Feed for content matching tag 'sasl'

billj@nortel.com — Thu, 01 Jan 1970 00:00:00 GMT

I am using Smack 3.0.4 with openfire 3.5.2.

On the client side (using smack) I am using ConnectionConfiguration to create the XMPPConnection in the following fashion:

      ConnectionConfiguration config = new ConnectionConfiguration(host, port, serviceName);
      config.setSelfSignedCertificateEnabled(true);
      config.setReconnectionAllowed(true);
      config.setCompressionEnabled(false);
      config.setSASLAuthenticationEnabled(true);
      config.setSecurityMode(ConnectionConfiguration.SecurityMode.enabled);

When I don't resolve the "host", then the XMPPConnection and underlying objects will perform a DNS lookup and when I login everything connects just fine.

String host = "billj-1"; // Note this resolves to 47.102.157.252

int port = 5222;

String serviceName = "billj-1";

Note that the openfire server name is configured as "billj-1".

However if I resolve the hostname myself and pass the IP for the host then I get a SASL Exception on the openfire server.

String host = "47.102.157.252";

int port = 5222;

String serviceName = "billj-1";

2008.08.19 01:56:36 NIOConnection: startTLS: using c2s
2008.08.19 01:56:36 SASLAuthentication: SaslException
javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Nonexistent realm: 47.102.157.252
    at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(Unknown Source)
    at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :282)

This format / behavior for the ConnectionConfiguration constructor seems to be allowed:

    /**
     * Creates a new ConnectionConfiguration using the specified host, port and
     * service name. This is useful for manually overriding the DNS SRV lookup
     * process that's used with the {@link #ConnectionConfiguration(String)}
     * constructor. For example, say that an XMPP server is running at localhost
     * in an internal network on port 5222 but is configured to think that it's
     * "example.com" for testing purposes. This constructor is necessary to connect
     * to the server in that case since a DNS SRV lookup for example.com would not
     * point to the local testing server.
     *
     * @param host the host where the XMPP server is running.
     * @param port the port where the XMPP is listening.
     * @param serviceName the name of the service provided by an XMPP server.
     */
    public ConnectionConfiguration(String host, int port, String serviceName) {
        init(host, port, serviceName);
    }

Note that if I turn off SASL Auth ("config.setSASLAuthenticationEnabled(false);") then the connection / login is successful when I specify the host IP (as expected).

I can't seem to find the mechanism to specify the realm to use with Smack. Is this something that is broken in Smack? (shouldn't it be using the realm from the returned challenge?) Or is there some mechanism to specify acceptable realms on the openfire server?

Thanks

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

Hey folks,

This is on a related note to my other thread about XMPP issued certificates, but since that issue was resolved (by getting certificates re-issued), I'm putting this issue in a new thread.

The problem I encountered is the following:

For secured server to server (s2s) connections, using both self-signed and CA-signed certificates, everything checks out fine between my live Openfire server and test Openfire server. However, when trying to make a similar connection to other jabber servers in the public network, it doesn't work. The difference being:

- Between 2 openfire servers, after TLS has been negotiated, the servers authenticate with SASL EXTERNAL (which according to the devs here, is bundeled with using TLS for s2s).

- Between openfire and other servers (I tried several that support TLS, all with the same result!), TLS is negotiated successfully, but then I get the message "Error, no SASL mechanisms were offered by (server name)", and it closes TLS with the option to use plaintext (unencrypted) dialback instead.

So, obviously, other jabber software doesn't offer SASL, or offers it in a way different than what Openfire expects. Since I, and my users, prefer encrypted streams where possible, I want to be able to have encrypted s2s connections to other jabber servers, even if they don't offer all the "expected" options for authentication.

I've scanned over the source to see where the connection debug messages come from, and at first glance (but I'm no java programmer) it doesn't seem too hard to add a property that could skip SASL -- Or would this not work? (to me it seems an optional step to have extra verification of the remote server)

Mark.

isaacvetter@gmail.com — Thu, 01 Jan 1970 00:00:00 GMT

Using Psi 0.11, with openfire 3.4.5 on Red Hat, I am running into this error:

"There was an error communicating with the server . Details: Authentication Error: No appropriate mechanism available for given security settings (e.g. SASL library too weak, or plaintext authentication not enabled)

Psi is configured with plaintext authentication disabled, but I thought that SASL support was part of the XMPP protocol.

Does anyone know how to make openfire allows SASL authentication from Psi ? (Is there perhaps a specific SASL mechanism that needs to be enabled on the server?)

Much Thanks,

Isaac Vetter

kaffe_02@yahoo.com — Thu, 01 Jan 1970 00:00:00 GMT

I have downloaded the latest spark source code and ran an "ant dist", went into the target/build/bin and ran the startup.sh script.

I put in my openfire server and used the credentials I had set up on the server and tried to log in. I saw this message in the console. I did a "svn up" to make sure I had the latest version, It says Im at 10106.

