SSO problems (FINALLY WORKING!)

I have spent two days attempting to get SSO working and it's gotten very frustrating, so I am hoping someone here can shed some light.

I am running Openfire 3.4.1 on Windows 2003 Server joined to our AD domain, with Windows XP SP2 clients running Spark 2.5.8.


I have generated my keytab file using the following:

ktpass -princ xmpp/ellington.intranet.com@INTRANET.COM -mapuser "openfireserver@INTRANET.COM" -pass * -ptype KRB5_NT_PRINCIPAL -out ellington.keytab


Got the keytab file with no errors, moved it to the Openfire server in the resources folder and generated the gss.conf file as follows:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/PROGRA~2/Openfire/resources/ellington.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="INTRANET.COM"
    principal="xmpp/ellington.intranet.com@INTRANET.COM"
    debug=true;
};


I have modified my openfire.xml as follows:

<!-- sasl configuration -->
<sasl>
    <mechs>GSSAPI</mechs>
    <realm>INTRANET.COM</realm>
    <gssapi>
        <debug>true</debug>
        <config>C:/PROGRA~2/Openfire/conf/gss.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl>

<!-- provider configuration -->
<provider>
    <user>
        <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
        <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
        <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
    <vcard>
        <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <authorization>
        <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
    </authorization>
</provider>


I have copied the following krb5.ini file to both client and server in the C:\WINDOWS directory:

[libdefaults]
    default_realm = INTRANET.COM

[realms]
    INTRANET.COM = {
        kdc = dc2.intranet.com
        kdc = dc1.intranet.com
        admin_server = dc2.intranet.com
        default_domain = intranet.com
    }

[domain_realm]
    intranet.com = INTRANET.COM
    .intranet.com = INTRANET.COM


I have also made the registry changes on both the XP client and 2003 Server.

I still fail to connect. I get the following message from Spark:

“Unable to connect using Single Sign-On. Please check your principal and server settings.”

This is what's in my Openfire warn.log:

2007.11.20 14:22:44 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
... 20 more
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 26 more
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 42 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 46 more


If anybody has any ideas, I am open to them. I have tried EVERYTHING I can think of to make this work. I may be missing something, but I have gone through all the documentation and messages I can find on the subject in the forums.

Thank you

Poppa

Did you set the xmpp.fqdn property?

Yup, xmpp.fqdn is set correctly. After unchecking the Kerberos pre-auth requirement setting for the Openfire user in AD, I get the following error in warn.log. I am not sure what the “Checksum failed” error is referring to.

2007.11.21 13:09:28 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
... 20 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 26 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 42 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
... 49 more

I FINALLY got this working.

It took some work and googling... Most of the info in the forums and in FAQs is incorrect, it seems, as of Openfire 3.4.1 and Spark 2.5.8. I got this running on Windows 2003 Server and Windows XP Spark clients. I plan to tackle Mac OS X Tiger next, as we use Kerberos to bind our OS X machines and users to AD as well; it should work great. If anybody wants the info on how I did this, just let me know.

Poppa

If information is incorrect, please post what corrections need to be made and I can update the document. Or if you wish, you may edit the document as well.

Will do. I have started working on a draft and will publish it as soon as it's finished. I will have to go back through my notes and clean them up for others to understand.

Poppa

Posted a new document specifically for Windows as requested. I tried to update the original, but the editor was frustrating me by moving things around I had not touched. So I started a new document specifically for Windows.

Poppa Smurf

Ok, silly questions time: I have followed your guide on configuring SSO, and am left with the same ‘checksum failed’ error. How did you resolve this? Any idea what it actually means? Kerberos appears to be working, and Spark logs in when not using SSO. Thanks in advance; I have been working on this for about 18 hrs straight and it’s driving me mad!! Openfire warn log below.

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
... 21 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 27 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 43 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
... 50 more

The “Checksum failed” error is an indication of corrupt data on some level, and from the error I would guess it's your keytab.

I agree with slushpupie; it could be your keytab. I was getting the same error until I used the Java ktab utility to create my keytab file. Did you use the JRE ktab utility that came with the Openfire server to create your keytab, or did you create it on the Windows server? Also, make sure your krb5.ini file exists on your server and client.

Poppa Smurf

Thanks for the help. I was extremely impressed by the software and even more so by the support. I had made the keytab with the Java utility:

ktab -k xmpp.keytab -a xmpp/jabber.test-domain.local@TEST-DOMAIN.LOCAL

I recreated it using the same command and still got the same error, so I created one on the KDC using the Win 2k3 utility ktpass, per the original documentation:

ktpass -princ xmpp/jabber.test-domain.local@TEST-DOMAIN.LOCAL -pass password -mapuser xmpp-openfire -out xmpp.keytab -ptype KRB5_NT_PRINCIPAL

Copied it over, restarted the Openfire service and everything worked!

Thanks again for the prompt replies - I suspect it would have taken weeks for me to try that without prompting.

Tom

Wow, that's odd. I never got the keytab to work when creating it with Windows. Hmm. I guess I had better update the document to tell people to try both. Glad you're up and running though.

Poppa Smurf

Wow, that's odd. I never got the SSO to work

Tip for future readers:

You can test your keytab file using the following command from the jre\bin directory:

kinit -k -t jabber.keytab xmpp/fqdn_of_openfire_server@AD-DOMAIN "password"

This isolated my setup issue straight away, once I learned of it!
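An added example, not code from this thread or from the Openfire project: a small Python inspector for the MIT-format keytab that both the Java ktab utility and Windows ktpass write, listing each entry's principal, realm, KVNO and enctype so they can be compared against what the traces above expect (ArcFourHmac is enctype 23) before running the kinit test. The sample keytab bytes are constructed inside the block; the principal is the one from the first post and the key is a dummy value.

```python
import struct

def _octets(buf, pos):  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, kvno, etype, key, name_type=1, timestamp=0):
    """Serialise one keytab entry; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF, etype, len(key))
    body += key + struct.pack(">I", kvno)  # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502, big-endian) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(data, p)
            comps.append(c.decode())
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno, "enctype": etype, "key_len": klen})  # etype 23 = rc4-hmac
        pos = end
    return entries

def check_keytab(entries, expected_principal):
    """Findings to clear before blaming Openfire: missing principal, lower-case realm."""
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("expected principal %s not present" % expected_principal)
    for e in entries:
        realm = e["principal"].rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append("realm %r is not upper-case (realms are case-sensitive)" % realm)
    return findings
# Constructed sample: one rc4-hmac (etype 23) entry, kvno 3, dummy 16-byte key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("xmpp/ellington.intranet.com@INTRANET.COM", 3, 23, b"\x11" * 16)
```

Both “Checksum failed” (the AS-REP could not be decrypted with the keytab key) and “Pre-authentication information was invalid (24)” in the traces above are consistent with a keytab whose key does not match the account's current password, which this listing helps narrow down together with the kinit test.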

@Poppa_Smurf Please share the documents for Windows. I am trying to configure Kerberos for our application. I followed the document for the keytab and configuration file as well, but I am getting the checksum failed issue. Please share your documents for Windows; it's nearly two weeks that I have been stuck on this issue. Sharing the documents would be really helpful to us... Thanks in advance.

Can anyone help me by sharing the documents?

Raja