How To: Video on setting up SSO/AD with Openfire

speedy 2017-10-16 05:46:22 UTC #1

Warning…this video is pretty boring! This was my first attempt at creating a “how to” video. Hopefully someone will find it useful. The video only covers some basics. as Guus has stated in his video “…This video is intended as a demo that you can use to base your own process on. Don’t blindly follow these instructions, without giving thought to security, interoperability and performance.”

Use at your own risk!

feel free to use this as a reference as well

New install of openfire / spark, Spark wont connect

Clients randomly disconnecting from OpenFire

Need help setting up Openfire for SSO (Kerberos/GSSAPI) authentication againts Active Directory

Openfire+Spark+SSO is not working

Unknown Connection Error. Please review the logs for more information

Spark Configuration

How to configure sso in spark 2.8.x

wroot 2017-10-16 18:29:31 UTC #2

That looks too easy Anyway, it wasn’t boring. I have learned a few things. You should have probably mentioned you were using x64 version with JRE bundled, so one using x86 won’t be looking for Openfire in regular Program files, etc. Maybe i saw some other places to clarify, but nothing major. Good guide
Btw, i see Xen being used for virtualization. That’s what Amazon uses?

coenen 2018-02-02 13:42:53 UTC #3

Hey speedy,

i tried your HowTo.
The LDAP-Connection worked fine, now i tried to setting up SSO, but i dont work for me.

My configs:

krb5.ini in C:/Windows:
[libdefaults]
    default_realm = XXX.NET

[realms]
    XXX.NET = {
        kdc = codc1.xxx.net
        admin_server = codc1.xxx.net
        default_domain = xxx.net


    } [domain_realms]
    xxx.net = XXX.NET
    .xxx.net = XXX.NET

gss.conf in C:\Program Files\Openfire\conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="XXX.NET"
    principal="xmpp/xmpp.xxx.net";
    debug=true;
};

Openfire Serversettings:

Spark-Settings:

When i try to LogIn, i got following answer:

Do you have any idea?

Thank you!!

speedy 2018-02-02 16:44:10 UTC #4

Did you remember to make the registry edit on the workstation? Try running spark "as administrator"
If using the included openfire self-signed certification, make sure spark is set to accept all certificates.

coenen 2018-02-05 15:26:10 UTC #5

Hello speedy,

thank u for ur reply.
Yes, the registry edit is done. Started Spark as administrator too.
Im using the included openfire certification, spark is set to accept all certificates in advanced options.

Today i will restart the openfireserver and workstation and try it again. I will contact you with the result.

Thanks, see u.

coenen 2018-02-06 09:19:48 UTC #6

So, i tried it now after a restart again. I got the same result.

Here is my registry entry on the workstation.

Advanced options about certificates.

Any ideas?

Thanks

EDIT:

warn.log.0 says:

Feb 06, 2018 2:38:42 PM org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:373)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1131)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:894)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:138)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
	... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 12 more
Caused by: java.net.UnknownHostException: codc1.xxx.net
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.security.krb5.internal.TCPClient.<init>(Unknown Source)
	at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.sendIfPossible(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 15 more

speedy 2018-02-06 14:16:38 UTC #7

do you have a system property called xmpp.fqdn?
if not, please add it, with a value that matches your cname/dns record you used for your xmpp server.
for example:
xmpp.fqdn xmpp.XXX.net

coenen 2018-02-06 14:24:49 UTC #8

yes, i have.

my dns record:

and the xmpp.fqdn on openfire-server:

update:
old-login-window:

new:

speedy 2018-02-06 14:51:37 UTC #9

If you followed the video, than you likely have a cname xmpp.XXX.net that points to coof029.xxxxx.xxx. If so, use the cname for this value.

coenen 2018-02-06 15:41:19 UTC #10

Ok, i did a mistake - i dont have a cname.
I created it now.

still get the same error message… but maybe i shoud check the video a one more time, after i realized that missing cname.

Abashi 2018-02-08 21:22:54 UTC #11

I followed the video, but I’m having issues as well. I know it DNS related, I get this error:

he following addresses failed: ‘_xmpp-client._tcp.dc02.xxx:5222’ failed because javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name ‘_xmpp-client._tcp.dc02.xxx’, ‘dc02.xxx:5222’ failed because java.net.ConnectException: Connection timed out: connect
at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:255)

My server properties are
XMPP Domain Name- dc02.xxx

Environment
Server Host Name: dc02.xxx

I have added the SRV records just as the video stated, but I didn’t use “externaldomain.com”, I used my local domain zone.

SRV Record:
Domain: xxx.xxx
Service: xmpp-client
Protocol: _tcp
Port Number 5222
Host offering service: xmpp.xxx

CNNAME:
Alisa: xmpp
FQDB: xmpp.xxx
FQDN Target: dc02.xxx

What am I doing wrong?

wroot 2018-02-08 21:26:35 UTC #12

Abashi, i have replied on your other thread. Your xmpp domain and fqdn are wrong in Openfire. It shouldn’t be your server’s name.

Ignite Realtime