Error to make SSO work

Hey guys, hope you can help me…

I’ve already tried dozens of times to make SSO work in my company, but I was unsuccessful every time.

My scenario is:

Client - Windows 7 32-bit

DC and Openfire server - Windows Server 2012R2

Spark version - 2.8.1 (latest stable available)

Openfire version - 4.0.3

I’ve followed this tutorial to implement SSO: Openfire XMPP Server on Windows Server 2012 R2 with Spark SSO.pdf - Google Drive

I’ve updated my keytab file using these instructions: SSO (Single Sign On) configuration changes since Spark 2.8.0

When I try to log in, I receive this error:

Where should I start the troubleshooting?

The normal authentication works like a charm.

It looks like the guide has a mistake in the krb5.ini file, so I would start there.

Under the [default_realms] section it should be:

test.com = TEST.COM

.test.com = TEST.COM

You could also try using DNS instead of a krb5.ini file within spark to see if that helps.

Also, here is a guide I wrote up… it’s not as detailed as the one you referenced, though.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Hi speedy, thank you for your support, but even following your guide from the beginning I was unable to make it work. Where can I check the logs related to that issue? Maybe I can find something there…

Thanks,

Fábio.

You should be able to find the logs in .\Spark\Logs or in %appdata%\Spark\logs.

A common mistake is that the SPN should match what you are using as your xmpp.domain. You can find this in your Openfire admin console under System Properties. It’s also labeled Server Name on the Server Information page after signing into the admin console.

Do you mean this highlighted information?

[screenshot: eg.PNG]

So I believe you found the problem… I was using the FQDN of the server hosting the Openfire installation… I’ll try to set it up using the server name FQDN…

Yes… that is correct.

And normally, you would want this to be a root domain (e.g. igniterealtime.org) or an FQDN (e.g. xmpp.igniterealtime.org), not a short name. If you use the root domain, then you’ll need to set up service records.

Also, if you change your XMPP domain, you’ll need to regenerate certificates, and possibly update the admin.authorizedJIDs property.
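To make the two checks from this thread mechanical (the client’s krb5.ini host-to-realm mapping, and the SPN in AD matching xmpp.domain), here is a small checker. It is an added example, not code from this thread or from the Openfire/Spark projects. Note that in MIT/Java Kerberos configuration the host-to-realm mappings live in the [domain_realm] section, and a ".test.com" entry covers hosts under test.com but not test.com itself, which is why both lines are needed. The realm TEST.COM, the KDC dc01.test.com, the service account svc-openfire, the hosts srv01.test.com and xmpp.test.com, and the `setspn -L` output are all constructed sample data for this example.

```python
import re

# --- Constructed sample inputs (assumed names, not from the thread) --------

# krb5.ini with the host-to-realm mappings in the section Kerberos reads.
GOOD_KRB5_INI = """\
[libdefaults]
    default_realm = TEST.COM

[realms]
    TEST.COM = {
        kdc = dc01.test.com
        admin_server = dc01.test.com
    }

[domain_realm]
    test.com = TEST.COM
    .test.com = TEST.COM
"""
# Same file with the mappings under a section name Kerberos ignores.
BAD_KRB5_INI = GOOD_KRB5_INI.replace("[domain_realm]", "[default_realms]")

# `setspn -L svc-openfire` output: first with an SPN only for the host that
# runs Openfire, then with one for xmpp.domain (xmpp.test.com) added.
SETSPN_BEFORE = """\
Registered ServicePrincipalNames for CN=svc-openfire,OU=Service Accounts,DC=test,DC=com:
        xmpp/srv01.test.com
"""
SETSPN_AFTER = SETSPN_BEFORE + "        xmpp/xmpp.test.com\n"


def parse_krb5(text):
    """Minimal krb5.ini reader -> {section: {key: value}}. Keys inside a
    brace block get the block name as prefix (e.g. 'TEST.COM.kdc')."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current, stack = m.group(1).lower(), []
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(key)
            continue
        sections[current][".".join(stack + [key])] = value
    return sections


def parse_setspn(text):
    """SPNs from `setspn -L` output are the indented lines."""
    return {line.strip().lower() for line in text.splitlines()
            if line[:1] in (" ", "\t") and "/" in line}


def realm_for_host(host, domain_realm):
    """Resolve a host to a realm like libkrb5: exact host entry first, then
    parent domains written with a leading dot (never the host itself)."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        parent = "." + ".".join(parts[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def check_sso(xmpp_domain, krb5_text, setspn_text):
    """Return a list of findings; an empty list means the inputs agree."""
    findings, host, cfg = [], xmpp_domain.strip().lower(), parse_krb5(krb5_text)
    if "." not in host:
        findings.append("xmpp.domain %r is a short name; use a root domain or FQDN" % host)
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("no default_realm under [libdefaults]")
    elif default_realm != default_realm.upper():
        findings.append("default_realm %r must be upper-case" % default_realm)
    domain_realm = {k.lower(): v for k, v in cfg.get("domain_realm", {}).items()}
    realm = realm_for_host(host, domain_realm)
    if realm is None:
        findings.append("[domain_realm] has no mapping that covers %r" % host)
    elif realm != realm.upper():
        findings.append("realm %r mapped for %r must be upper-case" % (realm, host))
    # Spark asks the KDC for a ticket to xmpp/<xmpp.domain>; if no AD account
    # carries that SPN the KDC answers with Kerberos error 7, "Server not
    # found in Kerberos database", which is what shows up in the Spark log.
    expected, spns = "xmpp/" + host, parse_setspn(setspn_text)
    if expected not in spns:
        findings.append("SPN %r not registered; found: %s"
                        % (expected, ", ".join(sorted(spns)) or "none"))
    return findings
```

Running `check_sso("xmpp.test.com", GOOD_KRB5_INI, SETSPN_BEFORE)` reports the missing `xmpp/xmpp.test.com` SPN, `check_sso("xmpp.test.com", BAD_KRB5_INI, SETSPN_AFTER)` reports the missing [domain_realm] mapping, and the good/after pair returns no findings. To use it on a real setup, paste in the client’s krb5.ini and the output of `setspn -L <service account>` run on the DC.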

I think I understood.

I have to change the server name to spark.cce.puc-rio.br, for example…

This name is already configured in DNS; if I nslookup this name, it answers with the IP of the Openfire host server.

How do I regenerate the certificates?

To update the server name and admin.authorizedJIDs property, I need to re-run the setup, right?

Thanks,

The server name/XMPP domain is the part to the right of the @ in your JID. You can think of this as being similar to the domain in an email address.

You shouldn’t have to rerun the setup. In System Properties, you should be able to find admin.authorizedJIDs (if it’s there). If it’s not, then you should be OK to skip that step.

To regenerate certs, click the TLS/SSL Certificates tab, then the “Manage Store Contents” link; from there you can delete and recreate your certs.

I rolled back all the settings and followed your tutorial step by step… When I try to log in I keep receiving the same error message, and I was able to find this entry in the log:

Oct 24, 2016 10:51:24 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1105)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:333)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:867)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn’t match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 19 more

What could be the problem?