4 Replies Latest reply on Aug 2, 2017 9:03 AM by Francesco

    SSO not functioning at all

    Francesco

      Hi,

      I've got a problem with Openfire 4.1.5 + Spark 2.8.3 and SSO.

      So I describe the infrastructure:

      AD Windows 2012 R2 with AD level 2012 R2

      Openfire installed on drive E of the AD server

      Client Windows 10 + Spark 2.8.3

      I just configured Openfire with AD and it reads my AD correctly.

      The client has this situation:

      With krb5.ini SSO

      With DNS or settings:

      In all 3 cases the result does not change.

      This is my gss.conf:

      com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          storeKey=true
          keyTab="E:/Openfire/resources/xmpp.keytab"
          doNotPrompt=true
          useKeyTab=true
          isInitiator=false
          realm="domain.LOCAL"
          principal="xmpp/dc1.domain.local"
          debug=true;
      };

      ServicePrincipalNames registrati per CN=xmpp-openfire,OU=Service,OU=dominio,DC=dominio,DC=local:
              xmpp/dc1.dominio.local
              xmpp/dc1
              xmpp/dc1.dominio.local@dominio.LOCAL

      krb5.ini:

      [libdefaults]
          default_realm = dominio.LOCAL

      [realms]
          DOMINIO.LOCAL = {
              kdc = dc1.dominio.local
              admin_server = dc1.dominio.local
              default_domain = dominio.local
          }

      [domain_realm]
          dominio.local = DOMINIO.LOCAL
          .dominio.local = DOMINIO.LOCAL

      This is my openfire.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- This file stores bootstrap properties needed by Openfire.
           Property names must be in the format: "prop.name.is.blah=value"
           That will be stored as: <prop> <name> <is> <blah>value</blah> </is> </name> </prop>
           Most properties are stored in the Openfire database. A property viewer
           and editor is included in the admin console. -->
      <!-- root element, all properties must be under this element -->
      <jive>
        <adminConsole>
          <!-- Disable either port by setting the value to -1 -->
          <port>9090</port>
          <securePort>9091</securePort>
        </adminConsole>
        <locale>en</locale>
        <!-- Network settings. By default, Openfire will bind to all network interfaces.
             Alternatively, you can specify a specific network interfaces that the server
             will listen on. For example, 127.0.0.1. This setting is generally only useful
             on multi-homed servers. -->
        <!-- <network> <interface></interface> </network> -->
        <!-- sasl configuration -->
        <sasl>
          <mechs>GSSAPI</mechs>
          <!-- <mechs>CRAM-MD5,DIGEST MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
          <!-- Specify the realm you used when you created the service principal and keytab. -->
          <realm>dominio.LOCAL</realm>
          <!-- Mechanism-specific configuration here -->
          <gssapi>
            <!-- Use true to turn on debugging information. This adds a lot of noise to your
                 log files, but it can help you spot problems sooner in the initial setup. -->
            <debug>true</debug>
            <!-- Specify the location of the GSSAPI configuration file you edited. -->
            <!-- Sets the system property with the same name. You'll probably want "false"
                 here (the default). For more details, see
                 [http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html] -->
          </gssapi>
        </sasl>
        <!-- SPDY Protocol is npn. (note: npn does not work with Java 8)
             add -Xbootclasspath/p:/OPENFIRE_HOME/lib/npn-boot.jar to .vmoptions file -->
        <!-- <spdy> <protocol>npn</protocol> </spdy> -->
        <!-- XEP-0198 properties -->
        <stream>
          <management>
            <!-- Whether stream management is offered to clients by server. -->
            <active>true</active>
            <!-- Number of stanzas sent to client before a stream management acknowledgement request is made. -->
            <requestFrequency>5</requestFrequency>
          </management>
        </stream>
        <connectionProvider>
          <className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
        </connectionProvider>
        <setup>true</setup>
      </jive>


      Windows Firewall disabled

      Client and server on the same network

      On the client, Java is not installed.

      I read these guides:

      How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

      SSO Issues (WinSrv2016/Win10Ent w/ Openfire 4.1.0 & Spark 2.8.2)

      SSO Configuration

      Help?
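      The three files in a setup like this (krb5.ini, the JAAS accept entry, the SPNs on the service account) have to agree with each other, and the Kerberos library does not warn when they do not: an unknown section name is silently ignored, and realm names are compared case-sensitively, so a default_realm of `dominio.LOCAL` never finds a `[realms]` entry named `DOMINIO.LOCAL`. The script below is an added example (not the poster's configuration and not Openfire's code) that parses the three inputs and reports such inconsistencies. Its sample inputs are constructed to resemble the posted files and deliberately contain the kinds of mistakes the checks look for; `KNOWN_SECTIONS` is a subset of the section names MIT krb5.conf defines, and the SPN list is a copy of the one in the post.

```python
"""Cross-check krb5.ini, a JAAS login entry (gss.conf) and the registered
SPNs of a Kerberos SSO setup. Added example, not the poster's or Openfire's
code; the samples below are constructed and deliberately contain defects."""
import re

# Constructed krb5.ini sample in the shape of the posted file (with defects).
KRB5_INI = """\
libdefaults]
    default_realm = dominio.LOCAL

[realms]
    DOMINIO.LOCAL = {
        kdc = dc1.dominio.local
    }

[domain_realms]
    dominio.local= DOMINIO.LOCAL
    .dominio.local= DOMINIO.LOCAL
"""

# Constructed JAAS sample (option lines of a gss.conf accept entry).
GSS_CONF = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="E:/Openfire/resources/xmpp.keytab"
    isInitiator=false
    realm="domain.LOCAL"
    principal="xmpp/dc1.domain.local"
    debug=true;
};
"""

# SPNs as listed for the service account in the post (copied).
REGISTERED_SPNS = ["xmpp/dc1.dominio.local", "xmpp/dc1",
                   "xmpp/dc1.dominio.local@dominio.LOCAL"]

# Subset of the section names MIT krb5.conf defines; krb5 ignores any other.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "logging", "plugins"}


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}, nesting each realm's
    `NAME = { ... }` block under [realms]. Malformed headers are recovered
    and reported instead of being silently dropped."""
    sections, problems = {}, []
    current = realm = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.endswith("]"):                       # section header
            name = line.strip("[]")
            if not line.startswith("["):
                problems.append(f"line {lineno}: {line!r} is a section header "
                                f"missing its '['; treating it as [{name}]")
            if name not in KNOWN_SECTIONS:
                hint = " (the correct name is [domain_realm])" if name.startswith("domain_realm") else ""
                problems.append(f"line {lineno}: unknown section [{name}]{hint}")
            current, realm = name, None
            sections.setdefault(current, {})
        elif current is None:
            problems.append(f"line {lineno}: {line!r} appears before any section header")
        elif line.endswith("{"):                     # start of a realm block
            realm = line[:-1].strip().rstrip("=").strip()
            sections[current][realm] = {}
        elif line == "}":                            # end of a realm block
            realm = None
        elif "=" in line:
            key, _, value = line.partition("=")
            target = sections[current][realm] if realm else sections[current]
            target[key.strip()] = value.strip()
    return sections, problems


def parse_jaas_options(text):
    """Collect the key=value options of a JAAS login entry, quotes stripped."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'(\w+)="?([^"\s;]+)"?', text)}


def run_checks(krb5_text, jaas_text, spns):
    """Return human-readable findings; an empty list means the inputs agree."""
    sections, problems = parse_krb5(krb5_text)
    realms = sections.get("realms", {})
    default_realm = sections.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]")
    elif default_realm not in realms:
        # Realm names are case-sensitive to the Kerberos library: a lookup of
        # 'dominio.LOCAL' does not find a [realms] entry named 'DOMINIO.LOCAL'.
        near = [r for r in realms if r.upper() == default_realm.upper()]
        problems.append(f"default_realm {default_realm!r} does not match [realms] entry "
                        f"{near[0]!r}: realm names are case-sensitive" if near else
                        f"default_realm {default_realm!r} has no [realms] entry")
    for domain, mapped in sections.get("domain_realm", {}).items():
        if mapped not in realms:
            problems.append(f"[domain_realm] maps {domain!r} to undefined realm {mapped!r}")
    jaas = parse_jaas_options(jaas_text)
    if jaas.get("realm") and jaas["realm"] not in realms:
        problems.append(f"JAAS realm {jaas['realm']!r} is not defined in krb5.ini [realms]")
    principal = jaas.get("principal", "").split("@")[0]
    if principal and principal not in {s.split("@")[0] for s in spns}:
        problems.append(f"JAAS principal {principal!r} is not one of the registered SPNs")
    return problems


if __name__ == "__main__":
    for finding in run_checks(KRB5_INI, GSS_CONF, REGISTERED_SPNS):
        print("-", finding)
```

      Run against the constructed sample it reports five findings: the header missing its bracket, the misspelled `[domain_realms]` section, the case mismatch between default_realm and the `[realms]` entry, a JAAS realm that krb5.ini does not define, and a JAAS principal that is not among the registered SPNs. It only compares the text of the three inputs; whether the keytab really holds the key for that principal still has to be verified on the server with the keytab tooling of the platform.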

        • Re: SSO not functioning at all
          speedy

          Make sure you can connect without SSO, using your AD credentials. This will rule out a few things first.

          Make sure you have debug enabled in Openfire... this will provide some needed information as to what the failure is.

          Also, what are you trying to connect to? What's your XMPP domain?

            • Re: SSO not functioning at all
              Francesco

              I can connect without SSO.

              Debug mode in openfire.xml?

              Where do I enable debug?

              I use only the internal domain, so my XMPP domain is domain.local.

                • Re: SSO not functioning at all
                  speedy

                  Are you using SRV records that point domain.local to something like xmpp.domain.local?

                  FYI, I'm currently in the group chat.

                    • Re: SSO not functioning at all
                      Francesco

                      This is the error from the Openfire server:

                          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                          at java.lang.Thread.run(Unknown Source)
                      2017.08.02 17:52:26 org.jitsi.impl.protocol.xmpp.XmppProtocolProvider - Failed to connect/login: Anonymous login failed.
                      Anonymous login failed.:
                          at org.jivesoftware.smack.NonSASLAuthentication.authenticateAnonymously(NonSASLAuthentication.java:128)
                          at org.jivesoftware.smack.XMPPConnection.loginAnonymously(XMPPConnection.java:283)
                          at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.doConnect(XmppProtocolProvider.java:217)
                          at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.access$000(XmppProtocolProvider.java:47)
                          at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider$1.call(XmppProtocolProvider.java:192)
                          at org.jitsi.impl.protocol.xmpp.XmppProtocolProvider$1.call(XmppProtocolProvider.java:187)
                          at org.jitsi.retry.RetryStrategy$TaskRunner.run(RetryStrategy.java:193)
                          at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
                          at java.util.concurrent.FutureTask.run(Unknown Source)
                          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)
                          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
                          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                          at java.lang.Thread.run(Unknown Source)

                      and this is the debug log:

                      2017.08.02 18:02:23 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 71
                      Queue : [MESSAGE_RECEIVED, ]
                      2017.08.02 18:02:23 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 71
                      2017.08.02 18:02:23 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 173, accepts self-signed: false, checks validity: true
                      2017.08.02 18:02:23 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 173, accepts self-signed: false, checks validity: true
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter tls to the chain
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](no sslEngine) Initializing the SSL Handler
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](no sslEngine) SSL Handler Initialization done.
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...) : Starting the first handshake
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=50 cap=64: 3C 70 72 6F 63 65 65 64 20 78 6D 6C 6E 73 3D 22...]
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Message received : HeapBuffer[pos=0 lim=188 cap=1024: 16 03 03 00 B7 01 00 00 B3 03 03 59 81 F7 8F D6...]
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) Processing the received message
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_TASK state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_WRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=1243 cap=2115: 16 03 03 04 D6 02 00 00 4D 03 03 59 81 F7 8F 02...]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Processing the SSL Data
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Message received : HeapBuffer[pos=0 lim=75 cap=1024: 16 03 03 00 46 10 00 00 42 41 04 83 83 6C BC EB...]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) Processing the received message
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_TASK state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Processing the SSL Data
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Message received : HeapBuffer[pos=0 lim=91 cap=512: 14 03 03 00 01 01 16 03 03 00 50 CB D2 26 22 0F...]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) Processing the received message
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_UNWRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_WRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=6 cap=8: 14 03 03 00 01 01]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the NEED_WRAP state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=85 cap=132: 16 03 03 00 50 9E 91 3A 4F 53 90 2F 86 3A 61 D9...]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](ssl...) processing the FINISHED state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](SSL) is now secured
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](SSL) processing the FINISHED state
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](SSL) is now secured
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Processing the SSL Data
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Message received : HeapBuffer[pos=0 lim=229 cap=512: 17 03 03 00 E0 B0 6D DB D6 5D AB 5F 29 1F 6C BD...]
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](SSL) Processing the received message
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Processing the SSL Data
                      2017.08.02 18:02:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 71
                      Queue : [MESSAGE_RECEIVED, ]
                      2017.08.02 18:02:24 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 71
                      2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=530 cap=1024: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 27 31...]
                      2017.08.02 18:02:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 71
                      Queue : [MESSAGE_SENT, ]
                      2017.08.02 18:02:24 org.quartz.core.QuartzSchedulerThread - batch acquisition of 0 triggers

                      It's as if Spark cannot send the correct password, or maybe does not send a password to Openfire.
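      A MINA debug trace like the one above is easier to read as a per-session summary: did the TLS handshake complete, and what crossed the connection afterwards? The script below is an added example, not Openfire's or the poster's code. Its sample is a constructed excerpt made of a few of the posted lines. It relies on two things visible in the log itself: outgoing buffers are logged before encryption (their hex starts with 3C, the '<' of the XML), while incoming ones are raw TLS records whose first byte is the content type (0x16 handshake, 0x14 change cipher spec, 0x17 application data, per the TLS record layer), so the leading bytes tell which layer a buffer belongs to.

```python
"""Summarize Openfire/MINA debug output per session to locate where a client
connection stalls: before, during or after the TLS handshake.
Added example, not Openfire's code; SAMPLE_LOG is a constructed excerpt."""
import re

SAMPLE_LOG = """\
2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...) : Starting the first handshake
2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=50 cap=64: 3C 70 72 6F 63 65 65 64 20 78 6D 6C 6E 73 3D 22...]
2017.08.02 18:02:23 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Message received : HeapBuffer[pos=0 lim=188 cap=1024: 16 03 03 00 B7 01 00 00 B3 03 03 59 81 F7 8F D6...]
2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](ssl...): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=6 cap=8: 14 03 03 00 01 01]
2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslHandler - Session Server[71](SSL) is now secured
2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Message received : HeapBuffer[pos=0 lim=229 cap=512: 17 03 03 00 E0 B0 6D DB D6 5D AB 5F 29 1F 6C BD...]
2017.08.02 18:02:24 org.apache.mina.filter.ssl.SslFilter - Session Server[71](SSL): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=530 cap=1024: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 27 31...]
2017.08.02 18:02:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 71
2017.08.02 18:02:24 org.quartz.core.QuartzSchedulerThread - batch acquisition of 0 triggers
"""

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (\S+) - (.*)$")
SESSION_RE = re.compile(r"[Ss]ession (?:Server\[)?(\d+)")
BUFFER_RE = re.compile(r"HeapBuffer\[pos=\d+ lim=(\d+) cap=\d+: ([0-9A-F ]+)")
# TLS record-layer content types and versions (RFC 5246).
TLS_TYPES = {0x14: "tls-change-cipher-spec", 0x15: "tls-alert",
             0x16: "tls-handshake", 0x17: "tls-application-data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify(hex_prefix):
    """Label a logged buffer by its first bytes: a TLS record type plus the
    record-layer version, or 'plaintext' with the decoded leading text."""
    b = bytes.fromhex(hex_prefix)
    if len(b) >= 3 and b[0] in TLS_TYPES:
        return TLS_TYPES[b[0]], TLS_VERSIONS.get((b[1], b[2]), "unknown version")
    return "plaintext", b.decode("ascii", "replace")


def summarize(log_text):
    """Group lines by session id and record, in order, every buffer written or
    received, when (if ever) TLS came up, and what traffic followed it."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _logger, msg = m.groups()
        sid = SESSION_RE.search(msg)
        if not sid:                       # scheduler noise and the like
            continue
        s = sessions.setdefault(sid.group(1), {
            "first": ts, "last": ts, "secured_at": None,
            "records": [], "after_tls": {"in": 0, "out": 0}})
        s["last"] = ts
        if "is now secured" in msg and s["secured_at"] is None:
            s["secured_at"] = ts
        buf = BUFFER_RE.search(msg)
        if buf:
            direction = "out" if "Writing Message" in msg else "in"
            kind, detail = classify(buf.group(2))
            s["records"].append((direction, int(buf.group(1)), kind, detail))
            if s["secured_at"] is not None:
                s["after_tls"][direction] += 1
    return sessions


def report(sessions):
    """One line per session saying how far it got."""
    lines = []
    for sid, s in sessions.items():
        if s["secured_at"] is None:
            stage = "TLS handshake never completed"
        else:
            stage = (f"TLS handshake completed at {s['secured_at'][-8:]}, then "
                     f"{s['after_tls']['in']} record(s) in / {s['after_tls']['out']} out")
        lines.append(f"session {sid}: {s['first'][-8:]} to {s['last'][-8:]}: {stage}")
    return lines


if __name__ == "__main__":
    for r in report(summarize(SAMPLE_LOG)):
        print(r)
```

      For session 71 the summary says the handshake completed at 18:02:24 and was followed by exactly one record in (229 bytes of application data) and one out (530 bytes of plaintext beginning `<?xml version='1`), with nothing further in the excerpt. That places the stall after TLS, in the XMPP stream and authentication phase, rather than in the network path or certificate validation; the summary does not say why the client stopped there, only where.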