Hello,
The history: A long time ago there was an Openfire 3.9.3 server with SSO working like a charm, but a decision was made to update it to 3.10. After that, SSO stopped working, even with a rollback to 3.9.3; nothing helped. For some time we had to use manual login. After the update to 3.10.3, SSO started working again, until last week when I had to restart the server. It was a simple restart, nothing changed, but SSO stopped again.
What I tried:
- update to 4.0.1
- reset AD account
- new keytab
- DNS tests
- Step by step How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2
Server: Windows Server 2008 R2, Openfire 4.0.1.
Clients: Windows 7-10 Pro, Miranda-NG (Spark only for tests)
Miranda log: <error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error>
Openfire Info log: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed
Openfire Debug log:
org.apache.mina.filter.ssl.SslHandler - Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
    at org.apache.mina.filter.ssl.SslHandler.destroy(SslHandler.java:204)
    at org.apache.mina.filter.ssl.SslFilter.sessionClosed(SslFilter.java:439)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$900(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.sessionClosed(DefaultIoFilterChain.java:750)
    at org.apache.mina.core.filterchain.IoFilterAdapter.sessionClosed(IoFilterAdapter.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:382)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireSessionClosed(DefaultIoFilterChain.java:375)
    at org.apache.mina.core.service.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:244)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeNow(AbstractPollingIoProcessor.java:600)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.removeSessions(AbstractPollingIoProcessor.java:560)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$800(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1132)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
gss.conf
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files (x86)/Openfire/resources/jabber.keytab"
        doNotPrompt=true
        useKeyTab=true
        isInitiator=false
        debug=true
        realm="DOMAIN.LOCAL"
        principal="xmpp/server.domain.local@DOMAIN.LOCAL";
};
openfire.xml
[...]
<!-- sasl configuration -->
<sasl>
    <!-- Set this to your Kerberos realm name which is usually your AD domain name in all caps. -->
</sasl>
<authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
krb5.ini
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }

[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL
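One mismatch worth ruling out with a config like the one above is between the keytab and the two files that describe it: the keytab must hold a key for exactly the principal named in gss.conf, and at least one of its keys must use an enctype that krb5.ini's permitted_enctypes list allows (the list above permits only RC4 and DES variants, so a keytab written with AES keys only would never be usable by the acceptor). The script below is an added example, not code from the post or from Openfire: it parses a version-2 (MIT/Java) keytab, reads the principal out of the gss.conf fragment and the permitted enctypes out of the krb5.ini fragment with simple regular expressions (an assumption that the files look like the ones posted), and reports any mismatch. The keytabs it checks are constructed in the script itself, so it runs offline; point parse_keytab at the real jabber.keytab bytes to check a live server.

```python
import re
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) for the names used in krb5.ini.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

# The relevant parts of the two config fragments from the post.
GSS_CONF = '''com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
  keyTab="C:/Program Files (x86)/Openfire/resources/jabber.keytab" doNotPrompt=true
  useKeyTab=true isInitiator=false debug=true realm="DOMAIN.LOCAL"
  principal="xmpp/server.domain.local@DOMAIN.LOCAL";
};'''
KRB5_INI = '''[libdefaults]
default_realm = DOMAIN.LOCAL
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
'''


def _counted_string(buf, pos):
    """Read a keytab counted octet string (uint16 length followed by the bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab as written by ktpass/MIT; return one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # a negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen          # the key bytes themselves are not needed for this check
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "enctype-%d" % enctype)})
        pos = end
    return entries


def build_keytab(keys):
    """Build a constructed version-2 keytab from (principal, enctype, key, kvno) tuples (sample data only)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, gss_conf=GSS_CONF, krb5_ini=KRB5_INI):
    """Compare a keytab with the gss.conf principal and the krb5.ini permitted enctypes.
    Returns a list of problem strings; an empty list means the acceptor can use the keytab."""
    want = re.search(r'principal="([^"]+)"', gss_conf).group(1)
    m = re.search(r"permitted_enctypes\s*=\s*(.+)", krb5_ini)
    allowed = set(m.group(1).split()) if m else set()
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == want]
    problems = []
    if not matching:
        problems.append("keytab holds no key for %s (found: %s)"
                        % (want, sorted({e["principal"] for e in entries})))
    elif allowed and not any(e["enctype_name"] in allowed for e in matching):
        problems.append("no key for %s uses a permitted enctype: keytab offers %s, krb5.ini permits %s"
                        % (want, sorted({e["enctype_name"] for e in matching}), sorted(allowed)))
    return problems


# Constructed samples: a keytab holding only an AES256 key and one holding an RC4 key.
PRINCIPAL = "xmpp/server.domain.local@DOMAIN.LOCAL"
AES_ONLY_KEYTAB = build_keytab([(PRINCIPAL, 18, b"\x11" * 32, 3)])
RC4_KEYTAB = build_keytab([(PRINCIPAL, 23, b"\x22" * 16, 3)])

if __name__ == "__main__":
    for label, keytab in (("aes-only", AES_ONLY_KEYTAB), ("rc4", RC4_KEYTAB)):
        print(label, check_keytab(keytab) or "ok")
```

Run against the real file with `check_keytab(open(path, "rb").read())`; the first sample is flagged because none of its enctypes appear in the posted permitted_enctypes list, the second passes. A principal mismatch (for example a keytab written for host/ instead of xmpp/, or with a different case in the host part) is reported separately, since Kerberos compares the whole principal string.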