Openfire 4.0.1 SSO - again

Hello.

Problem: In the Pidgin debug log (I did a test install of Spark; it isn't working either) I get the following error when I try to connect my user to the Openfire server.

(10:01:38) certificate: Successfully verified certificate for "openfire-server"

(10:01:38) jabber: Sending (ssl) (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(10:01:38) jabber: Recv (ssl)(456): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="6e50wbz30s" xml:lang="en" version="1.0">stream:featuresGSSAPI</mechanisms>zlib</stream:features>

(10:01:38) sasl: Mechs found: GSSAPI

(10:02:05) sasl: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

(10:02:05) sasl: sasl_state is -1, failing the mech and trying again

(10:02:05) sasl: Mechs found:

I have a Windows Server 2012 environment, a working Openfire server (without SSO, of course) on "openfire-server", and Windows/Mac clients.

What I already did:

First instruction: HOWTO: SSO Configuration for Windows (Server and Clients) and Mac Clients

Second instruction: How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Third instruction: 28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark

The last one brought me from the error "not authorized" to the one mentioned above.

On the client I added the registry entry, copied the krb5.ini, installed Java 8 101 and MIT Kerberos for Windows 3.2.2, and rebooted.

Thanks for any advice…

SSO can be a little tricky. Things are case sensitive, so I'd start there. Here is a doc I wrote up a while ago, and reference each time I set up SSO.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

So, I got a little further.

(16:31:28) account: Connecting to account user@domain.local/.

(16:31:28) connection: Connecting. gc = 04CE06A8

(16:31:28) dnsquery: Performing DNS lookup for "openfire-server"

(16:31:28) dnsquery: IP resolved for "openfire-server"

(16:31:28) proxy: Attempting connection to "openfire-server-ip"

(16:31:28) proxy: Connecting to openfire-server:5222 with no proxy

(16:31:28) proxy: Connection in progress

(16:31:28) proxy: Connecting to openfire-server:5222.

(16:31:28) proxy: Connected to openfire-server:5222.

(16:31:28) jabber: Sending (user@domain.local): <?xml version='1.0' ?>

(16:31:28) jabber: Sending (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(16:31:28) jabber: Recv (184): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="99xg9xlypw" xml:lang="en" version="1.0">

(16:31:28) jabber: Recv (333): stream:featuresGSSAPI</mechanisms>zlib</stream:features>

(16:31:28) jabber: Sending (user@domain.local):

(16:31:28) jabber: Recv (50):

(16:31:28) nss: SSL version 3.3 using 128-bit AES-GCM with 128-bit AEAD MAC

Server Auth: 2048-bit RSA, Key Exchange: 256-bit ECDHE, Compression: NULL

Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

(16:31:28) nss: subject=CN="openfire-server" issuer=CN="openfire-server"

(16:31:28) certificate/x509/tls_cached: Starting verify for "openfire-server"

(16:31:28) certificate/x509/tls_cached: Checking for cached cert...

(16:31:28) certificate/x509/tls_cached: ...Found cached cert

(16:31:28) nss/x509: Loading certificate from C:\Users\user\AppData\Roaming.purple\certificates\x509\tls_peers"openfire-server"

(16:31:28) certificate/x509/tls_cached: Peer cert matched cached

(16:31:28) nss/x509: Exporting certificate to C:\Users\user\AppData\Roaming.purple\certificates\x509\tls_peers"openfire-server"

(16:31:28) util: Writing file C:\Users\user\AppData\Roaming.purple\certificates\x509\tls_peers"openfire-server"

(16:31:28) nss: Trusting CN="openfire-server"

(16:31:28) certificate: Successfully verified certificate for "openfire-server"

(16:31:28) jabber: Sending (ssl) (user@domain.local): <stream:stream to='domain.local' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(16:31:28) jabber: Recv (ssl)(456): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfire-server" id="99xg9xlypw" xml:lang="en" version="1.0">stream:featuresGSSAPI</mechanisms>zlib</stream:features>

(16:31:28) sasl: Mechs found: GSSAPI

(16:31:28) jabber: Sending (ssl) (user@domain.local): password removed

(16:31:28) connection: Connection error on 04CE06A8 (reason: 0 description: Der Server hat die Verbindung beendet)

(16:31:28) account: Disconnecting account user@domain.local/ (021D9178)

(16:31:28) connection: Disconnecting connection 04CE06A8

(16:31:28) jabber: Sending (ssl) (user@domain.local): </stream:stream>

(16:31:28) connection: Destroying connection 04CE06A8

(16:31:34) util: Writing file accounts.xml to directory C:\Users\user\AppData\Roaming.purple

(16:31:34) util: Writing file C:\Users\user\AppData\Roaming.purple\accounts.xml

It's hard to tell where it's failing with the information you provided. Spark may provide more insight as well. Can you try SSO with Spark and post the error and warn logs please?

Unfortunately Spark isn't writing anything in the error log file. The only information I get out of the program is in the debug window:

That error is usually caused by your XMPP domain and SPN not matching. Check that, and recreate your keytab file.
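The two replies above point at the same checks: the keytab must hold exactly xmpp/<XMPP domain>@<REALM>, and the case must match. As an added example (not code from this thread or from Openfire), this Python script parses an MIT keytab and reports whether the expected service principal is present, differs only in case, or is missing; the keytab bytes are constructed inside the block for illustration, and the names domain.local / DOMAIN.LOCAL are assumptions.

```python
import struct

def build_keytab(principals, enctype=18, kvno=3, key=b"\x00" * 32):
    """Write a minimal MIT keytab (format 0x0502) with one entry per
    (components, realm) pair; name_type 1 = KRB5_NT_PRINCIPAL. Sample input only."""
    out = b"\x05\x02"
    for comps, realm in principals:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno)          # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return the 'comp1/comp2@REALM' principals stored in a keytab, in order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        names.append("/".join(comps) + "@" + realm)
        pos = end                        # skip name_type, timestamp, kvno, key
    return names

def check_spn(keytab, xmpp_domain, realm):
    """'ok' if xmpp/<xmpp_domain>@<REALM> is present exactly, 'case_mismatch'
    if it differs only in case (Kerberos compares case-sensitively), else 'missing'."""
    expected = f"xmpp/{xmpp_domain}@{realm}"
    found = parse_keytab(keytab)
    if expected in found:
        return "ok"
    if any(p.lower() == expected.lower() for p in found):
        return "case_mismatch"
    return "missing"
```

Run check_spn on the server's keytab with the XMPP domain Openfire actually advertises in its stream header (the from= value in the logs above) and the realm in uppercase; the three return values separate the "not matching" and "case sensitive" causes the replies describe.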

Done, new error in Pidgin debug:

(15:33:52) sasl: Mechs found: GSSAPI

(15:33:59) sasl: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot find ticket for requested realm)

(15:33:59) sasl: sasl_state is -1, failing the mech and trying again

Same error in Spark debug.

Srsly, I don’t think it will work anytime soon… -_-

It will work... it just takes a bit of work. Check your PM.