SSO problems and a weird REALM

I’m another poor soul who is pulling his hair out over getting SSO to work. We’re running a Windows 2003 AD environment. I’ve followed the guides on here. However, I still can’t get SSO to work. I have a funny feeling it is due to what ‘klist’ reports as my realm. Has anyone ever seen this before? Please take a look and give me some new ideas.

Thanks!

-A

How does the realm show up in the GUI tools? (the domain you belong to, etc)

In ADUC, it shows up as ‘corp.zantaz.com’. The NetBIOS name is ‘ZCORP’. I just have a funny feeling that the special character listed on klist is preventing authentication.

sorry, can’t read

Okay, I’ve made quite a bit of headway. Using kinit, I’ve been able to authenticate using the keytab file for my xmpp-openfire account, but using just the password fails. Is this a problem? I’ve tried several different authentication methods (RC4-HMAC, DES-CBC-MD5 and DES-CBC-CRC), and they all produce the same results. Further, the only way I can create a successful keytab is by using the Windows ktpass utility on the KDC itself. When I load the resulting xmpp.keytab file into Openfire, I get the following in the debug logs when I try to authenticate via SSO…

2008.06.10 15:41:32 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:218)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Any help is appreciated.
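The post above works with two questions that a keytab answers directly: which realm is actually written into it, and which enctypes and kvno its keys carry. As an added example, not part of this thread or of Openfire, the Python below parses the MIT keytab format (version 0x0502, the format ktpass and ktab both write), lists every entry's principal, realm, kvno and enctype, and flags the conditions that most often make a keytab unusable: a realm that does not match the KDC's (the comparison is case-sensitive), single-DES keys, and entries from different password versions. The realm, host name and key bytes in the sample are constructed placeholders; the rules in check_keytab are this example's own heuristics, not Openfire logic.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos enctype numbers (RFC 3961 / RFC 4757): the three tried in the thread, plus AES.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3}       # single DES: not acceptable for service keys any more
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2 (what ktpass and ktab write)

@dataclass
class KeytabEntry:
    principal: str   # name components joined with "/", without the @REALM part
    realm: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int     # the key itself is skipped over and never returned

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"enctype-{self.enctype}")

def _counted(b: bytes) -> bytes:
    # keytab "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab_entry(principal, realm, kvno, enctype, key, timestamp=0, name_type=1) -> bytes:
    """Serialise one v2 keytab entry; used here only to construct sample data."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
    body += struct.pack(">I", kvno)                                 # optional 32-bit vno
    return struct.pack(">i", len(body)) + body                      # entry length prefix

def build_keytab(entries: List[bytes]) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)

def _read_counted(buf: bytes, off: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8", "replace"), off + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative length marks a deleted slot
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(entry, off)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", entry, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", entry, off)
        off += 4 + klen
        kvno = vno8
        if len(entry) - off >= 4:           # 32-bit vno present; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", entry, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps), realm, kvno, enctype, ts, klen))
        pos = end
    return entries

def check_keytab(entries: List[KeytabEntry], expected_realm: str) -> List[str]:
    """Heuristics for the usual reasons a keytab fails to authenticate (this example's, not Openfire's)."""
    findings = []
    for e in entries:
        who = f"{e.principal}@{e.realm} ({e.enctype_name}, kvno {e.kvno})"
        if e.realm != expected_realm:       # realm names are case-sensitive in Kerberos
            findings.append(f"realm mismatch: {who} is not in {expected_realm}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype: {who}")
    kvnos = sorted({e.kvno for e in entries})
    if len(kvnos) > 1:
        findings.append(f"mixed kvno values {kvnos}: only the key matching the account's current kvno works")
    return findings

if __name__ == "__main__":
    # Constructed sample: realm, host and key bytes are placeholders, not the thread's values.
    sample = build_keytab([
        build_keytab_entry("xmpp/chat.example.com", "CORP.EXAMPLE.COM", 3, 23, b"\x11" * 16, name_type=3),
        build_keytab_entry("xmpp/chat.example.com", "corp.example.com", 2, 3, b"\x22" * 8),
    ])
    for finding in check_keytab(parse_keytab(sample), "CORP.EXAMPLE.COM"):
        print("!!", finding)
```

To inspect a real file, replace the constructed sample with `open("xmpp.keytab", "rb").read()`; the realm printed for each entry is what must match the realm the KDC issues tickets for, and the enctype must be one the server-side JVM is allowed to use.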

Is anything getting logged in Spark? (installdir)\logs\ or %userprofile%\spark\logs\

Here… I zipped up all logs and config files for both openfire and spark.

Thanks for your time!
aklino-20080611.zip (36087 Bytes)

Not sure if this will help or not, but in my spark.properties I add the following so I don’t have to use any other krb files for the client:

ssoAdv=true
ssoEnabled=true
ssoMethod=manual
ssoKDC=my.kdc.com
ssoRealm=MY.DOMAIN.COM

I get the same error when I specify manual settings in the spark.properties file.

Okay, more headway, but still no luck. I installed Spark on the Openfire server and set the reg key so I can make attempts more easily. I have also figured out how to successfully create a ktab keytab file. Using ktpass with the “-pass *” option changes the password in AD to something Java won’t ever authenticate against. Regardless, using ktab or ktpass both produce usable keytab files for me.

Now my problem is with Openfire using the keytab. When I try to use SSO, the following shows up in the console of Openfire…

Closing connection due to error while processing message: <auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YIIFIAYJKoZIhvcSAQICAQBuggUPMIIFC6ADAgEFoQMCAQ6iBwMFAAAAAACjggQzYYIELzCCBCugAwIBBaERGw9DT1JQLlpBTlRBWi5DT02iLTAroAMCAQChJDAiGwR4bXBwGxpwbGUtamFiYmVyLmNvcnAuemFudGF6LmNvbaOCAAwggPcoAMCARehAwIBA6KCA84EggPKGvS35aRUPyzGpIKnjAJlqxBgxL5srDZbQzx8UD8R7CxpRfgbLWn/KaSFcSQDvL7guH4R/Deqj76u5LY11j0D4WkC/qQ12LqAr8Vg1zMx6nyr2eK9WOdySG8G0VvAT2LlLC2S/6dWtDfCzgKy2/WUMVtJ7M5URT7BDSfCaeVhcXo6hOMGgWnb8vOqXHPEY2VdIdcpbcT2EwJ8TOwfa66cxoKroXtq9kynzHJAL/n/HUXdzOUapPNQhftSrXplCK7hK3IDn4CW8pHbPrvSbIPw6Ck4N/y/vTSGwCgRAYvhQKdA30Ds8i0Y90QgY3fLgQbnQHOD9KmEyvY4ypuLYCZAWwjSwYGtdFTza6Yq0jH9InWuwdCyovYF3c16CWGDlu4jiGkuT5gYjWzWgFLXyrsDwvUWYN7HFu/YdCwNQl5M/Yk9NAplfyTd18T4nTpDFenqthH/4UqYX/FAalQazZRhG5jiovdIvhZwxetmQsFHtEkpVBb/Ym9dPFk9aIxRFgmRSw5MICW91Ns7uh2xuPnBeEh3DkM8UIvwTuwrIjFMKwhIKtTOPzPErvEmcZIAjqoB7t72Rqk25gUdpfNtIgsoPnAsOhLPzPYtjTxkjntr3l6YWwqXtCm2XdszFwVr1A5E94fe24Bx/B1lj9OE2OuennF0LO8bB6uYXNXFCH8QuBbzI2s6MidGhkg01Gk4l1uRtsC3LpJgaTDjReDKjQxMKHptSLx5DjlABP9HPFefIt3Vxa9yJEBO0yiYxw5teO2Ju0Mohp9YL9kFxV0If24j6sfvYHZ9s0ApqizzU41WwoGeWy3Zvzx4eqAzQPcs1FSYSgrQCbn8Wiz9DWGOQySg04iFLv6c2kYLN4YpFblZAoI1SkhPcsLXcKTm1gd8UyU3HuSZwfewbwaGOvY6mwwyIKnSNTxlrHkzESilil5rrZ5FQClWEqdTrRqYvcjbs8URZkRWHK3XT3JGHBEAnNY7HRhgS02pRy1uW5SiUh4PgkgMesdAbUFaKBkwuphYzf1LuklNKjzyg/ucwpOY2dXASPAdIPoVfppr9tgqZzHD0Q/RpTMdfUbM/DwsrdBJs9X0n/E4N0owPjUO9rqiIkcJSc3ue17QZ8jR1j8FtImxUv2pVqCrNIOMej9jetXCsI23gxwUAbI29xSiLNumO1Ymkwp9JoI0f2/8y5kYpW/eFtv02JZL0pfZxtRECfSDUccu2UxWnz88CNWFnTUyj045BgU3xj2JOGPdvSqanoODav2Rw0OXfotOMq0Wbg9IYyaSBvjCBu6ADAgEDooGzBIGwBerex0AVlwqteuPrgMqstA74gibo9iq71E72RTjo3bCx5w7oYbTl1TRno34/5V/pZij0QEWHqAwaILmNZfYFlDyS3GvYXoHmmR7KOXI7MKp2HpwENb3UjJzJkwchNKNBRGN2fMOtanGxkfvmsaljTiclm6A/jXzHiahBecaOtBA7WSXoGKRxk55gV1AGRxdAQnoXvUl/TTjR7dakgDQfN47Sfmao7EhZKmglvo2x4=</auth>

java.lang.SecurityException: Configuration Error:
Line 0: expected , found
    at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at javax.security.auth.login.Configuration$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
    at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
    at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.LoginConfigImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSUtil.login(Unknown Source)
    at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
    at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
    at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:213)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:148)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:180)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: Configuration Error:
Line 0: expected , found
    at com.sun.security.auth.login.ConfigFile.match(Unknown Source)
    at com.sun.security.auth.login.ConfigFile.parseLoginEntry(Unknown Source)
    at com.sun.security.auth.login.ConfigFile.readConfig(Unknown Source)
    at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
    at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
    ... 49 more

I have zipped up all my current configs and new logs in hopes that someone can help me figure this out. I know I have got to be sooo close!

Thanks!

-A
aklino-20080612.zip (10798 Bytes)
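The "Configuration Error: Line 0: expected , found" in the trace above is thrown from com.sun.security.auth.login.ConfigFile.parseLoginEntry, the JDK's parser for the JAAS login configuration (the gss.conf Openfire hands to JGSS), so at that point the file's syntax fails before any keytab or ticket is examined. As an added example that is not from this thread or from Openfire, the Python below implements the same `Name { ModuleClass Flag key=value ...; };` grammar and reports the first line it cannot accept, including the typographic quotes that copying a config from a web page tends to introduce. The sample entry uses the real `com.sun.security.jgss.accept` entry name and real Krb5LoginModule option names; the keytab path and principal are placeholders, and the lint function and its messages are this example's own.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"   # what copy-paste from a web page often produces
WORD = re.compile(r"[^\s{};=\"']+")

class JaasConfigError(ValueError):
    """Parse failure, worded like the JDK's own 'expected X, found Y' message."""

def _tokenize(text: str):
    # Returns (token, line) pairs: { } ; = are single tokens, "quoted" text is one token,
    # //, # and /* */ comments are dropped, everything else is a bare word.
    toks, i, line, n = [], 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "\n":
            line, i = line + 1, i + 1
        elif c.isspace():
            i += 1
        elif c == "#" or text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            if j < 0:
                raise JaasConfigError(f"line {line}: unterminated comment")
            line += text.count("\n", i, j)
            i = j + 2
        elif c in "{};=":
            toks.append((c, line))
            i += 1
        elif c in "\"'":
            j = text.find(c, i + 1)
            if j < 0 or "\n" in text[i:j]:
                raise JaasConfigError(f"line {line}: unterminated quoted string")
            toks.append((text[i + 1:j], line))
            i = j + 1
        else:
            word = WORD.match(text, i).group(0)
            if any(q in word for q in TYPOGRAPHIC_QUOTES):
                raise JaasConfigError(f"line {line}: typographic quote in {word!r}; use straight ASCII quotes")
            toks.append((word, line))
            i += len(word)
    return toks

def parse_jaas_config(text: str) -> dict:
    """Parse `Name { ModuleClass Flag [key=value ...]; ... };` entries into
    {entry_name: [(module_class, flag, {option: value}), ...]}."""
    toks, pos = _tokenize(text), 0
    last_line = toks[-1][1] if toks else 1

    def peek():
        return toks[pos] if pos < len(toks) else (None, last_line)

    def word(what: str) -> str:
        nonlocal pos
        tok, line = peek()
        if tok is None or (len(tok) == 1 and tok in "{};="):
            raise JaasConfigError(f"line {line}: expected {what}, found {tok!r}")
        pos += 1
        return tok

    def expect(sym: str) -> None:
        nonlocal pos
        tok, line = peek()
        if tok != sym:
            raise JaasConfigError(f"line {line}: expected '{sym}', found {tok!r}")
        pos += 1

    entries = {}
    while pos < len(toks):
        name = word("entry name")
        if name in entries:
            raise JaasConfigError(f"line {peek()[1]}: duplicate entry {name!r}")
        expect("{")
        modules = []
        while peek()[0] != "}":
            cls = word("login module class")
            flag = word("control flag").lower()
            if flag not in FLAGS:
                raise JaasConfigError(f"line {peek()[1]}: unknown control flag {flag!r}")
            opts = {}
            while peek()[0] != ";":          # options run until the ';' that ends the module line
                key = word("option name")
                expect("=")
                opts[key] = word("option value")
            expect(";")
            modules.append((cls, flag, opts))
        expect("}")
        expect(";")                          # the closing brace needs its own ';'
        entries[name] = modules
    return entries

def lint(text: str) -> str:
    """'' when the configuration parses, otherwise the message a user should act on."""
    try:
        parse_jaas_config(text)
        return ""
    except JaasConfigError as e:
        return str(e)

# Constructed sample acceptor entry: entry name and option names are the real JGSS/Krb5LoginModule
# ones, the keytab path and principal are placeholders.
GOOD_CONFIG = """
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true useKeyTab=true doNotPrompt=true isInitiator=false
        keyTab="/opt/openfire/conf/xmpp.keytab"
        principal="xmpp/chat.example.com@CORP.EXAMPLE.COM";
};
"""

if __name__ == "__main__":
    print(lint(GOOD_CONFIG) or "ok")
    print(lint(GOOD_CONFIG.replace("};", "}")))      # missing ';' after the closing brace
```

Run it over the real gss.conf with `lint(open(path).read())` before restarting the server; a non-empty result points at the line and token the JDK parser would also reject, which is the information its own "Line 0" message leaves out.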