Unable to logon clients with Openfire 4.1

I updated Openfire this morning from 4.0.4 to 4.1 on a Windows 2008 R2 server with Active Directory.

Since the upgrade, no user can log on anymore (using Spark or another client, whatever client version or OS we are using).

We all get the error "Invalid username or password".

With my credentials (I am an admin), I can log on to the Openfire admin interface and see all the user accounts from Active Directory.

Restarting the Openfire service or the Windows server didn't help.

On the Openfire side, I got these entries in the logs:

  • error.log

java.sql.SQLSyntaxErrorException: object name already exists: OFMUCCONVLOG_MSG_ID in statement [ CREATE INDEX ofMucConvLog_msg_id ON ofMucConversationLog (messageID)]
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source)
    at org.hsqldb.jdbc.JDBCPreparedStatement.execute(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.logicalcobwebs.proxool.ProxyStatement.invoke(ProxyStatement.java:100)
    at org.logicalcobwebs.proxool.ProxyStatement.intercept(ProxyStatement.java:57)
    at $java.sql.PreparedStatement$$EnhancerByProxool$$d81d3b4d.execute()
    at org.jivesoftware.database.SchemaManager.executeSQLScript(SchemaManager.java:380)
    at org.jivesoftware.database.SchemaManager.checkSchema(SchemaManager.java:282)
    at org.jivesoftware.database.SchemaManager.checkOpenfireSchema(SchemaManager.java:85)
    at org.jivesoftware.database.DbConnectionManager.setConnectionProvider(DbConnectionManager.java:606)
    at org.jivesoftware.database.DbConnectionManager.ensureConnectionProvider(DbConnectionManager.java:99)
    at org.jivesoftware.database.DbConnectionManager.getConnection(DbConnectionManager.java:121)
    at org.jivesoftware.util.JiveProperties.loadProperties(JiveProperties.java:357)
    at org.jivesoftware.util.JiveProperties.init(JiveProperties.java:88)
    at org.jivesoftware.util.JiveProperties.getInstance(JiveProperties.java:66)
    at org.jivesoftware.util.JiveGlobals.getProperty(JiveGlobals.java:548)
    at org.jivesoftware.util.cache.CacheFactory.(CacheFactory.java:94)
    at org.jivesoftware.openfire.XMPPServer.initialize(XMPPServer.java:311)
    at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:414)
    at org.jivesoftware.openfire.XMPPServer.(XMPPServer.java:163)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:105)
    at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:65)
    at com.exe4j.runtime.WinLauncher$2.run(WinLauncher.java:96)
Caused by: org.hsqldb.HsqlException: object name already exists: OFMUCCONVLOG_MSG_ID
    at org.hsqldb.error.Error.error(Unknown Source)
    at org.hsqldb.error.Error.error(Unknown Source)
    at org.hsqldb.SchemaObjectSet.checkAdd(Unknown Source)
    at org.hsqldb.SchemaManager.checkSchemaObjectNotExists(Unknown Source)
    at org.hsqldb.StatementSchema.setOrCheckObjectName(Unknown Source)
    at org.hsqldb.StatementSchema.getResult(Unknown Source)
    at org.hsqldb.StatementSchema.execute(Unknown Source)
    at org.hsqldb.Session.executeCompiledStatement(Unknown Source)
    at org.hsqldb.Session.execute(Unknown Source)
    ... 36 more

  • warning.log

    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:273)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:44)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:690)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2016.12.28 10:08:35 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x0000000A: nio socket, server, /90.65.144.68:51987 => 0.0.0.0/0.0.0.0:5222)
java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:273)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:44)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:690)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2016.12.28 10:08:35 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x00000010: nio socket, server, /90.65.144.68:52024 => 0.0.0.0/0.0.0.0:5222)
java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(Unknown Source)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
    at sun.nio.ch.IOUtil.read(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:273)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:44)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:690)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

  • debug.log

Queue : [MESSAGE_RECEIVED, ]
2016.12.28 10:13:03 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2
2016.12.28 10:13:03 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=198 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 65 72 72 6F 72 22…]
2016.12.28 10:13:03 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2
Queue : [MESSAGE_SENT, ]
2016.12.28 10:13:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=133 cap=256: 17 03 03 00 80 85 12 E8 04 2C 0D 4C BD CC B4 82…]
2016.12.28 10:13:33 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message
2016.12.28 10:13:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data
2016.12.28 10:13:33 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2
Queue : [MESSAGE_RECEIVED, ]
2016.12.28 10:13:33 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2
2016.12.28 10:13:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=198 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 65 72 72 6F 72 22…]
2016.12.28 10:13:33 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2
Queue : [MESSAGE_SENT, ]
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: sessions. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: server_bytes. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: muc_occupants. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: proxyTransferRate. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: conversations. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: muc_traffic. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: packet_count. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: muc_rooms. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: server_sessions. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:13:57 org.jivesoftware.openfire.reporting.stats.StatsEngine - Stat: muc_users. Last sample: 1482916320. New sample: 1482916380
2016.12.28 10:14:03 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=133 cap=256: 17 03 03 00 80 29 98 6F 1B 92 30 3A B5 C1 42 51…]
2016.12.28 10:14:03 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message
2016.12.28 10:14:03 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data
2016.12.28 10:14:03 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2
Queue : [MESSAGE_RECEIVED, ]
2016.12.28 10:14:03 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2
2016.12.28 10:14:03 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=198 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 65 72 72 6F 72 22…]
2016.12.28 10:14:03 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2
Queue : [MESSAGE_SENT, ]
2016.12.28 10:14:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Message received : HeapBuffer[pos=0 lim=133 cap=256: 17 03 03 00 80 5F 08 D4 D1 F3 29 BF 43 00 69 EC…]
2016.12.28 10:14:33 org.apache.mina.filter.ssl.SslHandler - Session Server2 Processing the received message
2016.12.28 10:14:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Processing the SSL Data
2016.12.28 10:14:33 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 2
Queue : [MESSAGE_RECEIVED, ]
2016.12.28 10:14:33 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 2
2016.12.28 10:14:33 org.apache.mina.filter.ssl.SslFilter - Session Server2: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=198 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 65 72 72 6F 72 22…]
2016.12.28 10:14:33 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 2
Queue : [MESSAGE_SENT, ]

And in my Spark 2.8.2 debug window:

  • Raw sent packets

<stream:stream xmlns='jabber:client' to='lan.domain.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='myuser@lan.domain.com' xml:lang='en'>

<stream:stream xmlns='jabber:client' to='lan.domain.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='myuser@lan.domain.com' xml:lang='en'>

  • Raw received packets
<?xml version='1.0' encoding='UTF-8'?>

stream:featuresGSSAPI</mechanisms>zlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>GSSAPIzlib

Any idea?

I restored a backup of Openfire 4.0.4, and everything works fine.

The strange thing is, even with Openfire 4.0.4, I can't log in with Spark 2.8.2 (2.7.6 and 2.7.7 work fine).

None of the above versions work with Openfire 4.1.0.

I see you are using GSSAPI. This is likely a bug introduced in OF-477. There is a workaround, but you may want to wait until 4.1.1.

I will wait, there is no urgency.

I am using GSSAPI indeed, but not SSO (never managed to make it work).

Spark 2.8.2 has the "accept all certificates" option disabled by default, so if you don't have a 3rd-party certificate you have to go to Advanced and put a check mark.

[SPARK-1789] Change Accept all certificates option to disabled by default - IgniteRealtime JIRA

It might not be your issue, but it was mine. It took me a little bit until I thought to check the change log.

I have already done that. The certificate issue gives a totally different error.

This has nothing to do with it.

I tried with Openfire 4.1.1 and the issue still occurs.

2017.01.02 15:58:11 org.jivesoftware.openfire.spi.LegacyConnectionAcceptor - Configuration allows for up to 16 threads, although implementation is limited to exactly one.
2017.01.02 15:58:11 org.jivesoftware.util.cert.SANCertificateIdentityMapping - Unable to parse a byte array (of length 33) as a subjectAltName 'otherName'. It is ignored.
java.lang.ClassCastException: org.bouncycastle.asn1.DERTaggedObject cannot be cast to org.bouncycastle.asn1.ASN1String
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.parseOtherNameXmppAddr(SANCertificateIdentityMapping.java:213)
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.parseOtherName(SANCertificateIdentityMapping.java:160)
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.mapIdentity(SANCertificateIdentityMapping.java:75)
    at org.jivesoftware.util.CertificateManager.getServerIdentities(CertificateManager.java:325)
    at org.jivesoftware.openfire.keystore.IdentityStore.containsDomainCertificate(IdentityStore.java:364)
    at org.jivesoftware.openfire.http.HttpBindManager.createSSLConnector(HttpBindManager.java:242)
    at org.jivesoftware.openfire.http.HttpBindManager.configureHttpBindServer(HttpBindManager.java:513)
    at org.jivesoftware.openfire.http.HttpBindManager.start(HttpBindManager.java:188)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.startListeners(ConnectionManagerImpl.java:315)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.access$100(ConnectionManagerImpl.java:51)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl$1.pluginsMonitored(ConnectionManagerImpl.java:292)
    at org.jivesoftware.openfire.container.PluginManager.firePluginsMonitored(PluginManager.java:1042)
    at org.jivesoftware.openfire.container.PluginMonitor$MonitorTask.run(PluginMonitor.java:323)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017.01.02 15:58:51 org.jivesoftware.util.cert.SANCertificateIdentityMapping - Unable to parse a byte array (of length 33) as a subjectAltName 'otherName'. It is ignored.
java.lang.ClassCastException: org.bouncycastle.asn1.DERTaggedObject cannot be cast to org.bouncycastle.asn1.ASN1String
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.parseOtherNameXmppAddr(SANCertificateIdentityMapping.java:213)
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.parseOtherName(SANCertificateIdentityMapping.java:160)
    at org.jivesoftware.util.cert.SANCertificateIdentityMapping.mapIdentity(SANCertificateIdentityMapping.java:75)
    at org.jivesoftware.util.CertificateManager.getServerIdentities(CertificateManager.java:325)
    at org.jivesoftware.openfire.keystore.IdentityStore.containsDomainCertificate(IdentityStore.java:364)
    at org.jivesoftware.openfire.admin.index_jsp._jspService(index_jsp.java:226)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:226)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:165)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)

Guillaume - I believe that this last stacktrace is happening, because you’re using TLS certificates that are self-signed, generated by Openfire in a version prior to 4.1.0. Those certificates had a problem, which is tracked as [OF-1245] Openfire fails to parse the subject alternate name of certs it generated itself. - IgniteRealtime JIRA

If you re-generate your self-signed certificates, you should see that stacktrace disappear. The impact of the stacktrace itself is minimal, though.

Yes, but since none of my users can log in with their Spark client starting from Openfire 4.1, I can't upgrade it and re-generate the certificate.

Regenerating certificates is done in the Openfire admin console - you do not need a working Spark for that. That being said, regenerating those certificates will not fix the problem of Spark not being able to log in.

Your Openfire appears to advertise the GSSAPI SASL mechanism as the only supported mechanism. This mechanism is used for Kerberos-backed Single-Sign On, which is probably what you want, but what’s failing. By configuring Openfire in such a way that it will only accept the GSSAPI SASL mechanism, none of the other authentication mechanisms will be tried at all.

Most likely, the sasl.mechs property has been set to "GSSAPI". I advise you to add other mechanisms (the value is a comma-separated list). The default set of mechanisms is:

"ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,SCRAM-SHA-1,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL"

You probably want to add GSSAPI to that list, or remove the entire property to have the default setting kick in (but that won’t get you the GSSAPI mechanism).

This all will not fix your single-sign on problem, but it should allow clients to authenticate again.

sasl.mechs was indeed set to GSSAPI and is now set to GSSAPI,PLAIN,DIGEST-MD5,CRAM-MD5,SCRAM-SHA-1,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL.

I do not use SSO but only LDAP for user identification.

Openfire and certificates have been updated.

And I still can't connect any LDAP users (wrong user or password).

Can you once more provide the data that the Spark debug log gives you, now that you’ve applied these changes?

I rolled back, but I will try again tomorrow.

Openfire 4.1.1 with Spark 2.7.7 and Active Directory on 2008 R2

Domain: lan.domain.tld

User: myuser

Raw sent packets

<stream:stream to="lan.mydomain.tld" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="lan.mydomain.tld" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="kODYJ-0" type="get"><query xmlns="jabber:iq:auth"><username>myuser</username></query></iq>
</stream:stream>

Raw received packets

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="lan.mydomain.tld" id="50p39vu849" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="lan.mydomain.tld" id="50p39vu849" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
<stream:error><system-shutdown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="lan.mydomain.tld" id="4a1rzpbnv9" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="lan.mydomain.tld" id="4a1rzpbnv9" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>

I got the error invalid username or password.

  • all.log

all.log - Pastebin.com

  • debug.log

debug.log - Pastebin.com

New certificates have been generated at 09:42:31.

You now appear to be using non-SASL authentication, for which support has been removed from the default installation. It is still available via a new plugin though. Try adding the ‘nonSaslAuthentication’ plugin, and see what that does for you.
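Both diagnoses in this thread (sasl.mechs restricted to GSSAPI, then an old client falling back to legacy jabber:iq:auth) can be read straight off the <stream:features/> the client receives in the Spark debug window. The script below is an added example, not code from Openfire, Spark or any poster: the GSSAPI-only features sample is constructed from the first post's packet, the second sample is copied from the later Spark 2.7.7 capture, and the client mechanism lists passed in are assumptions.

```python
"""Read the <stream:features/> a server sent and report whether a client
with a given SASL mechanism set can log in. Added example for this thread;
not Openfire's or Spark's own code."""
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_IQ_AUTH = "http://jabber.org/features/iq-auth"

# Openfire's default sasl.mechs value as quoted in the thread.
OPENFIRE_DEFAULT_MECHS = ("ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,SCRAM-SHA-1,"
                          "JIVE-SHAREDSECRET,GSSAPI,EXTERNAL")

# Constructed sample: features with sasl.mechs restricted to GSSAPI,
# modelled on the garbled packet in the first post.
FEATURES_GSSAPI_ONLY = (
    '<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>GSSAPI</mechanism></mechanisms>'
    '<compression xmlns="http://jabber.org/features/compress"><method>zlib</method>'
    '</compression></stream:features>')

# Features after sasl.mechs was widened, copied from the Spark 2.7.7 capture.
FEATURES_AFTER_FIX = (
    '<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism>'
    '<mechanism>GSSAPI</mechanism><mechanism>EXTERNAL</mechanism></mechanisms>'
    '<compression xmlns="http://jabber.org/features/compress"><method>zlib</method>'
    '</compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>')


def parse_sasl_mechs(value):
    """Normalise a comma-separated sasl.mechs value: trim, uppercase, drop duplicates."""
    seen = []
    for raw in value.split(","):
        mech = raw.strip().upper()
        if mech and mech not in seen:
            seen.append(mech)
    return seen


def parse_features(fragment):
    """Extract STARTTLS, SASL mechanisms and legacy iq-auth from a features fragment."""
    # The fragment uses the 'stream' prefix but its declaration lives on the
    # enclosing <stream:stream>, so wrap it before handing it to the XML parser.
    wrapped = (f'<stream:stream xmlns:stream="{NS_STREAMS}" xmlns="jabber:client">'
               f'{fragment}</stream:stream>')
    root = ET.fromstring(wrapped)
    feats = root.find(f"{{{NS_STREAMS}}}features")
    if feats is None:
        raise ValueError("no <stream:features> element in fragment")
    mechs = [m.text.strip().upper() for m in feats.iter(f"{{{NS_SASL}}}mechanism")
             if m.text and m.text.strip()]
    return {
        "starttls": feats.find(f"{{{NS_TLS}}}starttls") is not None,
        "sasl_mechanisms": mechs,
        "legacy_iq_auth": feats.find(f"{{{NS_IQ_AUTH}}}auth") is not None,
    }


def diagnose(fragment, client_mechs, client_falls_back_to_iq_auth=False):
    """Return (verdict, usable_mechanisms) for a client with the given SASL support."""
    info = parse_features(fragment)
    client = {m.upper() for m in client_mechs}
    usable = [m for m in info["sasl_mechanisms"] if m in client]
    if usable:
        return "sasl-ok", usable
    if info["sasl_mechanisms"] == ["GSSAPI"]:
        # The situation in the thread: sasl.mechs=GSSAPI leaves password
        # clients nothing to try, so every login fails as "invalid password".
        verdict = "gssapi-only"
    elif info["sasl_mechanisms"]:
        verdict = "no-common-mechanism"
    else:
        verdict = "no-sasl-advertised"
    if client_falls_back_to_iq_auth:
        # Older clients try jabber:iq:auth; in Openfire 4.1 that path only
        # exists with the nonSaslAuthentication plugin, advertised as <auth/>.
        verdict += "-legacy-advertised" if info["legacy_iq_auth"] else "-legacy-not-advertised"
    return verdict, usable


if __name__ == "__main__":
    print(diagnose(FEATURES_GSSAPI_ONLY, ["PLAIN", "DIGEST-MD5"]))
    print(diagnose(FEATURES_AFTER_FIX, ["PLAIN", "DIGEST-MD5"]))
    print(diagnose(FEATURES_AFTER_FIX, ["DIGEST-MD5"], client_falls_back_to_iq_auth=True))
```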

Ok so it works with Spark 2.8.2 but doesn’t with 2.7.6.

Thanks

Getting ready to update to 4.1.1 in my environment. Our Openfire is deployed on an Ubuntu server with LDAP authentication against Windows Server 2012 R2 Active Directory. We currently use Spark 2.7.7 (2.8.x exhibits an avatar refresh issue, so that's why we are still on 2.7.7) and my certificate is signed with our internal CA.

I was wondering given the info above will I run into the same issue as OP? I could restore from backup if it fails but would rather wait until issues have been resolved.

Thanks.

I can't say for sure as I am running Openfire on our AD server, running 2008 R2.

But it is likely 2.7.7 won’t be able to connect, even with the new non-SASL authentication plugin.

It may be possible that Spark clients older than 2.8.2 can’t and won’t work with Openfire >= 4.1.0.

Please note that 2.8.2 Spark client wasn’t able to connect to Openfire < 4.1.0 in my case.

Thanks for the response. I quickly built a test server and was able to test 4.1.1 in my environment. It worked without issue so I updated production and it worked as well. I had to correct a DNS error I was getting on the main page though but our 2.7.7 clients still worked before correcting it. All I did was add the property “xmpp.fqdn” with my server’s fqdn.