We are in the process of moving from a VMWare environment to Hyper-V. On Friday night I moved to Openfire server without any issues, and users used Spark on Saturday without issues.
This morning, I did a couple of updates to the server… openjdk-7-jre was included in the list, which I believe brought it to 7u95 or so. I also upgraded Openfire to V4.0.1 right after.
Now, SSO is broken across the board. I have installed the *latest Spark build on my PC (2.7.5) and that has not helped. I can shut down The Hyper-V machine and Start the VMWare machine (still on 3.9.3) and SSO connects fine, so it has to be something on the Server side.
The error I am getting from Spark is:
[Code]
Feb 08, 2016 11:14:24 AM org.jivesoftware.spark.util.log.Log warning
This server has been running for about a year and a half, and I have done various updates to it (Such as Openfire and Java updates) without breaking SSO in the past. Since this was a major Version change, is there anything else I need to do to get SSO working?
in java 7u80 and above; java disabled des by default. Most of the SSO guides stated to use DES, so its possible that your keytab file was created with DES only. Recreating your keytab file with a stronger encryption type should fix you up. This should point you in the right direction
No go… Looking back at my notes, I believe I did -crypto all. However, I decided to attempt to recreate the keytab file anyway… and now both servers (Hyper-V and VMWare) are broken.
I have even now gone as far as creating a new user in AD, creating a new SPN for this user, and another keytab. Attempting to login from Spark then gave me a whole bunch of interesting errors… which were caused by having duplicate SPN’s. Once I removed the duplicates, I am right back to square one:
Feb 08, 2016 8:43:05 PM org.jivesoftware.spark.util.log.Log warning
if you can run wireshark on your workstation, that will provide some clues too. on the user account used for your keytab, make sure you checked “This Account Supports Kerberos AES 128 bit encryption”
I’m not 100% what happened, but it’s working now. Last night I deleted and recreated my gss.conf file and rebooted the server and client machine (this had to be my 8th or 9th reboot), and everything came back up.
Tested again this morning, and I can see all my users have logged in without issues. I must have had something in the gss.conf file that either corrupted or I mistyped at some point, or just didn’t jive with the new Keytab file… at this point it makes no difference, we’re up and running.
This also gave me a chance to clean up some of my prior setup in the process (I didn’t really like the username I used previously), so I’m kind of glad I had to redo it.
You can use 256 bit encryption, but you’ll need to make sure your have the unlimited strength Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed on the clients and server, since the default jre only goes up to 128!