WARNING: Exception in Login:

SASL authentication failed:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 327)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:438)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:861)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:200)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:604)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:131)

at java.lang.Thread.run(Thread.java:619)

I downloaded spark 2.5.8 and tried to log on and I was able to log in.

Did I do something wrong on my build? Im not sure where I am going wrong here, thanks for all of your help.

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

I've been wrestling with this 'three-headed dog' of an error for a few days now , I've been reading and searching but I haven't found the answer yet.?:|

To the best of my knowledge, I have read and followed the directions written by slushpupie and Poppa Smurf.

I have added the registry value on the client, and the krb.ini is in place.

I used ktpass to generate the key table file but I have also tried the java utility from the openfire jre folder, and when I used that keytab it didnt seem to help.

I've looked at the logs in openfire for useful data but I don't know what to look for there, I haven't noticed anything in the openfire server logs that is helpful. When I enable SSO in Spark my username shows up but when I try to log in it gives me the error "Please check your principle and server settings" I know there are a lot of parts that need to be in place to get this to work, so here we go: (sorry about the formatting)

*ERROR from Spark warn.log*

Mar 10, 2008 10:35:42 AM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 209)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

*krb5.ini*

libdefaults

default_realm = MY.DOMAIN.COM

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

realms

MY.DOMAIN.COM = {

kdc = mydc.my.domain.com

admin_server = mydc.my.domain.com

default_domain = my.domain.com

}

domain_realms

my.domain.com= MY.DOMAIN.COM

.my.domain.com = MY.DOMAIN.COM

*gss.conf*

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab="C:/Program Files/Openfire/resources/chat.keytab"

doNotPrompt=true

useKeyTab=true

realm="MY.DOMAIN.COM"

principal="xmpp/chat.my.domain.com@MY.DOMAIN.COM"

debug=true;

};

*openfire.xml*

<sasl>

<mechs>GSSAPI</mechs>

<realm>MY.DOMAIN.COM</realm>

<config>C:/Program Files/openfire/conf/gss.conf</config>

<useSubjectCredsOnly>false</useSubjectCredsOnly>

</gssapi>

</sasl>

<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</cla ssList>

</authorization>

akrherz@iastate.edu — Thu, 01 Jan 1970 00:00:00 GMT

Hi,

Could one of the Openfire devs check out this Pidgin ticket and comment on it?

http://developer.pidgin.im/ticket/2095

The problem is that when pidgin gets disconnected from Openfire (for some network reason), pidgin can't reconnect without restarting Pidgin. The pidgin ticket indicates there may be a bug with the SASL bits used by Openfire.

thanks,

daryl

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

even if the server property xmpp.client.tls.policy is set to required, Openfire will offer sasl mechanisms, including plain.

PLAIN EXTERNAL GSSAPI If/when the client attempts to use one of the offered mechanisms, Openfire will proceed through the full sasl negotation, and then sends an empty stream:features tag: ]]>

It looks like several bugs here:

first, if tls is required OF should probably not be offering SASL mechanisms until starttls has been negotiated.

Second, if the client still attempts to use SASL over an unencrypted connection (when tls is required), OF should not negotiate (in particular, it should not indicate success for an SASL plain authentication attempt).

Third, OF probably shouldn't be sending an empty stream:features tag. I would guess that the right thing to do would be to simply offer the starttls feature again -- or possibly close the stream.

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

I tried to update from 3.3.3 to 3.4.1 tonight to find out Pop3 authentication doesn't work in 3.4.1.

My server run on windows2000, mysq, hmailserver.

I installed using the exe package, everything updated fine, the service started. But not a single one can authenticate, not even the admin from the web console.

I had to revert to 3.3.3 for now. Seems to be because sasl doesn't like plain username.

I'm wondering if I should open a bugreport, cause it work in 3.3.3...

In the warn.log I get:

2007.11.14 18:20:56 SaslException

javax.security.sasl.SaslException: PLAIN authentication failed Caused by javax.security.sasl.SaslException: PLAIN: user not authorized: user

at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerP lainImpl.java:144)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :229)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:162)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :240)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:284)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: user

at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerP lainImpl.java:127)

... 17 more

My config is as simple as that:

<className>org.jivesoftware.database.DefaultConnectionProvider</classN ame>

</connectionProvider>

<driver>com.mysql.jdbc.Driver</driver>

<serverURL>jdbc:mysql://localhost:3306/openfire</serverURL>

</defaultProvider>

</database>

<auth>

<className>org.jivesoftware.openfire.auth.POP3AuthProvider</className& gt;

</auth>

<user>

<className>org.jivesoftware.openfire.user.POP3UserProvider</className& gt;

</user>

</provider>

<pop3>

<domain>domain.com</domain>

</pop3>

cyp@lipousse.no-ip.org — Thu, 01 Jan 1970 00:00:00 GMT

Hello,

Sorry for my english

I want to use the database MySQL user of open-Xchange for my authentification.

I have a problem SASL authentication.

Here logs logs/warn.log

Javax.security.sasl.SaslException: PLAIN authentication failed Caused by javax.security.sasl.SaslException: PLAIN: user not authorized: oxadmin

...

