WinSRV 2008 R2 + AD 2003 + Openfire 3.9.3 + Spark 2.6.3 - SSO fail

“Do not require Kerberos preauthentication” - should be checked? -No

OK, it’s unchecked now.

How many spns should I create? - 2 will be created

Well, there is obviously something wrong with my xmpp-user.

I do remember I added 2 records. But ADSI Edit shows there is only 1 spn-record:

(screenshot: snap00006)

AND the other one somehow is in UPN:

(screenshot: snap00007)

UPD: I get it. The UPN is changed by ktpass -mapuser.

That’s not right, right?

Also I’ve checked the openfire server computer account:

(screenshot: snap00009)

Is it OK?

All encryption types BUT DES_CBC_CRC should be checked

OK, it’s done.

I don’t have that in mine… not to say it’s not needed.

I don’t have that in mine now either. I guess Openfire took it into its config and then deleted it.

UPD: Should I use “+DesOnly” key when creating the keytab?


Despite all the configuring, SSO still doesn’t work.

2014.06.20 12:10:32 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /10.200.100.116:59394, L: /10.200.100.15:5222, S: 0.0.0.0/0.0.0.0:5222)
java.io.IOException: An existing connection was forcibly closed by the remote host

Also there are such records in the Spark warn.log:

Jun 20, 2014 12:33:36 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 13 more
Caused by: KrbException: Identifier doesn’t match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 18 more

Did you ever find a solution for this? I’m having the same issue.

make sure your xmpp spn account matches what you have in your gss.conf file

I removed and redid the spn and confirmed that it matches the gss.conf file. I am still unable to use SSO with spark/openfire.

Openfire log error

2014.07.22 12:33:26 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed

Spark log error

Jul 22, 2014 12:33:26 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)


after you do the spn, you’ll need to recreate the keytab file. Are you using java or windows to create the keytab? If windows, are you running the command on the server 2003 or the 2008 box?


I did recreate the keytab file using java.

I’ve successfully tested the keytab file with the kinit command after creating it.

what do you get when you run kinit -k -t against your keytab file?

Wow, same time I updated my previous reply. I get nothing when I run that, which means it’s successful, correct?

I just tried your suggestion from “Desperately trying to get Windows SSO working with win2k8r2 and Win7 - Spark Support - Ignite Realtime Community Forums” of:

try creating a new keytab file. use this command on your dc. This keytab file will not pass the kinit java test…so don’t worry about it, however try it in your resource folder anyway.

ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser keytab@domain.local -pass * -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly -out xmpp.keytab

Now my client connects without a problem. Thank you for your help Speedy!
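Speedy’s point above is that the SPN, the keytab and gss.conf must all name the same principal, and the thread’s ktpass line also shows why enctype matters (DES-CBC-MD5, +DesOnly). As an added example, written for this thread and not code from Spark, Openfire or any poster, the following Python parses the MIT keytab layout that ktpass and ktab write and reports whether the expected SPN is present, with which enctypes and kvno. The keytab bytes, the principal xmpp/server.domain.local@DOMAIN.LOCAL and the enctype table are constructed for the demo.

```python
import struct
# Constructed values: the SPN the thread's ktpass command maps, and the Kerberos
# enctype ids for the types discussed (DES-CBC-CRC=1, DES-CBC-MD5=3, AES256=18).
EXPECTED_PRINCIPAL = "xmpp/server.domain.local@DOMAIN.LOCAL"
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96"}

def _counted(b):  # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(principal, enctype, kvno, key):
    """Construct a one-entry MIT keytab (format 0x0502) for the demo; mimics ktpass/ktab layout."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # 32-bit kvno suffix
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2; parts = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
        pos = end
    return out

def check_keytab(data, expected=EXPECTED_PRINCIPAL):
    """Report whether the keytab holds the SPN gss.conf names, and its enctypes/kvno."""
    entries = parse_keytab(data)
    hits = [(ENCTYPES.get(e, str(e)), k) for p, e, k in entries if p == expected]
    return {"principal_present": bool(hits), "enctypes": [h[0] for h in hits],
            "kvnos": sorted({h[1] for h in hits}),
            "other_principals": sorted({p for p, _, _ in entries if p != expected})}
```

Run check_keytab on the bytes of the real xmpp.keytab: an empty "enctypes" list with a populated "other_principals" is the SPN-vs-gss.conf mismatch this thread turned on, and a kvno that differs from the account’s current one means the keytab predates the last SPN/password change and must be regenerated.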

cool!

In my case the problem was solved by:

  • Updating JRE on Openfire server to SE 7 U60
  • Hosting keytab in the root of the system volume
  • Using Spark 2.7.0.665

And now SSO is working like a charm.

Having an issue with 1 PC. Every day I come in, it fails to sign in with SSO. Getting this error in the spark log

(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 17 more

So far it just seems to be 1 computer having this issue. I can go to another computer and log in fine every time. If I run the following command, it is fixed for the day.

“C:\Program Files (x86)\Java\jre7\bin\kinit” user@REALM.LOCAL

I just have to enter the password for the user after that command. I can log off Spark, restart the computer and still get back into Spark just fine for the day. The next day, I can no longer sign into Spark with SSO and I have to run the command again.

Happening again this morning. Spark’s error.log:

Jul 30, 2014 8:12:43 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1056)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:303)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:835)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1056)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:303)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:835)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 17 more

Spark’s output.log

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Credentials are no longer valid
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Credentials are no longer valid
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication

Openfire logs are not showing any entry for the time I try to sign in this morning.

what happens if a different user signs in from this workstation? Same result?

I’ll give that a try tomorrow and let you know. I already fixed it for today.

I signed in this morning and confirmed that user1 cannot sign in to Spark using SSO. Logged user1 out and had user2 log in; user2 logs in just fine using SSO. Had user2 log off and user1 log in again, and user1 still cannot log in to Spark. Had user1 go to a different computer and log in to the computer, and then he was able to log in to Spark successfully with SSO.

probably an issue with the user1 profile on that pc or a messed up permissions issue on it for that user. A few things to try would be to delete the spark folder in user1’s appdata folder. If that doesn’t work, recreate user1’s entire windows profile. If that doesn’t work, then run procmon to see if you run into anything there.


Deleting the spark folder in the appdata folder did not solve the issue. Recreating the user’s profile on the computer did resolve the issue. I hope it does not do this for anyone else, because I am still working on setting the user’s profile back up to how it was.

Thanks for the help again!