Cannot connect to Openfire server with Sso

jhr

2011-10-13, 11:11 #1

Member since Oct 2011 · 4 posts
Group memberships: Members

Show profile ·

Link to this post

Subject: Cannot connect to Openfire server with Sso

Hi,

As the title of my post says, I cannot to my openfire server with MatriX.NET SDK.

This is how I have configured my instance of XmppClient

m_xmppClient.SetXmppDomain("vm-callisto-gis");
m_xmppClient.Username = "jhr";
//m_xmppClient.Password = "xx";
m_xmppClient.UseSso = true;
m_xmppClient.AnonymousLogin = false;
m_xmppClient.StartTls = false;
 
m_xmppClient.AutoRoster = true;
m_xmppClient.Compression = true;
m_xmppClient.AutoReplyToPing = true;
 
m_xmppClient.Open();

The event OnBeforeSasl() is well raised but nothing happen after.

I can see an error on my Openfire server :

2011.10.13 11:02:21 Closing connection due to error while processing message: <auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">AAA=</auth>
java.util.NoSuchElementException
at java.util.StringTokenizer.nextToken(Unknown Source)
at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerPlainImpl.java:114)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:269)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:169)
[....]

What does it mean ? Do I forget something on the configuration of my instance of XmppClient ?

Regards
Jerome

Alex

2011-10-13, 12:02 #2

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Hi Jerome,

can you please post the complete log of your session?

Quote by jhr:
2011.10.13 11:02:21 Closing connection due to error while processing message: <auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">AAA=</auth>

According to this MatriX authenticated with SASL PLAIN, not SSO (GSSAPI).
Is your Openfire server configured correctly for SSO, which means GSSAPI and Kerberos?

see also:
http://community.igniterealtime.org/docs/DOC-1060

Alex

jhr

2011-10-13, 13:17 #3

Member since Oct 2011 · 4 posts
Group memberships: Members

Show profile ·

Link to this post

Thank Alex for your fast response. I have no problem to connect to my server with Spark using Sso. So I think my server is well configured.

This is what I get when I trace the communication with Wireshark

Request: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="vm-callisto-gis" version="1.0" >

Response: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="vm-callisto-gis" id="d0f521e0" xml:lang="en" version="1.0">

Response: <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Request: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />

Response: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

[Cyphered Request, Response...]

Hope it will help you.

Regards
Jerome

Alex

2011-10-13, 13:28 #4

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Quote by jhr:
So I think my server is well configured.

I don't think so ;-)

Quote by jhr:
This is what I get when I trace the communication with Wireshark

follow the following link to see how to get the trace with MatriX.
http://www.ag-software.net/matrix-xmpp-sdk/matrix-develope…

I added comments to all the features your server advertises. It supports only username and password authentication. What your Spark client did is save the username and password you provided once in a encrypted password file. This means you don't have to enter this information again, but this is no SSO.

<stream:features>
   <!-- secure session with TLS -->
   <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>
   
   <!-- XMPP SASL authentication mechanism -->
   <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
      <!-- SASL PLAIN, username and password -->
      <mechanism>PLAIN</mechanism>
      <!-- Anonymous user login, this creates a temporary anonymous user for this session only -->
      <mechanism>ANONYMOUS</mechanism>
   </mechanisms>
   
   <!-- stream compression -->
   <compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression>
 
   <!-- old jabber style authentication, also username and password -->
   <auth xmlns="http://jabber.org/features/iq-auth"/>
   
   <!-- in band registration of new user accounts -->
   <register xmlns="http://jabber.org/features/iq-register"/>
</stream:features>

Alex

jhr

2011-10-18, 08:42 #5

Member since Oct 2011 · 4 posts
Group memberships: Members

Show profile ·

Link to this post

Ok Alex, I did what you expected. I have enabled the log and this is what I get ...

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="vm-callisto-gis" version="1.0" >

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="vm-callisto-gis" id="18916da0" xml:lang="en" version="1.0" >

<stream:features xmlns:stream="http://etherx.jabber.org/streams">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>ANONYMOUS</mechanism>
</mechanisms>
<compression xmlns="http://jabber.org/features/compress">
    <method>zlib</method>
</compression>
<auth xmlns="http://jabber.org/features/iq-auth" />
<register xmlns="http://jabber.org/features/iq-register" />
</stream:features>

<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />

<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="vm-callisto-gis" version="1.0" >

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="vm-callisto-gis" id="18916da0" lang="en" version="1.0" >

<stream:features xmlns:stream="http://etherx.jabber.org/streams">
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>ANONYMOUS</mechanism>
</mechanisms>
<compression xmlns="http://jabber.org/features/compress">
    <method>zlib</method>
</compression>
<auth xmlns="http://jabber.org/features/iq-auth" />
<register xmlns="http://jabber.org/features/iq-register" />
</stream:features>

<auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">AAA=</auth>

</stream:stream>

</stream:stream>

Alex

2011-10-18, 08:58 #6

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

your server is configured only for username and password login.
In your connection code you don't set the password

uncomment the following line and set a correct password.

//m_xmppClient.Password = "xx";

remove the following line because your server supports no SSO

m_xmppClient.UseSso = true;

Alex

jhr

2011-10-18, 09:08 #7

Member since Oct 2011 · 4 posts
Group memberships: Members

Show profile ·

Link to this post

Thank you, I will try to configure my OpenFire server following the tutorial here : http://community.igniterealtime.org/docs/DOC-1362

Alex

2011-10-18, 09:19 #8

Member since Feb 2003 · 4449 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

yes this is the correct tutorial. SSO and Kerberos is a very complex topic.

Alex