun.security.krb5.internal.KDCRep.init(Unknown Source)
      at sun.security.krb5.internal.TGSRep.init(Unknown Source)
      at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
      ... 19 more


      I have created two AD users: one for Openfire to use when enumerating AD users, and the other for the keytab, which has Kerberos pre-authentication disabled and AES 128-bit authentication enabled.

      I can use kinit -V -k -t krb5.xmpp.keytab xmpp/openfire-server.domain.local@DOMAIN.LOCAL from the openfire server to confirm keytab file authentication with Kerberos.

      I have actually tried importing the keytab a couple different ways from the KDC per suggested methods in the above links as well as generating it on the openfire Debian server itself to no avail.

      I have checked the system properties for xmpp.domain and xmpp.fqdn which are both set to openfire-server.domain.local.

      My /etc/hosts file and nsswitch.conf file appear to be correct, as do /usr/share/openfire/resource/conf/gss.conf and /etc/krb5.conf.

      At this point I have reloaded the server from scratch twice now just to be sure I wasn't missing anything.


      Can anyone post any pointers or at the very least suggest a better Linux chat server solution with SSO for a Server 2008 R2 domain?
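
A note on what the trace above actually says, followed by an added check that is not part of the original post. The failure is raised in KrbTgsReq.getReply, i.e. when the client asks the KDC for a service ticket, and code 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no principal with the name the client asked for. The innermost "Identifier doesn't match expected value (906)" is only Java's ASN.1 decoder noting that the KDC answered with a KRB-ERROR instead of a TGS-REP. So the three things that have to match exactly are the name the Java GSSAPI client builds (service/host@REALM, with the realm taken from default_realm in krb5.conf), the servicePrincipalName on the AD account, and the principal stored in the keytab. Note that kinit -k -t only proves the keytab key is valid for the account it names; it never performs the service-ticket lookup that fails here. After a plain kinit as a domain user, kvno xmpp/openfire-server.domain.local does perform exactly that lookup and will reproduce error 7 if the SPN is not registered.

The script below is an added example written for this page, not code from the poster or from Openfire. It derives the expected principal from an xmpp.fqdn value and a krb5.conf text, and checks it against the principal column of a klist -k -t listing. Everything it consumes is constructed inline so it runs offline; the assumptions (that the requested name is xmpp/<fqdn>@<REALM>, that the sample krb5.conf and listing look like the poster's) are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from Openfire/Spark):
# cross-check the service principal a GSSAPI client will request against
# the default_realm in krb5.conf and the principals a keytab holds.
# Assumed (not stated on the page): the client asks for
# xmpp/<xmpp.fqdn>@<default_realm>, and klist/krb5.conf output is passed
# in as text so the script can run on constructed samples.

# expected_principal FQDN REALM -> prints "xmpp/<fqdn>@<REALM>"
# (host lower-cased, realm upper-cased, which is the conventional form).
expected_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'xmpp/%s@%s\n' "$fqdn" "$realm"
}

# default_realm_of KRB5CONF_TEXT -> prints the default_realm value, or
# nothing if the key is absent.
default_realm_of() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*default_realm[[:space:]]*=/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }'
}

# keytab_has PRINCIPAL KLIST_TEXT -> exit 0 if PRINCIPAL is the last field
# of any line of a "klist -k -t <keytab>" listing, 1 otherwise.
keytab_has() {
    printf '%s\n' "$2" | awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# check_sso FQDN KRB5CONF_TEXT KLIST_TEXT -> prints a verdict.
# Exit 0: expected principal present. 1: absent. 2: no default_realm.
# 3: present only with different case (Kerberos names compare exactly).
check_sso() {
    realm=$(default_realm_of "$2")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in krb5.conf, so no target name can be built"
        return 2
    fi
    want=$(expected_principal "$1" "$realm")
    if keytab_has "$want" "$3"; then
        echo "OK: keytab contains $want"
        return 0
    fi
    # Case-insensitive fixed-string search to tell a case mismatch apart
    # from a principal that is simply not there.
    if printf '%s\n' "$3" | grep -qiF -e "$want"; then
        echo "FAIL: keytab has $want only with different case; the KDC lookup is exact"
        return 3
    fi
    echo "FAIL: keytab does not contain $want"
    return 1
}

# Constructed sample inputs (not captured from the poster's server).
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = true
[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
    }'

SAMPLE_KLIST_GOOD='Keytab name: FILE:krb5.xmpp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/03/2015 14:00:00 xmpp/openfire-server.domain.local@DOMAIN.LOCAL'

# Same keytab, but the principal was created with a capitalised host name.
SAMPLE_KLIST_CASE='Keytab name: FILE:krb5.xmpp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/03/2015 14:00:00 xmpp/OpenFire-Server.domain.local@DOMAIN.LOCAL'

for listing in "$SAMPLE_KLIST_GOOD" "$SAMPLE_KLIST_CASE"; do
    check_sso openfire-server.domain.local "$SAMPLE_KRB5CONF" "$listing" || :
done
```

On a real box, feed it the live files: check_sso "$(grep xmpp.fqdn-value-from-admin-console)" "$(cat /etc/krb5.conf)" "$(klist -k -t /path/to/krb5.xmpp.keytab)". It deliberately does not inspect the KVNO column; a keytab that matches by name but holds a stale key version fails later with a different error, and kvno against the live KDC is the tool for that.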