OpenFire SSO problems again

Hello,

The history: A long time ago there was an Openfire 3.9.3 server with SSO working like a charm, but a decision was made to update it to 3.10. After that SSO stopped working, even with a rollback to 3.9.3; nothing helped. For some time we had to use manual login. After the update to 3.10.3 SSO started working again, until last week when I had to restart the server. It was a simple restart, nothing changed, but SSO stopped again.

What I tried:

Server: Windows Server 2008 R2, Openfire 4.0.1.

Clients: Windows 7-10 Pro, Miranda-NG (Spark only for tests)

Miranda log:

Openfire Info log: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed

Openfire Debug log:

org.apache.mina.filter.ssl.SslHandler - Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
    at org.apache.mina.filter.ssl.SslHandler.destroy(SslHandler.java:204)
    at org.apache.mina.filter.ssl.SslFilter.sessionClosed(SslFilter.java:439)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$900(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.sessionClosed(DefaultIoFilterChain.java:750)
    at org.apache.mina.core.filterchain.IoFilterAdapter.sessionClosed(IoFilterAdapter.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireSessionClosed(DefaultIoFilterChain.java:375)
    at org.apache.mina.core.service.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:244)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeNow(AbstractPollingIoProcessor.java:600)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeSessions(AbstractPollingIoProcessor.java:560)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$800(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1132)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

gss.conf

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    isInitiator=false
    debug=true
    realm="DOMAIN.LOCAL"
    principal="xmpp/server.domain.local@DOMAIN.LOCAL";
};

openfire.xml

[...]
  <!-- sasl configuration -->
  <sasl>
    <!-- Set this to your Kerberos realm name which is usually your AD domain name in all caps. -->
  </sasl>
  <authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
  </authorization>

krb5.ini

[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }
[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL

This is usually caused by an incorrect principal, DNS, or keytab file issue. Also make sure you don't have more than one SPN set up for your service; this will cause some issues too.

Why did it suddenly stop working after a restart?

For me, everything looks fine:

klist -k "C:\Program Files (x86)\Openfire\resources\jabber.keytab"

Key tab: C:\Program Files (x86)\Openfire\resources\jabber.keytab, 5 entries found.
[1] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
        KVNO: 6
[2] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
        KVNO: 6
[3] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
        KVNO: 6
[4] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
        KVNO: 6
[5] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
        KVNO: 6

nslookup sqlserver.ien.local

Server:  dc.domain.local
Address:  192.168.XXX.XXX
Name:    server.domain.local
Address:  192.168.XXX.XXX

nslookup 192.168.XXX.XXX

Server:  dc.domain.local
Address:  192.168.XXX.XXX
Name:    server.domain.local
Address:  192.168.XXX.XXX

setspn -L xmpp-openfire

CN=xmpp-openfire,[...],DC=domain,DC=local:
        xmpp/server.domain.local
        xmpp/server.domain.local@DOMAIN.LOCAL

Did you recently update or change your version of Java? Are you using DES as your encryption type? If you know how to use Wireshark, please use it to capture the Kerberos exchange. This will give you additional insight into what could be failing.

Openfire always uses the JRE that is integrated with it. Version 4.0.1 ships with JRE 1.8.0_66. I tried with 1.8.0_72 and without any Java installed; the console always shows 1.8.0_66 Oracle Corporation – Java HotSpot(TM) Client VM. No DES.

Another test shows that the configured account and keytab file are correct:

kinit -k -t "c:\Program Files (x86)\Openfire\resources\jabber.keytab" xmpp/server.domain.local

New ticket is stored in cache file C:\...

klist

Credentials cache: C:\...
Default principal: xmpp/server.domain.local@DOMAIN.LOCAL, 1 entry found.
[1]  Service Principal:  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
     Valid starting:     Feb 10, 2016 08:47:23
     Expires:            Feb 10, 2016 18:47:23

I tried with Wireshark, but all I can say is: there is communication client-server and server-DC.

From jre\bin, can you run klist -e -k keytab.file

and let me know what your output is, please?

Also, does SSO work with Spark?

Same with Spark.

klist -k -e "c:\Program Files (x86)\Openfire\resources\jabber.keytab"

Key tab: c:\Program Files (x86)\Openfire\resources\jabber.keytab, 5 entries found.
[1] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
         KVNO: 6
         Key type: 1
[2] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
         KVNO: 6
         Key type: 3
[3] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
         KVNO: 6
         Key type: 23
[4] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
         KVNO: 6
         Key type: 18
[5] Service principal: xmpp/server.domain.local@DOMAIN.LOCAL
         KVNO: 6
         Key type: 17

OK, so that looks good. The next thing would be to look at Wireshark and look at the Kerberos exchanges to see what's going on and what's being requested.