We have been playing with Kerberos for a couple of days now and have got some steps working. But authentication via SSO within Openfire is still not working completely.
Openfire (3.7.0) is running on Windows Server 2008 R2 (64bit)
KDC is a Windows Server 2008 R2 (64bit)
Client (Spark 2.6.1.12532) is running on Windows 7
Active Directory domain name: noerr.local
KDC: m-dc01.noerr.local
Openfire server: m-im01.noerr.local
Active Directory user for Kerberos: xmpp-openfire
Settings for this user: "user cannot change password", "password never expires", "use kerberos DES encryption types for this account", "do not require kerberos preauthentication"
What we have done so far:
On the KDC
setspn -A xmpp/m-im01.noerr.local@NOERR.LOCAL xmpp-openfire
Registering ServicePrincipalNames for CN=OpenFire AD Kerberos Service Account,OU=ServiceAccounts,OU=Global,DC=noerr,DC=local
xmpp/m-im01.noerr.local@NOERR.LOCAL
Updated object
ktpass -princ xmpp/m-im01.noerr.local@NOERR.LOCAL -mapuser xmpp-openfire@noerr.local -pass * -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: M-DC01.noerr.local
Successfully mapped xmpp/m-im01.noerr.local to xmpp-openfire.
Type the password for xmpp/m-im01.noerr.local:
Type the password again to confirm:
Password succesfully set!
Key created.
On the Openfire server
ktab -k xmpp.ktab -a xmpp/m-im01.noerr.local@NOERR.LOCAL
Password for xmpp/m-im01.noerr.local@NOERR.LOCAL:xxxxxxxxxxxxx
Done!
Service key for xmpp/m-im01.noerr.local@NOERR.LOCAL is saved in xmpp.ktab
xmpp.ktab moved to the Openfire resources folder.
gss.conf in the Openfire conf folder:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/PROGRA~2/Openfire/resources/xmpp.ktab"
doNotPrompt=true
useKeyTab=true
realm="NOERR.LOCAL"
principal="xmpp/m-im01.noerr.local@NOERR.LOCAL"
isInitiator=false
debug=true;
};
SASL-specific configuration in the Openfire database:
sasl.gssapi.config | C:/PROGRA~2/Openfire/conf/gss.conf |
sasl.gssapi.debug | true |
sasl.gssapi.useSubjectCredsOnly | false |
sasl.mechs | GSSAPI,PLAIN,CRAM-MD5,DIGEST-MD5,EXTERNAL,ANONYMOUS |
sasl.realm | NOERR.LOCAL |
xmpp.domain | noerr.local |
xmpp.fqdn | m-im01.noerr.local |
krb5.ini in the Windows folder on the Openfire server, in the Windows folder on the client, and on the client in C:\Users\xxx\Windows:
[libdefaults]
default_realm = NOERR.LOCAL
[realms]
NOERR.LOCAL = {
kdc = m-dc01.noerr.local
admin_server = m-dc01.noerr.local
default_domain = NOERR.LOCAL
}
[domain_realm]
noerr.local = NOERR.LOCAL
.noerr.local = NOERR.LOCAL
In the client registry we set the value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTGTSessionKey=1
But SSO login with Spark always fails.
We already tried to generate the ktab file on the KDC and to use that file, but with no success:
ktpass -princ xmpp/m-im01.noerr.local@NOERR.LOCAL -mapuser xmpp-openfire@noerr.local -pass * -ptype KRB5_NT_PRINCIPAL -out C:\xmpp.ktab
Targeting domain controller: M-DC01.noerr.local
Successfully mapped xmpp/m-im01.noerr.local to xmpp-openfire.
Type the password for xmpp/m-im01.noerr.local:
Type the password again to confirm:
Password succesfully set!
Key created.
Output keytab to C:\xmpp.ktab:
Keytab version: 0x502
keysize 70 xmpp/m-im01.noerr.local@NOERR.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x6ca54b4afb5b0681d1aa6c2cd8f3694d)
The only messages we get are in openfire-debug.log:
2011.07.20 10:58:22 [/172.16.0.55:59730] Data Read: org.apache.mina.filter.support.SSLHandler@94124f (HeapBuffer[pos=0 lim=22 cap=64: 17 03 01 00 11 E7 0A 1E B7 55 74 A3 A7 14 DE 4C D2 17 49 46 BE 7F])
2011.07.20 10:58:22 [/172.16.0.55:59730] unwrap()
2011.07.20 10:58:22 [/172.16.0.55:59730] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=22 cap=16665]
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 22 bytesProduced = 1
2011.07.20 10:58:22 [/172.16.0.55:59730] inNetBuffer: java.nio.DirectByteBuffer[pos=22 lim=22 cap=16665]
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 0 bytesProduced = 0
2011.07.20 10:58:22 [/172.16.0.55:59730] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]
2011.07.20 10:58:22 [/172.16.0.55:59730] app data read: HeapBuffer[pos=0 lim=1 cap=1: 20] (20)
2011.07.20 10:58:22 Launching thread for /172.16.0.55:59730
2011.07.20 10:58:22 Exiting since queue is empty for /172.16.0.55:59730
And on the client side, in Spark's error.log:
WARNING: Exception in Login:
SASL authentication failed:
-- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:984)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:218)
at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:707)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:984)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:218)
at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:707)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 10 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 18 more
Can anyone help us? This silly problem is driving us crazy...
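An added check, not part of the original post and not code from Openfire, Spark or Microsoft: the post shows two keytabs being produced (one with ktab -a on the Openfire server, one with ktpass -out on the KDC), and the ktpass output lists exactly the fields that have to agree with the KDC (principal, ptype, vno, etype, keylength). The script below parses the MIT 0x0502 keytab format those tools write, prints the same fields ktpass prints (without the key bytes), and flags an entry whose kvno differs from what the KDC reported or that carries only DES keys. All function and variable names are my own; the sample keytab is constructed inside the script with a dummy key, so nothing from the post's key material is reused.

```python
"""Parse and sanity-check an MIT-format (version 0x0502) Kerberos keytab.

Added example for the Openfire/Kerberos post; not the poster's code.
The sample keytab at the bottom is constructed in-code with a dummy key.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

ENCTYPES: Dict[int, str] = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
NAME_TYPES: Dict[int, str] = {
    1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST",
}
DES_ENCTYPES = (1, 3)


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # the ktpass -ptype value (1 = KRB5_NT_PRINCIPAL)
    timestamp: int   # seconds since epoch when the entry was written
    kvno: int        # key version number; must match the KDC's current kvno
    enctype: int     # 0x17 = RC4-HMAC, 0x12 = AES256-CTS, 0x11 = AES128-CTS
    key: bytes       # raw key material; never log or print this


def _counted(buf: bytes, off: int):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab, header %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # entry size, signed
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: realm not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Inverse of parse_keytab; used here only to construct sample input."""
    out = b"\x05\x02"
    for e in entries:
        comps_str, realm = e.principal.rsplit("@", 1)
        comps = comps_str.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        if e.kvno > 0xFF:            # kvno does not fit in 8 bits: append 32-bit form
            body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def describe(e: KeytabEntry) -> str:
    """ktpass-style summary line, deliberately without the key bytes."""
    return "%s ptype %d (%s) vno %d etype 0x%x (%s) keylength %d" % (
        e.principal, e.name_type, NAME_TYPES.get(e.name_type, "?"), e.kvno,
        e.enctype, ENCTYPES.get(e.enctype, "?"), len(e.key))


def check_keytab(data: bytes, principal: str, kdc_kvno: int) -> List[str]:
    """Compare a keytab against the principal and vno the KDC reported (the
    'vno' in ktpass output). Returns a list of problems; empty means OK."""
    matches = [e for e in parse_keytab(data) if e.principal == principal]
    if not matches:
        return ["no entry for %s" % principal]
    problems = []
    for e in matches:
        if e.kvno != kdc_kvno:
            problems.append("%s: keytab kvno %d but KDC kvno %d, regenerate the keytab"
                            % (principal, e.kvno, kdc_kvno))
        if e.enctype in DES_ENCTYPES:
            problems.append("%s: DES key (etype %d); Windows 7 / 2008 R2 disable DES by default"
                            % (principal, e.enctype))
    return problems


# Constructed sample: same shape as the ktpass output in the post (70-byte entry,
# ptype 1, vno 6, etype 0x17, 16-byte key) but with a dummy, non-secret key.
SAMPLE_PRINCIPAL = "xmpp/m-im01.noerr.local@NOERR.LOCAL"
SAMPLE_KEYTAB = build_keytab([KeytabEntry(SAMPLE_PRINCIPAL, 1, 1311120000, 6, 0x17,
                                          bytes(range(16)))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(describe(entry))
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, 6))
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, 7))
```

To run it against the real file, read it as bytes (for example `parse_keytab(open(r"C:\PROGRA~2\Openfire\resources\xmpp.ktab", "rb").read())`) and pass the vno from the ktpass output to `check_keytab`; a keytab written by a different tool, or after the account password changed, will show a different kvno than the KDC and every AP-REQ will then fail to decrypt. Two caveats a practitioner would add: ktpass prints the raw key, and for RC4-HMAC that value is the account's NT hash, so the key line in the ktpass output (and any forum post quoting it) is a credential and the service account password should be rotated; and the script only checks the keytab, it cannot see the client side, where the trace in the post shows the TGS-REP itself failing its integrity check before any keytab on the server is consulted.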