Openfire + Spark + SSO not working

Hey,

I have a problem connecting Spark (v. 2.7.3) to the Openfire server via SSO.

I tried all the recommendations from these links:

  1. https://community.igniterealtime.org/docs/DOC-1060
  2. https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux
  3. https://community.igniterealtime.org/docs/DOC-1522
  4. https://community.igniterealtime.org/docs/DOC-1060
  5. https://community.igniterealtime.org/thread/51154
  6. https://community.igniterealtime.org/docs/DOC-2585

and nothing :frowning:

My environment is:

KDC (AD) on Windows Server 2003

Openfire server on CentOS 7

Hosts with Spark: Windows XP, 7, 8.1

My openfire.xml looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
        This file stores bootstrap properties needed by Openfire.
        Property names must be in the format: "prop.name.is.blah=value"
        That will be stored as:
            <prop>
                <name>
                    <is>
                        value
                    </is>
                </name>
            </prop>
        Most properties are stored in the Openfire database. A
        property viewer and editor is included in the admin console.
    -->

    9090
    9091
    pl_PL
    DOMAIN
    org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
    true

My krb5.conf looks like this:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = domain
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    [realms]
        domain = {
            kdc = srv.domain
            admin_server = srv.domain
            default_domain = domain
        }

    [domain_realm]
        domain = DOMAIN
        .domain = DOMAIN

My gss.conf in the folder /opt/openfire/conf looks like this:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule
        required
        storeKey=true
        keyTab="/opt/openfire/spark.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="DOMAIN"
        principal="xmpp/srv.domain@DOMAIN"
        debug=true
        isInitiator=false;
    };

Created the spark user on the DC with the options "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication".

For spark, created the Kerberos XMPP SPNs on the DC:

    setspn -A xmpp/srv.domain@DOMAIN spark
    setspn -A xmpp/srv.domain spark
    setspn -A xmpp/srv spark

For spark, mapped the Kerberos XMPP SPN on the DC:

    ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL

Created the spark.keytab file on the DC:

    ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL -out spark.keytab

Copied spark.keytab to srv.domain (the Openfire server) into the folder /opt/openfire and changed the owner and permissions.

I set this on my hosts:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Value Name: AllowTGTSessionKey
    Value Type: REG_DWORD
    Value: 1

On the host with Windows XP I have this error in the Spark logs:

    WARNING: Exception in Login:
    SASL authentication failed:
      -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
        at java.lang.Thread.run(Unknown Source)
    Nested Exception:
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
        at java.lang.Thread.run(Unknown Source)
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        ... 10 more
    Caused by: KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        ... 13 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
        ... 19 more

On the hosts with Windows 7 and 8.1 I have this error in the Spark logs:

    AM org.jivesoftware.spark.util.log.Log warning
    WARNING: Exception in Login:
    SASL authentication failed:
      -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
        at java.lang.Thread.run(Unknown Source)
    Nested Exception:
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
        at java.lang.Thread.run(Unknown Source)
    Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        ... 10 more
    Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
        at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at sun.security.jgss.GSSUtil.login(Unknown Source)
        at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        ... 17 more

Please help me with that. I have spent the last 3 weeks on it and it is driving me crazy ;-(

Sorry for my bad English, Google Translator :wink:

Regards

Robert
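As an added diagnostic (example code written for this page, not from the thread, Openfire or Spark), the script below cross-checks the names that have to agree before the setup above can work: the service principal the client asks the KDC for (`xmpp/<host>@REALM`, where `<host>` is whatever name Spark resolves the XMPP service to; in this thread that turned out to be both `domain` and `srv.domain`, which is why the SPN ended up registered twice), the SPNs on the service account (`setspn -L sparkuser` on the DC), the entries in the keytab (`klist -kt /opt/openfire/spark.keytab` on the Openfire host) and `principal=` in gss.conf. "Server not found in Kerberos database (7)" is KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC saying the first of these is not among the second. The command outputs embedded at the bottom are constructed to mirror the first post; the account name, realm and paths are taken from it. One caveat the script deliberately does not rely on: with rc4-hmac (the strongest enctype a 2003 DC supports) the key is derived from the password alone, so every SPN on the account shares one key and a keytab made for one SPN can decrypt tickets for another; AES keys are salted with the principal name, so regenerate the keytab whenever an SPN is added rather than depending on that.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Openfire: cross-check the names that
# must agree for Openfire GSSAPI SSO. Inputs are the text of gss.conf, the output
# of `klist -kt /opt/openfire/spark.keytab` on the Openfire host and the output of
# `setspn -L sparkuser` on a DC. The samples at the bottom are constructed.

# The principal a client asks the KDC for: xmpp/<host it resolves the service to>@REALM.
service_principal() {            # $1 = host, $2 = realm
    printf 'xmpp/%s@%s\n' "$1" "$2"
}

# The principal="..." value from a gss.conf; prints nothing if it is missing.
gss_principal() {                # $1 = gss.conf text
    printf '%s\n' "$1" | sed -n 's/.*principal="\([^"]*\)".*/\1/p'
}

# Principals listed by klist -kt: last field of every line that contains an '@'.
keytab_principals() {            # $1 = klist -kt output
    printf '%s\n' "$1" | awk '/@/ { print $NF }'
}

# SPNs listed by setspn -L, trimmed, with any @REALM suffix dropped so that both
# spellings used in the thread (xmpp/host and xmpp/host@REALM) compare equal.
ad_spns() {                      # $1 = setspn -L output
    printf '%s\n' "$1" | awk '/\// { sub(/^[ \t]+/, ""); sub(/@.*$/, ""); print }'
}

# Exact, case-sensitive membership test: Kerberos principal names are case-
# sensitive, and the keytab entry must match the gss.conf principal byte for byte.
in_list() {                      # $1 = needle, $2 = newline-separated haystack
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Returns 0 when the requested principal is registered in AD, present in the
# keytab and identical to the gss.conf principal; otherwise prints one line per
# mismatch and returns 1.
check_sso() {   # $1 host  $2 realm  $3 gss.conf text  $4 klist -kt text  $5 setspn -L text
    local want rc=0
    want=$(service_principal "$1" "$2")
    in_list "${want%@*}" "$(ad_spns "$5")" \
        || { echo "AD: no SPN ${want%@*} on the service account -> KDC error 7"; rc=1; }
    in_list "$want" "$(keytab_principals "$4")" \
        || { echo "keytab: no entry for $want -> regenerate with ktpass -princ $want"; rc=1; }
    [ "$(gss_principal "$3")" = "$want" ] \
        || { echo "gss.conf: principal=\"$(gss_principal "$3")\" but clients request $want"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: $want is consistent across AD, keytab and gss.conf"
    fi
    return "$rc"
}

# --- constructed sample inputs, shaped like the real command output ---
GSS_CONF='com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true keyTab="/opt/openfire/spark.keytab" doNotPrompt=true useKeyTab=true
    realm="DOMAIN"
    principal="xmpp/srv.domain@DOMAIN"
    debug=true isInitiator=false;
};'
KLIST_OUT='Keytab name: FILE:/opt/openfire/spark.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/17/15 14:48:44 xmpp/srv.domain@DOMAIN'
SETSPN_OUT='Registered ServicePrincipalNames for CN=sparkuser,CN=Users,DC=domain:
        xmpp/srv.domain@DOMAIN
        xmpp/srv.domain
        xmpp/srv'

# Client resolves the service to srv.domain: everything lines up.
check_sso srv.domain DOMAIN "$GSS_CONF" "$KLIST_OUT" "$SETSPN_OUT"
# Client resolves the service to the bare domain (xmpp.domain = DOMAIN): no such
# SPN, no keytab entry, gss.conf principal differs -> three findings, exit 1.
check_sso domain DOMAIN "$GSS_CONF" "$KLIST_OUT" "$SETSPN_OUT" || true
```

Run it with the real outputs pasted in place of the three constructed strings (or fed through `"$(cat gss.conf)"`, `"$(klist -kt /opt/openfire/spark.keytab)"` and a saved copy of `setspn -L`), once per host name that clients may use; every host name that produces a finding needs an SPN, a keytab entry and, since gss.conf carries a single `principal=`, a decision about which name the acceptor is to use.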

Try this one:

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Thank you for your reply, but I tried this solution.

Looking at everything you posted, it doesn't look like you followed the guide I recommended. Please try again from the beginning. This includes deleting and recreating your AD user.

Now I get this error:

    lis 17, 2015 2:48:44 PM org.jivesoftware.spark.util.log.Log warning
    WARNING: Exception in Login:
    SASL authentication GSSAPI failed: not-authorized:
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:342)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
        at java.lang.Thread.run(Unknown Source)

What I did:

  1. Deleted the old user "spark" and created a new user "sparkuser".

  2. Set the field xmpp.domain to DOMAIN (when I have this field set to "srv.domain" I can't log in to the Openfire server configuration page with a domain user).

  3. Mapped the SPN to user "sparkuser" with setspn -A xmpp/domain@DOMAIN sparkuser

  4. Of course created a new keytab, which I copied to the server with Openfire.

  5. Changed the principal field in gss.conf to "xmpp/domain@DOMAIN".

And did I go one step forward or backward? :wink:

Please help.

Regards

Robert

What version of Java are you running on your Openfire server? Did you set an xmpp.fqdn property?

Java on the Openfire server is 1.7.0_79 Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM.

I set xmpp.fqdn to szgap01.srzg.

Please try this: on the Windows 2003 domain controller, reset the password on your "sparkuser". Don't change the password though; use the SAME password.

I reset the password on "sparkuser" (I used the same password) and I get the same error in the Spark log. Any other ideas?

The next thing I might do is try to recreate the keytab using Java ktab.

If that doesn't work, then next I would dive into Wireshark to look at the packets and see what's going on there.

Hi,

I partially solved the problem. I upgraded the Openfire server to version 3.10.3 and set new SPN mappings for user "sparkuser":

    setspn -A xmpp/srv.domain@DOMAIN sparkuser
    setspn -A xmpp/srv.domain sparkuser

and now the SPNs mapped to the spark user look like this:

    xmpp/srv.domain@DOMAIN
    xmpp/srv.domain
    xmpp/domain@DOMAIN
    xmpp/domain

After that my host with Windows XP can now log in with SSO, but my hosts with Windows 7 and 8 have this error in the Spark warn log:

org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))

at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication

at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

… 17 more

please help

Regards

Robert

I have another strange thing:

  1. When I log in with a regular domain user on a host with Windows XP, 7 or 8, I can log in to Spark with SSO.

  2. When I log in with an admin domain user (I am that user), on Windows XP I can log in, but on Windows 7 and 8 I can't. Why?

     On Windows 7 and 8 with the admin domain user, when I log on to Spark, the "Account" field does not contain "user@DOMAIN", and Spark in the SSO option says: Spark can not find the general settings for Single Sign-On.

That sounds like a UAC issue. Try running Spark "as administrator".

Yes! Yes! Yes! Yuuupi, this works!

I ran Spark on my admin domain user "as administrator" and it logs in.

Thank you for your help.

Now I have one last question, maybe stupid, but can I set two good answers in this thread?

The first good answer is the link you sent me, the second "run as admin".

Thank you again.

Regards

Robert

Our company's domain users all have limited rights, and running Spark with non-elevated rights results in it not catching the login credentials, hence SSO simply wouldn't work. We configured Spark to depend on krb5.ini and not on DNS config. Running Spark as admin with a user that has been granted administrative privileges works, but only that. I couldn't find an answer here and I noticed some folks have stumbled upon this issue themselves, so after a bit of researching and testing, here is what I came up with:

To make Spark run under limited rights and make SSO work, you've got to bypass UAC. To do so, you have to create a Scheduled Task which runs once. Please note, the path to the Spark install dir might be different from the one I post, so edit it according to your preferences. Using Command Prompt:

    schtasks /create /tn Spark /tr C:\Spark\Spark.exe /sc ONCE /RL HIGHEST /st 23:00:00

If you have multiple users sharing the same PC, the Scheduled Task will have to be updated with the /RU switch.

Now we need to execute it.

Create a shortcut (*.lnk) and insert the following command:

    C:\Windows\System32\schtasks.exe /run /tn "Spark"

Run the shortcut and test. I have tested this in Windows 8.1/Windows 10 Pro environments with the latest Spark client, computers joined to the domain.

Another piece of advice is to install Spark somewhere outside the Program Files system folder (e.g. C:\ or another drive) to prevent possible UAC issues.

You can also create a .vbs script using the following:

    ' Relaunch Spark through the "runas" verb, which triggers the UAC elevation prompt
    Set UAC = CreateObject("Shell.Application")
    UAC.ShellExecute "C:\Program Files (x86)\Spark\spark.exe", "", "", "runas", 1