Hey,
I have a problem connecting Spark (v. 2.7.3) to the Openfire server by SSO.
I tried all the recommendations of these links:
- [https://community.igniterealtime.org/docs/DOC-1060](https://community.igniterealtime.org/docs/DOC-1060)
- https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux
- [https://community.igniterealtime.org/docs/DOC-1522](https://community.igniterealtime.org/docs/DOC-1522)
- [https://community.igniterealtime.org/docs/DOC-1060](https://community.igniterealtime.org/docs/DOC-1060)
- https://community.igniterealtime.org/thread/51154
- [https://community.igniterealtime.org/docs/DOC-2585](https://community.igniterealtime.org/docs/DOC-2585)
and nothing worked.
My environment is:
- KDC (AD) on Windows Server 2003
- Openfire server on CentOS 7
- Hosts with Spark: Windows XP, 7, 8.1
My openfire.xml looks like that:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file stores bootstrap properties needed by Openfire.
    Property names must be in the format: "prop.name.is.blah=value"
    That will be stored as:
        <prop>
            <name>
                <is>
                    value
                </is>
            </name>
        </prop>

    Most properties are stored in the Openfire database. A
    property viewer and editor is included in the admin console.
-->
9090
9091
pl_PL
DOMAIN
org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
true
```
My krb5.conf looks like that:
```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = domain
 default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
 domain = {
  kdc = srv.domain
  admin_server = srv.domain
  default_domain = domain
 }

[domain_realm]
 domain = DOMAIN
 .domain = DOMAIN
```
My gss.conf in folder /opt/openfire/conf looks like that:
```
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/spark.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN"
    principal="xmpp/srv.domain@DOMAIN"
    debug=true
    isInitiator=false;
};
```
I created on the DC a spark user, with the options "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication".
For spark I created the Kerberos XMPP SPN on the DC:
```
setspn -A xmpp/srv.domain@DOMAIN spark
setspn -A xmpp/srv.domain spark
setspn -A xmpp/srv spark
```
For spark I mapped the Kerberos XMPP SPN on the DC:
```
ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL
```
I created the spark.keytab file on the DC:
```
ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL -out spark.keytab
```
I copied spark.keytab to srv.domain (the host with the Openfire server) into the folder /opt/openfire and changed the owner and permissions.
I set on my hosts:
```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
```
On the host with Windows XP I have this error in the Spark logs:
```
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 19 more
```
On the hosts with Windows 7 and 8.1 I have this error in the Spark logs:
```
AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
    at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at sun.security.jgss.GSSUtil.login(Unknown Source)
    at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
    at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    ... 17 more
```
Please help me with that. I have spent the last 3 weeks on it and it is driving me crazy ;-(
Sorry for my bad English, Google Translator.
Regards,
Robert
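One check worth running on the Openfire host after a setup like the one in the post, as an added example written for this thread (it is not code from the poster, Openfire or Spark): parse the keytab and confirm it really contains the principal that gss.conf names, with a key type that krb5.conf permits. The script assumes the MIT keytab format version 0x0502, which ktpass writes; the keytab bytes are constructed inline with dummy key material so it runs offline, and the expected principal and enctype list are copied from the post's gss.conf and krb5.conf.

```python
"""Keytab-vs-config consistency check (added example, not from the post)."""
import struct

# Enctype numbers from RFC 3961 / RFC 4757, mapped to their krb5.conf names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
NAME_TO_ENCTYPE = {v: k for k, v in ENCTYPE_NAMES.items()}
KRB5_NT_PRINCIPAL = 1  # the -ptype the post passes to ktpass


def _counted(data: bytes) -> bytes:
    """uint16 length prefix + bytes (the keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, p: int):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n


def build_keytab(entries):
    """Serialise (principal, enctype_name, kvno, key) tuples as a v0x0502 keytab.

    Used here only to construct sample input; a real keytab comes from ktpass.
    """
    out = bytearray(b"\x05\x02")
    for principal, enctype_name, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))     # v2: realm is not counted
        body += _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)    # name_type
        body += struct.pack(">I", 0)                    # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)          # 8-bit vno
        body += struct.pack(">HH", NAME_TO_ENCTYPE[enctype_name], len(key)) + key
        body += struct.pack(">I", kvno)                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry: principal, name_type, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_counted(data, pos + 2)
        components = []
        for _ in range(ncomp):
            component, p = _read_counted(data, p)
            components.append(component)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen           # skip the key bytes themselves
        kvno = vno8
        if end - p >= 4:         # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "name_type": name_type,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str, permitted_enctypes):
    """Return a list of problems; an empty list means the keytab matches."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        present = sorted({e["principal"] for e in entries}) or ["<none>"]
        return ["principal %s is not in the keytab (present: %s)"
                % (expected_principal, ", ".join(present))]
    if not any(e["enctype"] in permitted_enctypes for e in matching):
        return ["no key for %s uses a permitted enctype (have: %s)"
                % (expected_principal, ", ".join(sorted(e["enctype"] for e in matching)))]
    return []


# Values copied from the post's gss.conf and krb5.conf.
EXPECTED_PRINCIPAL = "xmpp/srv.domain@DOMAIN"
PERMITTED_ENCTYPES = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5".split()

# Constructed sample keytabs; zero bytes stand in for real key material.
GOOD_KEYTAB = build_keytab([(EXPECTED_PRINCIPAL, "rc4-hmac", 3, bytes(16))])
SHORT_NAME_KEYTAB = build_keytab([("xmpp/srv@DOMAIN", "rc4-hmac", 3, bytes(16))])
AES_ONLY_KEYTAB = build_keytab([(EXPECTED_PRINCIPAL, "aes256-cts-hmac-sha1-96", 3, bytes(32))])

if __name__ == "__main__":
    for label, blob in [("good", GOOD_KEYTAB), ("short name", SHORT_NAME_KEYTAB),
                        ("aes only", AES_ONLY_KEYTAB)]:
        for entry in parse_keytab(blob):
            print(label, entry)
        print(label, "->", check_keytab(blob, EXPECTED_PRINCIPAL, PERMITTED_ENCTYPES) or "OK")
```

To run it against the real file, pass `open("/opt/openfire/spark.keytab", "rb").read()` to `check_keytab` with the principal string from gss.conf. Note what this covers and what it does not: the XP trace's "Server not found in Kerberos database (7)" is KDC_ERR_S_PRINCIPAL_UNKNOWN, a KDC-side lookup failure for the service name the client asked for, so the keytab check only rules out the server side; the registered SPNs on the DC are what `setspn -L spark` lists. Principal and realm strings are compared exactly, so a keytab written for `DOMAIN` will not match a config that says `domain`.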