SSO Spark login non-authorized(401)

Hey guys,

I know this is a common thread in this forum and yes, I nearly read every one of them, but I can't find a solution.

Hope you can help me, because I'm stuck like hell.

First, sorry for this long post.

Here are some posts and things I already tried:

SSO Configuration

Openfire: Overview

SSO problems and a weird REALM

Spark / OpenFire SSO failure

and some more, and references from those topics, etc.

System:

Spark Client on Win7-x64 with jdk/jre1.8.0_66

Openfire on Centos 6.7 with jdk1.8.0

AD on WinServer 2008 R2

The whole trust structure is on WS2003 and the domain layer on WS2008 (if necessary to know).

The Spark client and the AD server are in the same subnet, the Openfire server in another.

Firewall rules are already set, so the Openfire server can communicate via Kerberos with the AD, and the client can talk to the Openfire server. Only ping does not work (as intended).

The Openfire server reads the users from AD.

This is the warning from the Spark client warn.log:

The errors.log is empty.

This is the output from the debug log "Raw Send Packets":

<stream:stream to="openfire-server.my.domain" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<stream:stream to="openfire-server.my.domain" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

AD-User

AD-User

AD-Computer

This is the output from the debug log "Raw Received Packets":

<?xml version='1.0' encoding='UTF-8'?>
 <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="**openfire-server.my.domain**" id="7149dd1d" xml:lang="en" version="1.0">

stream:features

GSSAPI

           <compression xmlns="http://jabber.org/features/compress">

zlib

           <auth xmlns="http://jabber.org/features/iq-auth"/>

</stream:features>

<?xml version='1.0' encoding='UTF-8'?>
 <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="**openfire-server.my.domain**" id="7149dd1d" xml:lang="en" version="1.0">

stream:features

GSSAPI

           <compression xmlns="http://jabber.org/features/compress">

zlib

           </compression><auth xmlns="http://jabber.org/features/iq-auth"/>

</stream:features>

AD-User

AD-User

AD-Computer

And this is the output from the Openfire server debug.log:

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 processing the FINISHED state

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 is now secured

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 processing the FINISHED state

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 is now secured

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Processing the SSL Data

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Message received : HeapBuffer[pos=0 lim=197 cap=512: 17 03 03 00 C0 6B 31 4B 66 A7 6D CC FA 07 6E BB…]

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 Processing the received message

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Processing the SSL Data

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 6

Queue : [MESSAGE_RECEIVED, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 6

2016.01.08 15:36:41 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 6

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=468 cap=512: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 27 31…]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 6

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 6

Queue : [MESSAGE_SENT, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 6

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 6

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Message received : HeapBuffer[pos=0 lim=165 cap=256: 17 03 03 00 A0 D9 AE 83 BA 92 27 0E 32 9A 32 70…]

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 Processing the received message

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Processing the SSL Data

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 6

Queue : [MESSAGE_RECEIVED, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 6

2016.01.08 15:36:41 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 6

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=128 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 72 65 73 75 6C 74…]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 6

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 6

Queue : [MESSAGE_SENT, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 6

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 6

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Message received : HeapBuffer[pos=0 lim=213 cap=256: 17 03 03 00 D0 D2 19 C4 45 C8 CB 2B FB B0 A0 03…]

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslHandler - Session Server6 Processing the received message

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Processing the SSL Data

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 6

Queue : [MESSAGE_RECEIVED, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 6

2016.01.08 15:36:41 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 6

2016.01.08 15:36:41 org.apache.mina.filter.ssl.SslFilter - Session Server6: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=283 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 65 72 72 6F 72 22…]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 6

2016.01.08 15:36:41 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 6

Queue : [MESSAGE_SENT, ]

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 6

2016.01.08 15:36:41 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 6

There is no error as you can see. The info, warning and error logs from the server are empty, so no problems there as far as I can tell.

My /etc/krb5.conf:

My /opt/openfire/conf/openfire.xml:

The GSSAPI configuration is already in the database:

The AD user for the Openfire server, "xmpp-openfire", is created and its properties are set, and the keytab file is created as mentioned here: SSO Configuration.

kinit and klist work on the Openfire server and the Spark client.

The registry entry is done on the client, as well as the SSO configs (I did them manually).

The Spark client gets the right account for the user for SSO, so it works well until here.

Did I miss something???

Does anyone have an idea where the mistake/error is in my configuration, so this damn SSO works?

I should mention that normal login via password works well, as always. This was never a problem right

I could really use some help.

Take a look at this guide I wrote up a while ago. For Linux, all you really have to do is change a few paths. Let me know if you run into any problems.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Hey speedy,

Thanks for the reply, but I already tried this one, too.

I did it again, but still the same errors as mentioned above.

I don't know what I'm doing wrong.

It's hard to say what's going on. Wireshark might give you more insight, but usually I find that most people have a problem with creating the keytab.

The communication with the Openfire server works fine, but if I try to log in with the Spark client, there is no communication between the Openfire server (CentOS) and the AD.

I don't know why; there must be a config error, mustn't there?

PS: Where is the problem if I can't get a "kinit" ticket for my "xmpp-openfire" user? I always get this error message, but the password is correct:

kinit: Password incorrect while getting initial credentials

Edit:

I tried to get that kinit ticket for the xmpp-openfire user from my Windows client. I get this error:

Exception: krb_error 0 Illegal config content:MY.DOMAIN { No error

KrbException: Illegal config content:MY.DOMAIN {

    at sun.security.krb5.Config.parseStanzaTable(Config.java:634)

    at sun.security.krb5.Config.<init>(Config.java:197)

    at sun.security.krb5.Config.getInstance(Config.java:98)

    at sun.security.krb5.KdcComm.send(KdcComm.java:208)

    at sun.security.krb5.KdcComm.send(KdcComm.java:200)

    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)

    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)

    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)

    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Is that normal because of the login information changed via the "setspn" command?

Solved: I got kinit working for my xmpp/openfire-server.my.domain@MY.DOMAIN using the xmpp.keytab. I just needed to use the full path.

Another question I'm asking myself: is the krb5.conf on my client the same as on the server?
So, do they connect to the same host, or is the krb5.conf on the client changed so that it asks the Openfire server and the server asks the AD? (which won't work for me)

OK, I don't know exactly how, but I managed to connect the client, probably, to the Openfire server, but now I get a connection timeout during login.

I wiresharked the connection from the client to the server and from the server to the AD, and it looks like the Openfire server doesn't communicate with my AD. If I try "kinit" on the Openfire server it works well, but on the client it doesn't work anymore and I get a receive error.

This is my client krb5.ini:

and this is my Openfire server krb5.conf:

Is my krb5.conf on the server wrong, or the one on the client?

Right off the bat, I noticed your client krb5.ini looks wrong.

Your kdc and admin kdc under realms should point to your domain controller and not your Openfire server.

OK, I'm at the same step as before…

What does your gss.conf file look like?

Here is my gss.conf:

Damn… I recreated the keytab file and got the "Server not found in Kerberos database" error again.

Edit 11:05:

OMG… I can't get back and still get this error. Even though I backed up the xmpp.keytab and changed it, the error is still there.

That error is very annoying. How can I get rid of this?

Wireshark grep of the login.

Looks like I got it… it seems the computer account on the DC had some SPN links for xmpp, too, so there was a mismatch during login, but I'm not sure.

SSO works, but I will redo everything with a new server and will tell you if it works.

Hi Kevin,

Can you be more precise about what to do on the DC? I have exactly the same issue as yours.

Regards

OK, I rebuilt it and it works. Finally!

My environment:

  • Openfire server running on CentOS 6 under "daemon"

  • Spark client installed on Windows 7 x64

  • AD based on Windows Server 2008

Here are the steps I did:

  • install Openfire v4.0.0 via "openfire-4.0.0-1.i386.rpm"

  • install JDK 8u66 via "jdk-8u66-linux-x64.rpm"

  • removed the /openfire/jre folder recursively and replaced it with the JDK's JRE

  • cp -R /usr/java/jdk1.8.0_66/jre/ /openfire/jre

  • changed ownership and read/write permissions of the new jre folder to "daemon" ("daemon" is the user my Openfire runs as)

(generally, if you don't know which permissions your files need, you can give them "755", but be careful, this means everyone can read, write and delete this file!!)

  • start the Openfire service -> service openfire start (if it does not start, see /openfire/logs/nohup.out)

  • run the setup in the web GUI

  • give the host the correct domain name

  • connect to my AD via a read-only user

  • set the group filter

  • set the DN base search filter

  • allow connection via SSL (it is not needed, but I'm not sure)

  • tested if it works

  • create a MySQL instance on my server via "mysql-server" and "mysql" <- you must create a database and a user with permissions on that database

  • connect the installation to the MySQL DB (+ testing)

  • edit the vCard with the needed information (individual)

  • added an administrator based on an Active Directory user (must be caught by the base search filter, group filter and LDAP search filter)

  • connect to the admin web GUI to see if everything works fine until now

  • stop the Openfire service ("service openfire stop")

  • create gss.conf and change ownership and read/write permissions on the file itself

  • changed keytab to "/opt/openfire/resources/xmpp.keytab"

  • changed realm to my domain name in uppercase

  • changed principal to "xmpp/@"

  • added "isInitiator=false;" and removed the semicolon behind "debug=true".

  • edited /etc/krb5.conf on the Openfire server:

  • edited /openfire/conf/openfire.xml:

  • added this:

  • changed stream management to "false":

  • connect to my AD

  • create a read-only user (if you already have one, skip this step)

  • edit the user and set "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication"

  • open the command line (cmd)

  • "setspn -A xmpp/@ -U " -> message: object updated

  • "ktpass -princ xmpp/@ -mapuser @<your.domain> -pass * -ptype KRB5_NT_PRINCIPAL -out Desktop/xmpp.keytab" -> asks for the password of , twice -> message: Key created

  • move xmpp.keytab to your resources folder (or the folder you chose in your gss.conf)

  • change ownership and read/write permissions to the user Openfire runs as (for me "daemon")

  • connect to your Openfire database (MySQL) and set the property "ldap.searchFilter" (attention!!! you can destroy your login with that. If you don't know what you are doing, don't change it)

  • run the Openfire service

  • added a registry key on the Windows client.

  • install the Spark client on Windows 7

  • change the settings to the Openfire server and activate SSO via DNS (only works if your DNS is properly set up), accept the setting changes

  • "Username" and "Account" should be set automatically, otherwise something is wrong with your DNS resolution

  • check your firewall settings and everything else and try to log in

If it works, you're as far as I am, with SSO working properly.

If there are still problems, try to post your Spark warning/error logs and activate the debug log on your Openfire server; I'll try to help.

Hopefully this helps you @Donati

Thank you for your help, but it still doesn't work…

A few things:

  • my domain is RECTORAT14.LOCAL
  • the DC is SBRECT (Windows 2008R2)
  • the Openfire server is appliaca2.in.ac-caen.fr (CentOS7)

I followed your tips and everything I saw in tutorials. I can log in with Spark by entering my password, but not with SSO, even if it shows my actual username HEDONATI@RECTORAT14.LOCAL.

My desktop is Windows 7.

The xmpp.keytab copied from the DC seems to be OK on my Openfire server:

[root@appliaca2 logs]# kinit -V -k -t /opt/openfire/resources/xmpp.keytab xmpp/appliaca2.in.ac-caen.fr

Using existing cache: persistent:0:0

Using principal: xmpp/appliaca2.in.ac-caen.fr@RECTORAT14.LOCAL

Using keytab: /opt/openfire/resources/xmpp.keytab

Authenticated to Kerberos v5

Here is the Spark error.log:

janv. 18, 2016 3:58:26 PM org.jivesoftware.spark.util.log.Log warning

AVERTISSEMENT: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Nested Exception:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)

at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 324)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)

at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)

at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

… 10 more

Caused by: KrbException: Server not found in Kerberos database (7)

at sun.security.krb5.KrbTgsRep.(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

… 13 more

Caused by: KrbException: Identifier doesn’t match expected value (906)

at sun.security.krb5.internal.KDCRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.init(Unknown Source)

at sun.security.krb5.internal.TGSRep.(Unknown Source)

… 19 more

Matching lines in debug.log on the Openfire server:

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event SESSION_OPENED to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a SESSION_OPENED event for session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event SESSION_OPENED has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 2

2016.01.18 15:58:25 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2

2016.01.18 15:58:25 org.jivesoftware.util.XMLProperties - JiveGlobals: Deleting duplicate XML property ‘sasl.mechs’ that is already in database.

2016.01.18 15:58:25 org.jivesoftware.util.XMLProperties - JiveGlobals: Deleting duplicate XML property ‘sasl.gssapi.debug’ that is already in database.

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2

2016.01.18 15:58:25 org.jivesoftware.util.XMLProperties - JiveGlobals: Deleting duplicate XML property ‘sasl.gssapi.config’ that is already in database.

2016.01.18 15:58:25 org.jivesoftware.util.XMLProperties - JiveGlobals: Deleting duplicate XML property ‘sasl.gssapi.useSubjectCredsOnly’ that is already in database.

2016.01.18 15:58:25 org.jivesoftware.openfire.net.SASLAuthentication - SASLAuthentication: Added GSSAPI to mech list

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 2

2016.01.18 15:58:25 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2

2016.01.18 15:58:25 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 163, accepts self-signed: false, checks validity: true

2016.01.18 15:58:25 org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 163, accepts self-signed: false, checks validity: true

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter tls to the chain

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server[2](no sslEngine) Initializing the SSL Handler

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server[2](no sslEngine) SSL Handler Initialization done.

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2 : Starting the first handshake

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=50 cap=64: 3C 70 72 6F 63 65 65 64 20 78 6D 6C 6E 73 3D 22…]

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=200 cap=1024: 16 03 03 00 C3 01 00 00 BF 03 03 56 9C FD 91 98…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_TASK state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_WRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=866 cap=1057: 16 03 03 03 5D 02 00 00 4D 03 03 56 9C FD 91 E5…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=267 cap=1024: 16 03 03 01 06 10 00 01 02 01 00 79 CC 8F 89 F9…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_TASK state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=91 cap=512: 14 03 03 00 01 01 16 03 03 00 50 99 F6 DA C5 C3…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_UNWRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_WRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=6 cap=8: 14 03 03 00 01 01]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the NEED_WRAP state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=85 cap=132: 16 03 03 00 50 E3 C5 AB 70 F8 63 EA EA 4A EA 1A…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the FINISHED state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 is now secured

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 processing the FINISHED state

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 is now secured

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=181 cap=512: 17 03 03 00 B0 22 A3 F3 C5 8A EB FF 9B 9D 9E 84…]

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 2

2016.01.18 15:58:25 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2

2016.01.18 15:58:25 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=521 cap=1024: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 27 31…]

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 2

2016.01.18 15:58:25 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 2

2016.01.18 15:58:25 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 2

Any idea?

Are you using two different domains?
The error message "Kerberos not found" is an annoying one. At my workplace it means that the DNS doesn't work properly.

Based on your information, you should have created your xmpp.keytab with something like this:

  • setspn -A xmpp/appliaca2.in.ac-caen.fr@RECTORAT14.LOCAL <read_only_user>

and then your ktpass:

  • ktpass -princ xmpp/appliaca2.in.ac-caen.fr@RECTORAT14.LOCAL -mapuser <read_only_user>@RECTORAT14.LOCAL -pass * -ptype KRB5_NT_PRINCIPAL

Did you do that? Small hint: it's not proven that your xmpp.keytab works fine just because you can authenticate your principal against the DC. I had this "error" a few times even though I could authenticate my principal user against the DC. DNS is the biggest problem here with SSO, even if you get no error messages. This could be a hint that your SPN couldn't be resolved properly.

Check with "setspn -Q xmpp/appliaca2*" whether there are multiple entries for that SPN. You should only see something like this:

xmpp/appliaca2.in.ac-caen.fr@RECTORAT14.LOCAL

xmpp/appliaca2.in.ac-caen.fr

If you have multiple entries for different users, you must delete them to get SSO to work.

Let me ask: the Openfire server logs aren't throwing any error message, right?

Last thing: check your configuration files and their permissions.
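The two checks Kevin asks for above (setspn -Q showing a single owner for the SPN, and a keytab that really carries xmpp/<host>@REALM) and the root cause he found earlier in the thread (an xmpp SPN left on the computer account) can be automated. The script below is an added example, not code from the thread or from the Openfire/Spark projects; it parses constructed sample outputs in the formats the thread quotes, and the host, account names and keytab path are placeholders modelled on Donati's environment.

```python
import re
from collections import defaultdict

# service/host[@REALM]; rejects the locale-specific header/footer lines of setspn -Q
SPN_RE = re.compile(r"^[A-Za-z0-9._-]+/[^\s@]+(@\S+)?$")
# one klist -kt row: KVNO, date, time, principal
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$")


def parse_setspn_q(output):
    """Map each SPN (lower-cased, realm suffix dropped) to the accounts that carry it.

    setspn -Q prints one 'CN=...' block per directory object that owns a matching
    SPN, with that object's SPNs indented beneath it.
    """
    owners = defaultdict(set)
    account = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.upper().startswith("CN="):
            account = line
        elif account and SPN_RE.match(line):
            owners[line.split("@", 1)[0].lower()].add(account)
    return dict(owners)


def parse_klist_kt(output):
    """Return the set of principals listed by klist -kt <keytab>."""
    return {m.group(1) for m in map(KEYTAB_RE.match, output.splitlines()) if m}


def check_sso_identity(setspn_out, klist_out, service, host, realm):
    """Return a list of findings; an empty list means AD and the keytab agree."""
    findings = []
    spn = f"{service}/{host}".lower()
    owners = parse_setspn_q(setspn_out).get(spn, set())
    if not owners:
        findings.append(f"AD: no account carries {spn}; register it with setspn -A")
    elif len(owners) > 1:
        # The thread's root cause: the computer account also carried xmpp/<host>,
        # so the KDC could not map the SPN to one key and Spark saw "Server not found".
        findings.append(f"AD: {spn} is registered on {len(owners)} accounts: {sorted(owners)}")

    principals = parse_klist_kt(klist_out)
    wanted = f"{service}/{host}@{realm.upper()}"
    if wanted not in principals:
        findings.append(f"keytab: expected {wanted}, found {sorted(principals) or 'nothing'}")
    for p in principals:
        if p.rsplit("@", 1)[1] != p.rsplit("@", 1)[1].upper():
            findings.append(f"keytab: realm in {p} is not upper-case")
    return findings


# Constructed sample outputs (not captured from a real domain). The names mirror
# the thread; in the first sample the computer account carries the xmpp SPN too,
# which is exactly the mismatch to detect.
SETSPN_DUPLICATE = """\
Vérification du domaine DC=rectorat14,DC=local
CN=xmpprac,CN=Users,DC=rectorat14,DC=local
\txmpp/racvision3.in.ac-caen.fr
\txmpp/racvision3.in.ac-caen.fr@RECTORAT14.LOCAL
CN=RACVISION3,CN=Computers,DC=rectorat14,DC=local
\txmpp/racvision3.in.ac-caen.fr
\tHOST/RACVISION3
SPN existant détecté.
"""

SETSPN_CLEAN = """\
Vérification du domaine DC=rectorat14,DC=local
CN=xmpprac,CN=Users,DC=rectorat14,DC=local
\txmpp/racvision3.in.ac-caen.fr
\txmpp/racvision3.in.ac-caen.fr@RECTORAT14.LOCAL
SPN existant détecté.
"""

KLIST_OK = """\
Keytab name: FILE:/opt/openfire/resources/xmpp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/18/2016 15:00:00 xmpp/racvision3.in.ac-caen.fr@RECTORAT14.LOCAL
"""

if __name__ == "__main__":
    for label, spn_out in (("clean", SETSPN_CLEAN), ("duplicate", SETSPN_DUPLICATE)):
        result = check_sso_identity(spn_out, KLIST_OK, "xmpp",
                                    "racvision3.in.ac-caen.fr", "RECTORAT14.LOCAL")
        print(label, "->", result or "OK")
```

Feed it the real `setspn -Q xmpp/<host>*` and `klist -kt <keytab>` output to get the same findings for your own server.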

We have 2 domains: RECTORAT14.LOCAL is for desktops and .in.ac-caen.fr for Linux servers.

I tried to follow your tips without success.

I even reinstalled everything on another server (racvision3, CentOS6), with another user in AD called xmpprac:

C:\Users\Administrateur.RECTORAT14>setspn -Q xmpp/racv*

Vérification du domaine DC=rectorat14,DC=local

CN=xmpprac,CN=Users,DC=rectorat14,DC=local

xmpp/racvision3.in.ac-caen.fr

xmpp/racvision3.in.ac-caen.fr@RECTORAT14.LOCAL

SPN existant détecté.

Looks OK on the AD side.

Raw Sent Packets in the Smack Debug Window:

<stream:stream to="racvision3.in.ac-caen.fr" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<stream:stream to="rectorat14.local" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

and Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?>

stream:featuresGSSAPI</mechani sms>zlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>GSSAPIzlib

I have to add that SSH login with AD IDs had been enabled successfully on the first server I used (appliaca2). So we can say the communication with AD is good.

It seems like GSSAPI is never used, or at least the Openfire Linux server can't communicate with the domain controller.

"GSSAPI"

Here you can see that your client tries to use GSSAPI, so that works as well. Do you have any firewall between your servers?

Please try to wireshark or tcpdump the connection between your client and the server, and between the server and your AD.

It could be that the Kerberos data transfer is blocked.

Second tip:

If you check SSO on your client, does it get your AD account? Similar to this one? If not, try "kinit" to get a Kerberos ticket on your client.

Are you trying over DNS or did you create a krb5.ini on your client machine?