
Openfire SSO


Hello,

I am writing this post as a last resort. I could not find a solution.

I can't get Spark to work with SSO.

I have Spark 2.6.3 on Windows 7 Pro, Openfire 3.8.2 on Windows Server 2012.

Configured:

  1. setspn -A xmpp/server.domain.local@DOMAIN.LOCAL xmpp-openfire
  2. ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL
  3. ktab -k xmpp.keytab -a xmpp/server.domain.local@DOMAIN.LOCAL

kinit -k -t  xmpp.keytab xmpp/server.domain.local@DOMAIN.LOCAL p@ssword

I copied the keytab to the resources folder.

4. Through the web console, System Properties:

provider.auth.className             org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.authorization.classList    org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy
provider.group.className            org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className             org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className            org.jivesoftware.openfire.ldap.LdapVCardProvider
sasl.gssapi.config                  C:/Program Files (x86)/Openfire/conf/gss.conf
sasl.gssapi.debug                   true
sasl.gssapi.useSubjectCredsOnly     false
sasl.mechs                          GSSAPI
sasl.realm                          DOMAIN.LOCAL
xmpp.auth.anonymous                 true
xmpp.domain                         server
xmpp.fqdn                           server.domain.local
xmpp.session.conflict-limit         0
xmpp.socket.ssl.active              true

5. GSS.conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.LOCAL"
    principal="xmpp/server.domain.local@DOMAIN.LOCAL"
    debug=true;
};

6. krb5.ini copied to server and client in Windows

[libdefaults]
    default_realm = DOMAIN.LOCAL
    noaddresses = true

[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        default_domain = domain.local
    }

[domain_realms]
    invenire.local = DOMAIN.LOCAL
    .invenire.local = DOMAIN.LOCAL

7. Changed registry for both server and clients

8. Also changed java encryption policies by changing files in jre/lib/security

 

In the Spark log I get this:

 

2013-08-13 16:46:49 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
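
A consistency check over the krb5.ini and service principal shown in this post, as an added example that is not part of the original post: it parses the file, flags section names that are not documented krb5.conf sections, and checks that the principal's host is mapped to its realm. The function names and the embedded sample are constructed for illustration, and the findings are items to review rather than a diagnosis of the error above.

```python
import re
# Constructed sample: the krb5.ini and JAAS principal as posted above.
KRB5_INI = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    noaddresses = true
[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        default_domain = domain.local
    }
[domain_realms]
    invenire.local = DOMAIN.LOCAL
    .invenire.local = DOMAIN.LOCAL
"""
PRINCIPAL = "xmpp/server.domain.local@DOMAIN.LOCAL"
# Section names documented for krb5.conf / krb5.ini.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging"}

def parse_krb5(text):
    """Return {section: {key: value}}; realm sub-blocks are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value != "{":          # skip the "REALM = {" opener
                current[key] = value
    return sections

def lint(krb5_text, principal):
    """List inconsistencies between a krb5.ini and a service/host@REALM principal."""
    cfg = parse_krb5(krb5_text)
    host, realm = principal.split("/", 1)[1].rsplit("@", 1)
    findings = [f"unknown section [{n}]" for n in cfg if n not in KNOWN_SECTIONS]
    if cfg.get("libdefaults", {}).get("default_realm") != realm:
        findings.append(f"default_realm differs from principal realm {realm}")
    # A domain_realm key matches the exact host, or as a suffix when it starts with "."
    hits = [r for d, r in cfg.get("domain_realm", {}).items()
            if host == d or (d.startswith(".") and host.endswith(d))]
    if realm not in hits:
        findings.append(f"no [domain_realm] entry maps {host} to {realm}")
    return findings
```
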


