6308 Views 7 Replies Latest reply: Jun 17, 2007 9:01 AM by slushpupie
sixthring KeyContributor 3,828 posts since Apr 2, 2007

May 17, 2007 5:42 AM

SSO with Openfire 3.3.1 and spark 2.5.3b1

I am trying to configure Openfire and Spark for SSO. My Openfire 3.3.1 server is running on Windows, and Spark 2.5.3b1 is also on Windows. Authentication is via Active Directory.

I have installed the SASL in my Openfire 3.3.1 on Windows Server. I think it is configured correctly, but I still cannot log in via SSO. Regular login methods still work fine. The users all use Spark on Windows, and the server is also on Windows. I am at a loss here. This is my new openfire.xml:

</FAMILY><GIVEN></GIVEN><MIDDLE/></N>

</N>

<EMAIL>

<INTERNET/>

<USERID></USERID>

</EMAIL>

<FN></FN>

<ADR>

<HOME/>

<STREET></STREET>

<PCODE></PCODE>

<CTRY></CTRY>

</ADR>

<ADR>

<WORK/>

<STREET></STREET>

<LOCALITY></LOCALITY>

<REGION></REGION>

<PCODE></PCODE>

<CTRY></CTRY>

</ADR>

<TEL>

<HOME/>

<VOICE/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<HOME/>

<CELL/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<VOICE/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<CELL/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<FAX/>

<NUMBER></NUMBER>

</TEL>

<TEL>

<WORK/>

<PAGER/>

<NUMBER></NUMBER>

</TEL>

<TITLE></TITLE>

<ORG>

<ORGNAME></ORGNAME>

<ORGUNIT></ORGUNIT>

</ORG>

<URL></URL>

</vCard>]]></vcard-mapping>

<nameField>cn</nameField>

<emailField>mail</emailField>

<groupNameField>cn</groupNameField>

<groupMemberField>member</groupMemberField>

<groupDescriptionField>description</groupDescriptionField>

<posixMode>false</posixMode>

<groupSearchFilter>(objectClass=group)</groupSearchFilter>

</ldap>

<provider>

<vcard>

<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>

</vcard>

<user>

<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>

</user>

<auth>

<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>

</auth>

<group>

<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>

</group>

<authorization>

<classList>org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy</classList>

<!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy-->

</authorization>

</provider>

<setup>true</setup>

<log>

<debug>

<enabled>true</enabled>

</debug>

</log>

</jive>

    • slushpupie KeyContributor 776 posts since Jan 27, 2006
      Jun 1, 2007 1:30 PM (in response to sixthring)
      Re: SSO with Openfire 3.3.1 and spark 2.5.3b1

      SSO is very new to Spark, and though it's been in Openfire for a while now, it was implemented with Unix in mind. That said, it does work on Windows, but there is no step-by-step guide that will work for everyone. But this might come close:

      http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos

      It ties together some documentation I wrote with the experiences a few others have had.

      But off the bat, here are a few tips for you:

      Install the Windows Resource Kit to get the klist.exe command. That will help you debug problems.

      Your realm looks odd to me. Maybe you are just obscuring it, but generally the realm is based off some DNS entry, and will have one or more dots in it. That's not an absolute rule, though.

      In the mechs list, you need GSSAPI, not NTLM. The support in Spark and Openfire is for GSSAPI. There is a third-party patch for Openfire that will do NTLM, but that's a whole separate thing.

      Debugging can get really messy with this. Sometimes the easiest way to do it is to disable all SSL and use tcpdump (or WinDump, or some other TCP packet capture tool) and watch the exchange.
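
An added example for the packet-capture tip above; this is not code from the thread, from Openfire or from Spark. With SSL disabled, the first SASL message the client sends is `<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>` carrying a base64 GSS-API InitialContextToken (RFC 1964), and the Kerberos ticket inside that token names the service principal the client actually obtained a ticket for. The script builds such a token from constructed values (realm MYDOMAIN.NET, principal xmpp/jabber.mydomain.com, dummy encrypted parts; none of these are taken from a real capture) to stand in for the client, then decodes it the way a server would and reports that principal, which can be compared with the principal in the keytab. Only raw krb5 tokens are handled; a SPNEGO or NTLM token is rejected with an error.

```python
"""Added example (not Openfire or Spark code): decode the initial SASL GSSAPI
token an XMPP client sends and report the service principal inside its
Kerberos AP-REQ. The sample token is constructed below; real ones come from
the base64 body of the client's <auth mechanism='GSSAPI'> element."""
import base64

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"                             # RFC 4121 KRB_AP_REQ


# --- minimal DER helpers; single-byte tags cover all of Kerberos' ASN.1 ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def ctx(n: int, body: bytes) -> bytes:       # [n] EXPLICIT (constructed, context-specific)
    return tlv(0xA0 | n, body)


def integer(n: int) -> bytes:                 # small non-negative INTEGER
    return tlv(0x02, n.to_bytes(2 if n > 0x7F else 1, "big"))


def generalstring(s: str) -> bytes:
    return tlv(0x1B, s.encode())


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def fields(seq_body: bytes) -> dict:
    """Body of a SEQUENCE of [n]-tagged members -> {n: inner body}."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, body, pos = read_tlv(seq_body, pos)
        out[tag & 0x1F] = body
    return out


# --- client side (constructed): a GSS-API InitialContextToken wrapping an AP-REQ ---
def build_gss_ap_req(realm: str, sname: list, name_type: int = 2, etype: int = 23) -> bytes:
    # enc-part and authenticator are EncryptedData; dummy ciphertext is enough here
    encrypted = tlv(0x30, ctx(0, integer(etype)) + ctx(2, tlv(0x04, b"\x00" * 16)))
    principal = tlv(0x30, ctx(0, integer(name_type))
                    + ctx(1, tlv(0x30, b"".join(generalstring(c) for c in sname))))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, generalstring(realm))
                               + ctx(2, principal) + ctx(3, encrypted)))
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14))
                               + ctx(2, tlv(0x03, b"\x00" * 5))   # ap-options BIT STRING
                               + ctx(3, ticket) + ctx(4, encrypted)))
    return tlv(0x60, tlv(0x06, KRB5_MECH_OID) + TOK_ID_AP_REQ + ap_req)


def sasl_auth_element(token: bytes) -> str:
    return ("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>"
            + base64.b64encode(token).decode() + "</auth>")


# --- server side: pull realm and sname out of the ticket the client presented ---
def requested_spn(token: bytes):
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5 (SPNEGO/NTLM not handled)")
    if body[pos:pos + 2] != TOK_ID_AP_REQ:
        raise ValueError("token is not a KRB_AP_REQ")
    _, ap_req, _ = read_tlv(body, pos + 2)                     # APPLICATION 14
    ap = fields(read_tlv(ap_req, 0)[1])
    tkt = fields(read_tlv(read_tlv(ap[3], 0)[1], 0)[1])        # APPLICATION 1 -> SEQUENCE
    realm = read_tlv(tkt[1], 0)[1].decode()
    pn = fields(read_tlv(tkt[2], 0)[1])
    name_type = int.from_bytes(read_tlv(pn[0], 0)[1], "big")
    names, comps, pos = read_tlv(pn[1], 0)[1], [], 0
    while pos < len(names):
        _, s, pos = read_tlv(names, pos)
        comps.append(s.decode())
    return "/".join(comps) + "@" + realm, name_type


def spn_from_auth_element(xml: str):
    """Take the <auth ...>BASE64</auth> element as captured and decode it."""
    b64 = xml[xml.index(">") + 1:xml.rindex("<")]
    return requested_spn(base64.b64decode(b64))


if __name__ == "__main__":
    captured = sasl_auth_element(build_gss_ap_req("MYDOMAIN.NET", ["xmpp", "jabber.mydomain.com"]))
    print(captured[:90] + "...")
    print("client presented a ticket for:", spn_from_auth_element(captured))
```

Paste the `<auth ...>...</auth>` element from the capture into `spn_from_auth_element` to see which service principal the client's ticket was issued for; the name type comes back as well (2 is KRB5_NT_SRV_INST).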

      • slushpupie KeyContributor 776 posts since Jan 27, 2006
        Jun 1, 2007 1:34 PM (in response to slushpupie)
        Re: SSO with Openfire 3.3.1 and spark 2.5.3b1

        Oh, one other thing. The provider names change from 3.3.0 to 3.3.1. Change

        org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy

        to

        org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationPolicy

        These will change again in the future, as the logic behind them in the current versions is not very good.

      • 12 posts since Nov 15, 2006
        Jun 16, 2007 6:08 PM (in response to slushpupie)
        Re: SSO with Openfire 3.3.1 and spark 2.5.3b1

        Hi SP... we've got a strange problem with SSO and can't seem to get it to work... except for one user account on one box. It seems I can only get SSO to work when I log onto the Openfire server itself as jadmin (jadmin is both a domain administrator and an Openfire administrator account). When I log into the Openfire server desktop and launch Spark 2.5.3 with SSO, it works. However, when I log onto any other box (workstation, other servers) using the jadmin domain administrator account, SSO does not work. I'm thinking there is something seriously wrong with my setup. Might it have something to do with the fact my JIDs are user@mydomain.com while my internal FQDN is different?

        I've read the following posts and tried to understand them as best as I could:
        http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos
        http://www.igniterealtime.org/forum/thread.jspa?threadID=26606&tstart=375
        http://www.igniterealtime.org/forum/thread.jspa?messageID=148242&#148242

        I am not using the startup BAT files referenced in one of the posts; should I be? I'm also not sure if I need SRV records or how to go about ensuring they are correct.

        Here's our setup:

            - Openfire 3.3.1 on Windows Server 2003 SP2 domain member, host name: jhost.mydomain.NET
            - Openfire configured Server Name: jabber.mydomain.COM
            - Spark 2.5.3 client on Windows Server 2003 SP2 Terminal Server (domain member)
            - Openfire using LDAP to Active Directory
            - Openfire running as Windows service under domain account: mydomain.net\openfire
            - Openfire host server and all client machines have JRE 6 installed with JCE
            - Created keytab file using ktpass util, version 5.2.3790.3959:

        ktpass -princ xmpp/jhost.mydomain.net@MYDOMAIN.NET -mapuser openfire@mydomain.net -pass xxxxxxxx -out jabber.keytab

            - Are the WARNING and KRB5_NT_UNKNOWN normal?

        Targeting domain controller: kdcserv.mydomain.net
        Using legacy password setting method
        Successfully mapped xmpp/jhost.mydomain.net to openfire.
        WARNING: pType and account type do not match. This might cause problems.
        Key created.
        Output keytab to jabber.keytab:
        Keytab version: 0x502
        keysize 81 xmpp/jhost.mydomain.net@MYDOMAIN.NET ptype 0 (KRB5_NT_UNKNOWN) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x16e4e111f29a8fa04d8bf546fafe5919)

            - When I run "klist tickets" I see (not xmpp/jhost.mydomain.net?):

              Server: host/jhost.mydomain.net@MYDOMAIN.NET
              KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
              End Time: 6/17/2007 3:16:13
              Renew Time: 6/17/2007 3:16:13

            - Created PTR record for jhost.mydomain.net in DNS
            - Set "openfire" domain account to "User cannot change password"
            - Set "openfire" to enable "Password never expires"
            - Set "openfire" to enable "Use DES encryption types for this account"
            - Set "openfire" delegation to "Trust this user for delegation to any service (Kerberos only)"
            - After running ktpass, "openfire" account "User logon name" was set to: xmpp/jhost.mydomain.net
            - I checked NTFS file perms for "openfire" domain account access to jabber.keytab file on Openfire host and they're good
            - I updated the registry on the Spark terminal server: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters allowtgtsessionkey (1)
            - Here is my gss.conf file:

        com.sun.security.jgss.accept {
            com.sun.security.auth.module.Krb5LoginModule
            required
            storeKey=true
            keyTab="C:/Program Files/Openfire/conf/jabber.keytab"
            doNotPrompt=true
            useKeyTab=true
            realm="MYDOMAIN.NET"
            principal="xmpp/jhost.mydomain.net@MYDOMAIN.NET"
            debug=true;
        };

            - I added the

            - And still, I can use SSO with the jadmin user account if I log directly into the host running Openfire and launch Spark from there. Oddly enough though, SSO does not work on the same host using a typical domain user account.

            - On any host I can still log in with jadmin or any standard domain user by using Spark and standard username/password entry.
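
An added example, not part of this thread and not Openfire or ktpass code: the ktpass output above prints what it wrote, but the keytab can also be read back on the Openfire host to confirm the principal, name type (ptype), kvno and enctype that the Krb5LoginModule named in gss.conf will find in the file. The parser below handles the MIT keytab layout whose version tag is 0x0502 (assumed here to be the layout ktpass means by "Keytab version: 0x502"). The sample keytab bytes are constructed in the script with a placeholder key, not the key printed in the post, and a second, older DES entry is added so that the listing shows more than one key version.

```python
"""Added example (not Openfire or ktpass code): read back a keytab in the MIT
0x0502 layout and list, per entry, the principal, name type, kvno and enctype.
The sample keytab at the bottom is constructed here; its keys are placeholders."""
import struct
import sys
from dataclasses import dataclass
from typing import List

NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL",
              2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 (big-endian) is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # negative size = deleted slot, skip it
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:             # optional 32-bit kvno, wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
    return entries


def describe(e: KeytabEntry) -> str:
    return (f"{e.principal} ptype {e.name_type} ({NAME_TYPES.get(e.name_type, '?')}) "
            f"vno {e.kvno} etype {e.etype} ({ENCTYPES.get(e.etype, 'unknown')}) "
            f"keylength {len(e.key)}")


def build_entry(realm, comps, name_type, ts, kvno, etype, key) -> bytes:
    """Encoder used only to construct the sample keytab below."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the principal/ptype/vno/etype that ktpass printed in the
# post, with a placeholder key (NOT the key shown there), plus an older DES entry.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("MYDOMAIN.NET", ["xmpp", "jhost.mydomain.net"], 0, 1182038400, 14, 23,
                  bytes.fromhex("00112233445566778899aabbccddeeff"))
    + build_entry("MYDOMAIN.NET", ["xmpp", "jhost.mydomain.net"], 0, 1181952000, 13, 3,
                  bytes.fromhex("0123456789abcdef")))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for entry in parse_keytab(data):
        print(describe(entry))
```

Run it with the keytab path as the argument (for the setup above, `"C:\Program Files\Openfire\conf\jabber.keytab"`) to list every entry; with no argument it lists the constructed sample. The enctype and kvno it prints are the values Openfire's JAAS module will have to match against the service ticket the client presents.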
