Hi All,
I would like to set up Openfire/SPARK with SSO and it doesn't work for me. I spent more than 20 hours diagnosing problems. Some are solved, but now I need help.
My Environment:
Windows Server 2012 as Domain Controller (openfiredc.mc.gov.pl)
Windows 10 system connected to domain with SPARK 2.8.0 as xmpp client
Debian Jessie 8.5 as Openfire server (openfire.mc.gov.pl)
root@openfire:/usr/local# java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
All systems are synchronized with NTP
Forward and Reverse DNS configured including _kerberos and _xmpp SRV records
I think I've done everything according to SSO Configuration
Openfire Configuration:
/etc/krb5.conf:
[libdefaults]
default_realm = MC.GOV.PL
[realms]
MC.GOV.PL = {
kdc = openfiredc.mc.gov.pl
admin_server = openfiredc.mc.gov.pl
default_domain = mc.gov.pl
}
[domain_realm]
.mc.gov.pl = MC.GOV.PL
mc.gov.pl = MC.GOV.PL
Created the XMPP SPN, mapping and keytab according to DOC-1060. Verification on the Openfire server:
root@openfire:/usr/local# kinit -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfire.mc.gov.pl@MC.GOV.PL -V
Using default cache: /tmp/krb5cc_0
Using principal: xmpp/openfire.mc.gov.pl@MC.GOV.PL
Using keytab: /usr/share/openfire/resources/xmpp.keytab
Authenticated to Kerberos v5
gss.conf file:
root@openfire:/usr/local# cat /etc/openfire/gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/usr/share/openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="MC.GOV.PL"
principal="xmpp/openfire.mc.gov.pl@MC.GOV.PL"
isInitiator=false
debug=true;
};
SASL configuration added to openfire.x
<sasl>
<mechs>GSSAPI</mechs>
<realm>MC.GOV.PL</realm>
<gssapi>
<debug>true</debug>
<config>/etc/openfire/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
SPARK client configuration:
Registry modified according to DOC-1060
SSO uses krb5.ini
Problem Description:
SPARK starts the XMPP conversation
<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
Openfire Server answers:
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
SPARK sends a TGS-REQ for krbtgt@MC.GOV.PL (MC.GOV.PL) and receives a ticket (TGS-REP)
SPARK sends a TGS-REQ for xmpp@openfire.mc.gov.pl (MC.GOV.PL) and receives a ticket (TGS-REP)
SPARK sends an XMPP message to the Openfire server:
<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAM
.................................
CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug==</auth>
And this is the moment where Openfire has a problem.
Openfire sends an answer to SPARK:
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
In the logs I can see only:
2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 5
Queue : [MESSAGE_RECEIVED, ]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 5
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 5
2016.09.17 21:03:02 INFO [socket_c2s-thread-3]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.ssl.SslFilter - Session Server[5](SSL): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=77 cap=128: 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22...]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 5
2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 5
Queue : [MESSAGE_SENT, ]
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 5
2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 5
Please help, I have no idea what is wrong.
Regards, Adam
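When the acceptor reports "Failure to initialize security context", the first thing worth knowing is exactly what the client put in the AP-REQ: which service principal it obtained a ticket for, which encryption type the KDC used for that ticket, and which key version number (kvno). All three must match an entry in the acceptor's keytab, and a kvno or enctype mismatch between ticket and keytab is one common reason Krb5LoginModule cannot decrypt the ticket. The script below is an added example written for this page; it is not Openfire or Spark code. It is a minimal DER walker (standard library only) over the head of the base64 <auth> token from the post. The input is assembled from the two fragments the post shows: the first fragment ends mid-quartet ("...oAM") and the second completes it ("CAQC..."), and the post's dotted line elides only the ticket ciphertext, which the parser never needs. That the two fragments are contiguous is an assumption, made explicit in a comment; the DER lengths line up under it. The keytab path in the usage hint is the one the post uses.

```python
"""Decode the head of a SASL GSSAPI initial token (RFC 4121 InitialContextToken
carrying a Kerberos AP-REQ) far enough to read the service principal, realm,
enctype and kvno of the ticket the client presented.  Added example for this
thread, not Openfire or Spark code; standard library only."""
import base64

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
KRB_AP_REQ_TOK_ID = 0x0100                             # RFC 4121 TOK_ID for KRB_AP_REQ
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

# The two visible base64 fragments from the post, joined.  ASSUMPTION: they are
# contiguous (the first ends mid-quartet, the second completes it) and the dotted
# line in the post elides only ticket ciphertext, which is never parsed here.
SPARK_TOKEN_HEAD = (
    "YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+g"
    "AwIBBaELGwlNQy5HT1YuUEyiJTAjoAM"
    "CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ"
)


def read_tlv(buf, pos):
    """Return (tag, length, value_offset) for the DER element at pos.
    Handles single-byte tags and short/long-form lengths; tolerates a buffer
    that ends before the declared length (the outer lengths here exceed the
    truncated input on purpose)."""
    if pos + 2 > len(buf):
        raise ValueError(f"token truncated at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, length, pos


def expect(buf, pos, tag):
    """Read one element and insist on its tag; return (length, value_offset)."""
    t, length, vpos = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, found 0x{t:02x}")
    return length, vpos


def read_int(buf, pos, ctx_tag):
    """Read '[n] INTEGER' (Kerberos context-tagged integer); return (value, next)."""
    _, p = expect(buf, pos, ctx_tag)
    length, p = expect(buf, p, 0x02)
    return int.from_bytes(buf[p:p + length], "big", signed=True), p + length


def read_gstring(buf, pos):
    """Read a GeneralString (tag 0x1b, used for Realm and name components)."""
    length, p = expect(buf, pos, 0x1B)
    return buf[p:p + length].decode("ascii"), p + length


def parse_gssapi_apreq_head(token_b64):
    """Walk InitialContextToken -> AP-REQ -> Ticket up to the start of enc-part.cipher."""
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    info = {}
    length, p = expect(raw, 0, 0x60)                 # [APPLICATION 0] InitialContextToken
    info["declared_token_len"] = p + length          # header bytes + body = full token size
    length, p = expect(raw, p, 0x06)                 # thisMech OID
    info["mech_is_krb5"] = raw[p:p + length] == KRB5_MECH_OID
    p += length
    info["tok_id"] = int.from_bytes(raw[p:p + 2], "big")
    p += 2
    _, p = expect(raw, p, 0x6E)                      # [APPLICATION 14] AP-REQ
    _, p = expect(raw, p, 0x30)
    info["pvno"], p = read_int(raw, p, 0xA0)
    info["msg_type"], p = read_int(raw, p, 0xA1)     # 14 = KRB_AP_REQ
    _, p = expect(raw, p, 0xA2)                      # ap-options [2] BIT STRING
    length, p = expect(raw, p, 0x03)
    flags = int.from_bytes(raw[p + 1:p + length], "big")   # skip unused-bits byte
    info["mutual_required"] = bool(flags & 0x20000000)      # RFC 4120 bit 2
    p += length
    _, p = expect(raw, p, 0xA3)                      # ticket [3]
    _, p = expect(raw, p, 0x61)                      # [APPLICATION 1] Ticket
    _, p = expect(raw, p, 0x30)
    info["tkt_vno"], p = read_int(raw, p, 0xA0)
    _, p = expect(raw, p, 0xA1)                      # realm [1]
    info["realm"], p = read_gstring(raw, p)
    _, p = expect(raw, p, 0xA2)                      # sname [2] PrincipalName
    _, p = expect(raw, p, 0x30)
    info["sname_type"], p = read_int(raw, p, 0xA0)
    _, p = expect(raw, p, 0xA1)                      # name-string [1] SEQUENCE OF GeneralString
    length, p = expect(raw, p, 0x30)
    end, parts = p + length, []
    while p < end:
        s, p = read_gstring(raw, p)
        parts.append(s)
    info["sname"] = "/".join(parts)
    _, p = expect(raw, p, 0xA3)                      # enc-part [3] EncryptedData
    _, p = expect(raw, p, 0x30)
    info["etype"], p = read_int(raw, p, 0xA0)        # key type the KDC encrypted the ticket with
    info["kvno"], p = read_int(raw, p, 0xA1)         # key version the acceptor's keytab must hold
    _, p = expect(raw, p, 0xA2)
    info["cipher_len"], p = expect(raw, p, 0x04)     # ciphertext itself is not decoded
    return info


def describe(info):
    """One line naming exactly what to compare against the keytab listing."""
    return (f"AP-REQ for {info['sname']}@{info['realm']}: etype {info['etype']} "
            f"({ETYPE_NAMES.get(info['etype'], 'unknown')}), kvno {info['kvno']}, "
            f"mutual auth {'required' if info['mutual_required'] else 'not required'}")


if __name__ == "__main__":
    print(describe(parse_gssapi_apreq_head(SPARK_TOKEN_HEAD)))
    print("compare with: klist -k -t -e /usr/share/openfire/resources/xmpp.keytab")
```

Run it and compare the printed principal, enctype and kvno with the keytab listing from klist -k -t -e on the Openfire host: the keytab must contain an entry for the same principal with the same enctype and the same kvno, or the acceptor cannot decrypt the ticket. The decoded declared token length (1354 bytes) also agrees with the post's full token ending in "==", which is what a 1354-byte value base64-encodes to.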