
HELP OpenFire Debian Server SSO in Server 2008R2 domain

Question asked by yo yo on Dec 3, 2015
Latest reply on Dec 4, 2015 by speedy

Ok, I have been banging my head against the wall for a few days on this and have been reading through many posts like the following:


SSO Configuration

https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux

SSO:  An easier way to join your CentOS 5 Openfire server to an AD Domain

Re: Spark / OpenFire SSO failure

SSO for Openfire 3.8.1 on Debian 7.0 "Wheezy" x64 + Spark 2.6.3 + AD W2k8 (not R2)


I have openfire server configured and set up on Debian 8 Jessie 64 bit.

Currently I can sign in manually with my AD credentials and everything works fine in that department.

The problem is I keep getting this error in my spark log when trying to use SSO:


Dec 03, 2015 3:22:12 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 19 more


I have created two AD users, one for openfire to use when enumerating AD users and the other for the keytab that has Kerberos pre-authentication disabled and AES 128-bit authentication enabled.

I can use kinit -V -k -t krb5.xmpp.keytab xmpp/openfire-server.domain.local@DOMAIN.LOCAL from the openfire server to confirm keytab file authentication with Kerberos.

I have actually tried importing the keytab a couple different ways from the KDC per suggested methods in the above links as well as generating it on the openfire Debian server itself to no avail.

I have checked the system properties for xmpp.domain and xmpp.fqdn which are both set to openfire-server.domain.local.

My /etc/hosts file and nsswitch.conf files appear to be correct as well as /usr/share/openfire/resource/conf/gss.conf and /etc/krb5.conf files.

At this point I have reloaded the server from scratch twice now just to be sure I wasn't missing anything.


Can anyone post any pointers or at the very least suggest a better Linux chat server solution with SSO for a Server 2008 R2 domain?
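The post says the keytab holds xmpp/openfire-server.domain.local@DOMAIN.LOCAL with an AES-128 key and that kinit accepts it; both claims can also be checked offline by reading the keytab file itself. The script below is an added example, not code from the post or from Openfire: it parses the MIT keytab format (version 0x0502) and reports whether the principal built from xmpp.fqdn is present with an AES enctype, so a name or enctype mismatch is visible without touching the KDC. The sample keytab bytes are constructed inline (16 zero bytes stand in for a real key), and the build_keytab helper is an assumption of this example, not something Openfire ships.

```python
import struct
AES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from MIT keytab bytes (format 0x0502)."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version %r" % data[:2]
    def octets(p):  # counted_octet_string: uint16 length, then that many bytes
        n = struct.unpack(">H", data[p:p + 2])[0]
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)  # negative size marks a deleted slot
        if size > 0:
            ncomp = struct.unpack(">H", data[pos:pos + 2])[0]  # realm not counted
            realm, pos = octets(pos + 2)
            comps = [None] * ncomp
            for i in range(ncomp):
                comps[i], pos = octets(pos)
            _ntype, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
            pos += 13 + klen  # step over the key material itself
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
            entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        pos = end
    return entries

def check_sso_keytab(data, xmpp_fqdn, realm, service="xmpp"):
    """Return (ok, message): is service/<xmpp.fqdn>@REALM present with an AES key?"""
    wanted = "%s/%s@%s" % (service, xmpp_fqdn, realm)
    entries = parse_keytab(data)
    hits = [e for e in entries if e[0] == wanted]
    aes = [e for e in hits if e[1] in AES]
    if aes:
        return True, "%s ok: kvno %d, %s" % (wanted, aes[0][2], AES[aes[0][1]])
    if hits:
        return False, "%s present, but only with enctypes %s" % (wanted, [e[1] for e in hits])
    return False, "%s not in keytab; it holds %s" % (wanted, sorted({e[0] for e in entries}))

def build_keytab(principal, enctype, kvno, key):  # one-entry keytab, sample input only
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the post's principal, AES-128 (enctype 17), 16 zero bytes as the key
SAMPLE = build_keytab("xmpp/openfire-server.domain.local@DOMAIN.LOCAL", 17, 3, b"\0" * 16)
```

Against a real file, pass open("/path/to/krb5.xmpp.keytab", "rb").read() to check_sso_keytab; a keytab that passes here yet still produces error 7 points at the KDC side (the requested service principal not being known there) rather than at the keytab contents.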