Caused by: javax.security.sasl.SaslException: PLAIN: user not authorized: oxadmin

My configuration file conf/openfire.xml Com.mysql.jdbc.Driver jdbc: mysql://localhost:3306/open-xchange-db?User=openexchange&password=XXXX org.jivesoftware.openfire.auth.JDBCAuthProvider org.jivesoftware.openfire.user.JDBCUserProvider SELECT user.userPassword FROM user, login2user WHERE user.id=login2user.id AND login2user.uid=? md5 SELECT login2user.uid, user.mail FROM user, login2user WHERE user.id=login2user.id AND login2user.uid=? SELECT COUNT (*) FROM user SELECT uid FROM login2user SELECT uid FROM login2user WHERE login2user.uid login2user.uid user.mail org.jivesoftware.database.DefaultConnectionProvider]]>

My config imap for authentication via SASL is PLAIN. The problem is here ?

Do you have an idea?

Regards,

Cyp

vchat20@gmail.com — Thu, 01 Jan 1970 00:00:00 GMT

This is in reference to the post made here and the suggestion to create a new thread.

Up to this point, openfire 3.3.1 and 3.3.2 have worked just fine for me with no issues on any configuration I set it up with. Now once updated to 3.3.3, I am having connection issues related to the SSL/TLS security options in openfire. The above linked post has most of the details, but here are the cliffnotes:

Trying three different clients: Bombus (J2ME jabber client for cellphones. related cellphone has full socket connection support with no limitations) and Miranda IM (PC IM client with jabber plugin) and Spark.

Spark works in every config but being dev'd by the same company and not really being a PRIMARY client and more of a way to debug this issue, I have pushed it aside in this case.

Bombus: Can't do SSL due to no support for self-signed certs in the phone JVM. With encryption required in openfire, bombus reads 'login failed' after it tries to authenticate. Security set as optional and SASL enabled on bombus (I ASSUME this is the same as TLS. If not, someone feel free to correct me), it hits the authentication stage and just sits there doing nothing till I close out of the app.

Miranda IM: Encryption required causes a 'not authorized' error to pop up whether I have it set to connect unencrypted, with SSL, or with TLS in the client options. Encryption optional it connects fine in all cases.

If someone could help narrow down the issue here, that'd be extremely helpful.

herbert.poul@gmail.com — Thu, 01 Jan 1970 00:00:00 GMT

Hi,

i have read a couple of threads about gmail authentication (![http://www.igniterealtime.org/issues/images/icons/bug.gif!] SMACK-224 - related) - but it didn't help me unfortunately ..

i'm trying to authenticate with gmx (gmx.at) but no combination of sasl authentication, plain sasl authentication, non-sasl authentication, security mode disabled, enabled, etc. seems to work

packets sent:

AHNvbWVfYm9keQBUaGVCZXN0 packets received: PLAIN PLAIN PLAIN PLAIN stack trace: SCHWERWIEGEND: Error while validating account (id: {some_body@gmx.at}) net.sphene.goim.core.exceptions.GOIMException: Error while trying to validate account: No response from the server. at net.sphene.goim.protocol.jabber.connection.JabberAccountConnection.validateAccount(JabberAccountConnection.java:391) at net.sphene.goim.protocol.jabber.ui.wizards.account.AccountWizard$1.run(AccountWizard.java:62) at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:113) Caused by: No response from the server.: at org.jivesoftware.smack.SASLAuthentication.bindResourceAndEstablishSession(SASLAuthentication.java:307) at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:214) at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341) at net.sphene.goim.protocol.jabber.connection.JabberAccountConnection.validateAccount(JabberAccountConnection.java:387) ... 2 more any ideas ? i can also post the transcript+backtrace of NonSASL authentication if that helps ? (btw. i have tried it with another jabber client - psi .. it doesn't use SASL - and the main difference seems to be that it doesn't have the 'version="1.0"' in the ]]> tag .. - but maybe it simply uses another auth protocol .. i have no idea about that stuff unfortunately )

thanks,

herbert

http://goim2.sphene.net

aaron.giuoco@sbmatlantia.com — Thu, 01 Jan 1970 00:00:00 GMT

Hi all,

I have an Openfire 3.3.2 server setup on a RHEL4 box. It is using Active Directory as the directory. It works fine if users login with their usernames and passwords, but I can't get SSO to work properly.

I have followed the instructions in the Configuring Openfire for Use with Kerberos document and even set the kerberos registry key on my WinXP SP2 box that was mentioned in a couple of other threads. Below is the most recent entry from my warn.log on the server:

================================================

2007.08.23 12:16:21 SaslException

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at com.sun.security.sasl.gsskerb.GssKrb5Server.(Unknown Source)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)

at javax.security.sasl.Sasl.createSaslServer(Unknown Source)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:703)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:62)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:200)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :266)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:326)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)

... 20 more

Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)

at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$5.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)

at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

... 26 more

Any ideas what this error means or what I could do to fix it? Thanks.