Solved: Shared Endpoint Lab mechanism-too-weak Error

van_staub · ‎09-20-2014

I've used a few samples with the shared endpoint lab with the same resulting error on the web console:

Exception during connection: <error><mechanism-too-weak xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/></error>

My config settings are basic and follow everything I've read elsewhere in this forum and Cisco doc.

var demoConfig = {

domain: "psdtemea.cisco.com", //the domain specified for your CUP server

httpBindingURL: "http://cup.psdtemea.cisco.com:7335/httpbinding", //the BOSH url for your server

//httpBindingURL: "https://im1.ciscowebex.com/http-bind",

unsecureAllowed: true

};

The VPN is connected and my host files contains the IP (10.10.20.20) I received in the email after reserving the lab.

I debugged the exception back to jabberwerx._handleAuthOpened(feats). From what I can tell, this may be due to the response I'm getting back from the CUP server.

POST to CUP

Response from CUP

I believe I should be getting the XML node (or similar) as part of the response:

<stream:features xmlns='jabber:client'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>WEBEX-TOKEN</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>

Since it's missing, an exception gets thrown. So why would this occur? During the reservation process, I did run the command to add the SDK for Web. I should also mention that the email I received after reserving is similar in format to the one seen in this post Can't authorize using devsandbox and sampleclient.html. The username is blank similar to the post. The result of that post was seemingly a failed setup. Is this issue a similar failure?

npetrele · ‎09-30-2014

Ok, I deleted and recreated your account. Same password (I assume it was cisco1234, the standard password). I logged in with my sample code, and it worked for me.

View solution in original post

amoherek · ‎09-25-2014

Hi Van,

This means the authentication mechanisms supported by the client and those reported by the server do not match. Since it is recommended to use an HTTPS binding URL. can you try using HTTPS and setting unsecureAllowed to false?

Thanks,

Adrienne

amoherek · ‎09-25-2014

Hi Van,

I spoke too soon before verifying. I don't think the Sandbox is setup for secure.

Thanks,

Adrienne

van_staub · ‎09-25-2014

Adrienne, yes that is certainly doable in my code. What is the SSL port? The HTTP port is 7335 given the URL http://cup.psdtemea.cisco.com:7335/httpbinding. The implicit 443 port does not work, for example, https://cup.psdtemea.cisco.com/httpbinding.

npetrele · ‎09-25-2014

There may be a problem with the cup server or pub-local server configuration. My demo programs which used to work fine no longer work. I get an authentication error. We'll look into it.

npetrele · ‎09-25-2014

Give it another try. I changed a configuration setting on the server and my demo programs work again.

van_staub · ‎09-26-2014

Re-tested. The behavior is better, but still getting an error. This was tested with the jabberUIDemo.html and CAXL-debug-2014.04.10787/doc/examples/sampleclient.html.

POST request:

<body xmlns="http://jabber.org/protocol/httpbind" xml:lang="en-US" xmlns:xmpp="urn:xmpp:xbosh" hold="1" ver="1.9" to="psdtemea.cisco.com" wait="30" xmpp:version="1.0" from="van_staub@psdtemea.cisco.com" rid="985027942"/>

POST response:

<body authid='839F3E897' inactivity='60' polling='5' requests='2' secure='true' sid='839F3E897' ver='1.8' wait='30' xmlns='http://jabber.org/protocol/httpbind' xmlns:stream='http://etherx.jabber.org/streams'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>CISCO-VTG-TOKEN</mechanism><hostname xmlns='urn:xmpp:domain-based-name:0'>cup.psdtemea.cisco.com</hostname></mechanisms></stream:features></body>

POST request:

<body xmlns="http://jabber.org/protocol/httpbind" sid="A7F05FE5F" rid="2762108986"><auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AHZhbl9zdGF1YgBjaXNjbzEyMzQ=</auth></body>

POST response:

What I find interesting about this is the Base64 value: AHZhbl9zdGF1YgBjaXNjbzEyMzQ=

If you decode that, it's van_staubcisco1234. Normally in a basic auth header you'd delimit with a colon. But this is all handled in the SDK, which I've not modified. What's the format of your auth value?

npetrele · ‎09-29-2014

Yes, I've seen this problem with the Jabber UI code before. I don't have an answer for it, and I haven't gotten an answer from the Jabber UI developers. I don't recommend the Jabber UI approach anyway, but that's just my personal preference. It's easier and more reliable to do the authentication yourself. Give my demo app (attached) a try, and view the code there. jQuery UI is easier to customize (and prettier, IMO).

van_staub · ‎09-29-2014

Thanks, Nicholas. Same error with your code. Presumably, the reservation isn't adding my account ID to the CUP server. This seems to be the same issue that happened with Re: A question about using Jabber API on a sandbox server. Using your code, I can authenticate with the name:password pair listed in that forum thread.

The delimiter theory I had is incorrect, since I can see the same behavior with the working user ID. I guess you don't need a delimiter if you also know the username. You can then compute the password starting point of the base64 decoded string using the number of chars in the username.

npetrele · ‎09-30-2014

Yes, I've seen that problem before (the reservation not creating the user correctly). I'll have a look at it and fix it if I can. I assume your username is van_staub, right?

npetrele · ‎09-30-2014

Ok, I deleted and recreated your account. Same password (I assume it was cisco1234, the standard password). I logged in with my sample code, and it worked for me.