Jigasi won't connect to Prosody when using hiddenDomain

Hello,

We’re trying to use Jigasi with the Google Cloud API to get CC during Jitsi meetings. So far it seems to be working; however, only the moderator can enable and see the subtitles. After the moderator starts subtitles, other conference participants neither see the transcribed text nor get the Start Subtitles menu item enabled. Plus, when the moderator starts subtitles, the Transcriber call participant is visible to every conference member.

I saw in this forum that we need to configure Jigasi to connect from a hidden domain. We’ve followed some code scripts posted by other users here to create a hidden domain; however, no matter what password we set for the Jigasi server to connect to Prosody, and no matter whether we use internal_plain or internal_hashed authentication, Jigasi cannot connect to XMPP and this error is posted to the logs:

2021-11-10 14:58:48.721 SEVERE: [38] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin().1003 Failed to connect to XMPP service
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized
        at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1100)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)

We tried both BASE64 encoded and plain text passwords for this property in jigasi sip-communicator.properties:

net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.PASSWORD

still without success.

Prosody debug log contains this:

Nov 10 14:44:28 socket  debug   server.lua: accepted new client connection from 127.0.0.1:57318 to 5222
Nov 10 14:44:28 c2s5558b4298770 info    Client connected
Nov 10 14:44:28 c2s5558b4298770 debug   Client sent opening <stream:stream> to jitsi.hiddendomain.com
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <?xml version='1.0'?>
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <stream:stream xmlns='jabber:client' xml:lang='en' version='1.0' id='63ee9644-e76d-4bc6-99ce-85c9177c80c1' from='jitsi.hiddendomain.com' xmlns:stream='http://etherx.jabber.org/streams'>
Nov 10 14:44:28 c2s5558b4298770 debug   Sent reply <stream:stream> to client
Nov 10 14:44:28 c2s5558b4298770 debug   Offering mechanism SCRAM-SHA-1
Nov 10 14:44:28 c2s5558b4298770 debug   Not offering mechanism PLAIN on insecure connection
Nov 10 14:44:28 c2s5558b4298770 debug   Should be able to do TLS but no context available
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <stream:features>
Nov 10 14:44:28 runner1iUl8Mnu  debug   creating new coroutine
Nov 10 14:44:28 c2s5558b4298770 debug   Received[c2s_unauthed]: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>
Nov 10 14:44:28 jitsi.hiddendomain.com:saslauth debug   sasl reply: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cj1VPm9yQUQvcDZtN1JEVyF+OS1DIVxZVzF+PlhgVmNzMmJiM2Y2NDQ0LTdiMWQtNDQ1OS04ZTlmLWRjY2VkZGI4OTRmMSxzPU1EbG1NalZsTmprdE9XTXpZeTAwTURneUxXRmxZalF0TXpkaE5qZzJOalZrTnpBdyxpPTQwOTY=</challenge>
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 10 14:44:28 c2s5558b4298770 debug   Received[c2s_unauthed]: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 10 14:44:28 jitsi.hiddendomain.com:saslauth debug   sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>The response provided by the client doesn&apos;t match the one we calculated.</text></failure>
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 10 14:44:28 c2s5558b4298770 debug   Received[c2s_unauthed]: <presence type='unavailable' id='i1wiP-9'>
Nov 10 14:44:28 stanzarouter    debug   Unhandled c2s_unauthed stanza: presence; xmlns=jabber:client
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: <presence id='i1wiP-9' type='error'>
Nov 10 14:44:28 c2s5558b4298770 debug   Received </stream:stream>
Nov 10 14:44:28 c2s5558b4298770 debug   Sending[c2s_unauthed]: </stream:stream>
Nov 10 14:44:28 c2s5558b4298770 debug   c2s stream for 127.0.0.1 closed: session closed
Nov 10 14:44:28 c2s5558b4298770 debug   Destroying session for (unknown) ((unknown)@jitsi.hiddendomain.com)
Nov 10 14:44:28 c2s5558b4298770 info    Client disconnected: connection closed
Nov 10 14:44:28 c2s5558b4298770 debug   Destroying session for (unknown) ((unknown)@(unknown))
Nov 10 14:44:28 socket  debug   server.lua: closed client handler and removed socket from list

Hidden domain is configured like this in prosody cfg:

VirtualHost "jitsi.hiddendomain.com"
    modules_enabled = {
        "limits_exception";
    }
    -- authentication = "internal_hashed"
    authentication = "internal_plain"
    c2s_require_encryption = "false"

Jigasi sip-communicator.properties:

net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ACCOUNT_UID=Jabber:jigasi7@jitsi.hiddendomain.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.USER_ID=jigasi7@jitsi.hiddendomain.com
net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.ALLOW_NON_SECURE=true

We used BASE64 or plain text versions below; neither works:

net.java.sip.communicator.impl.protocol.jabber.acc-xmpp-1.PASSWORD=password

Users in prosody were created with this command:

prosodyctl register jigasi7 jitsi.hiddendomain.com password

What are we doing wrong? Why can’t Jigasi authenticate against Prosody with the above setup? When we revert to the non-hidden domain user for Jigasi and the system-generated password, everything works, except that the transcriber user is visible to everyone and other conference members do not get the subtitles menu item, as mentioned above.

Any help is much appreciated because we have been bumping our heads against the wall with this for many hours already.

Thank you for your time.

Andrew
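
The Prosody failure text in the log above ("The response provided by the client doesn't match the one we calculated") is the server side of the SCRAM-SHA-1 proof check. The following Python is an added example, not part of the original post and not Prosody or Jigasi code: it recomputes the RFC 5802 client proof and shows that a client sending the base64 text of a password registered in plain text cannot match. It uses the published RFC 5802 test exchange (user "user", password "pencil") as constructed sample input, skips SASLprep (ASCII passwords assumed), and `check_login` is a hypothetical helper name.

```python
import base64
import hashlib
import hmac

# Constructed sample input: the published RFC 5802 section 5 exchange
# (user "user", password "pencil"), not values from the log above.
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_BARE = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"


def parse_attrs(message):
    """Split a SCRAM message ('r=...,s=...,i=4096') into a dict."""
    return dict(part.split("=", 1) for part in message.split(","))


def client_proof(password):
    """Base64 ClientProof for the sample exchange (no SASLprep: ASCII only)."""
    attrs = parse_attrs(SERVER_FIRST)
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA-1 with the server's salt and count.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    auth_message = ",".join((CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_BARE))
    signature = hmac.new(stored_key, auth_message.encode("utf-8"), hashlib.sha1).digest()
    proof = bytes(k ^ s for k, s in zip(client_key, signature))
    return base64.b64encode(proof).decode("ascii")


def check_login(registered_password, configured_password):
    """Hypothetical helper: True if the server's recalculated proof matches."""
    # A real server compares against its StoredKey; comparing the two proofs
    # gives the same accept/reject outcome for this fixed exchange.
    offered = client_proof(configured_password)    # what the client sends
    expected = client_proof(registered_password)   # what the server calculates
    return hmac.compare_digest(offered, expected)


if __name__ == "__main__":
    as_base64 = base64.b64encode(b"pencil").decode("ascii")
    print("proof for 'pencil':", client_proof("pencil"))
    print("same string on both sides:", check_login("pencil", "pencil"))
    print("client sends base64 text :", check_login("pencil", as_base64))
```
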

This is the xmpp connection for dial-out. This normally goes to auth.domain.com and it has nothing to do with the domain for the clients.

To be able to join with jigasi when authentication is enabled you need to set up this:

Dear @damencho thank you very much for your help! Right, I was using incorrect properties. Those you have pointed out worked. Transcriber member is now hidden in conference and non-moderator users do get that Start Subtitles button after moderator starts subtitles.

Is there any way to show subtitles to all users without them having to click on that menu item if a moderator started subtitles?

Thank you,
Andrew

No such feature, sorry.