
How To: Video on setting up SSO/AD with Openfire


#1

Warning…this video is pretty boring! This was my first attempt at creating a “how to” video. Hopefully someone will find it useful. The video only covers some basics. As Guus has stated in his video: “…This video is intended as a demo that you can use to base your own process on. Don’t blindly follow these instructions, without giving thought to security, interoperability and performance.”

Use at your own risk!

feel free to use this as a reference as well


#2

That looks too easy :smiley: Anyway, it wasn’t boring. I have learned a few things. You should have probably mentioned you were using the x64 version with JRE bundled, so one using x86 won’t be looking for Openfire in regular Program Files, etc. Maybe I saw some other places to clarify, but nothing major. Good guide :wink:
Btw, I see Xen being used for virtualization. That’s what Amazon uses?


#3

Hey speedy,

I tried your HowTo.
The LDAP connection worked fine; now I tried setting up SSO, but it doesn’t work for me.

My configs:

krb5.ini in C:/Windows:

[libdefaults]
    default_realm = XXX.NET

[realms]
    XXX.NET = {
        kdc = codc1.xxx.net
        admin_server = codc1.xxx.net
        default_domain = xxx.net
    }

[domain_realm]
    xxx.net = XXX.NET
    .xxx.net = XXX.NET
gss.conf in C:\Program Files\Openfire\conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="XXX.NET"
    principal="xmpp/xmpp.xxx.net"
    debug=true;
};

Openfire server settings: (screenshot)

Spark settings: (screenshot)

When I try to log in, I get the following answer: (screenshot)

Do you have any idea?

Thank you!!
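The two files in the post above are easy to get subtly wrong (a section header glued onto a closing brace, a misspelled section name, a stray `;` that ends the JAAS entry early). The following is an added example, not code from this thread or from Openfire: an offline checker that parses a krb5.ini and a gss.conf as text and reports these structural mistakes. The sample inputs are constructed to mirror the post; the realm and host names are placeholders.

```python
"""Offline sanity checks for the two files behind Openfire/Spark SSO:
the Kerberos client config (krb5.ini) and the JAAS login config (gss.conf).
Added example; it is not code from this thread or from Openfire.  It only
inspects the text and never contacts a KDC.  Sample inputs are constructed."""
import re

# Section names that MIT krb5 and the JDK's krb5 config parser understand.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "capaths",
                  "appdefaults", "kdcdefaults", "dbmodules", "plugins"}


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}; a realm block becomes a nested
    dict whose values are lists, because 'kdc' may repeat.  Returns (conf, problems)."""
    conf, problems, section, block = {}, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("}"):                   # end of a realm block
            block = None
            line = line[1:].strip()
            if not line:
                continue
            # e.g. "} [domain_realm]": the next section header got glued on
            problems.append(f"text after closing brace, put it on its own line: {raw.strip()!r}")
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            problems.append(f"setting outside any [section]: {line!r}")
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf, problems


def check_krb5(text):
    """Return a list of problems; an empty list means the file looks consistent."""
    conf, problems = parse_krb5(text)
    for name in conf:
        if name not in KNOWN_SECTIONS:
            hint = " (did you mean [domain_realm]?)" if name == "domain_realms" else ""
            problems.append(f"unknown section [{name}]{hint}")
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append(f"default_realm {default} has no entry in [realms]")
    for realm, settings in realms.items():
        if realm != realm.upper():
            problems.append(f"realm name {realm} should be upper-case")
        if not isinstance(settings, dict) or not settings.get("kdc"):
            problems.append(f"realm {realm} defines no kdc")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {host} to undefined realm {realm}")
    return problems


def check_jaas(text):
    """Flag the classic gss.conf mistake: a ';' after an option in the middle of
    an entry ends the entry there, so the options after it are a parse error.
    Assumes option values contain no ';' themselves."""
    problems = []
    for m in re.finditer(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        name, body = m.group(1), m.group(2).strip()
        if not body.endswith(";"):
            problems.append(f"entry {name}: the last option must end with ';'")
        if ";" in body[:-1]:
            problems.append(f"entry {name}: a ';' ends the entry before '}}'; only the last option takes ';'")
    return problems


# Constructed inputs: the broken forms mirror the post, the fixed forms repair them.
BROKEN_KRB5 = """\
[libdefaults]
    default_realm = XXX.NET

[realms]
    XXX.NET = {
        kdc = codc1.xxx.net
        admin_server = codc1.xxx.net
        default_domain = xxx.net
    } [domain_realms]
    xxx.net = XXX.NET
    .xxx.net = XXX.NET
"""
FIXED_KRB5 = BROKEN_KRB5.replace("} [domain_realms]", "}\n\n[domain_realm]")

BROKEN_JAAS = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true doNotPrompt=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    realm="XXX.NET"
    principal="xmpp/xmpp.xxx.net";
    debug=true;
};
"""
FIXED_JAAS = BROKEN_JAAS.replace('xxx.net";', 'xxx.net"')

if __name__ == "__main__":
    for label, result in (("krb5 broken", check_krb5(BROKEN_KRB5)), ("krb5 fixed", check_krb5(FIXED_KRB5)),
                          ("jaas broken", check_jaas(BROKEN_JAAS)), ("jaas fixed", check_jaas(FIXED_JAAS))):
        print(label, "->", result or "OK")
```

Run it against your own files with `check_krb5(open(r"C:\Windows\krb5.ini").read())`; an empty list only means the files are structurally sane. Whether the KDC host actually resolves (the `UnknownHostException` seen later in this thread) is a DNS question the checker deliberately leaves to `nslookup`.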


#4

Did you remember to make the registry edit on the workstation? Try running Spark “as administrator”.
If using the included Openfire self-signed certificate, make sure Spark is set to accept all certificates.


#5

Hello speedy,

thank you for your reply.
Yes, the registry edit is done. Started Spark as administrator too.
I’m using the included Openfire certificate; Spark is set to accept all certificates in the advanced options.

Today I will restart the Openfire server and the workstation and try it again. I will contact you with the result.

Thanks, see you.


#6

So, I tried it again now after a restart. I got the same result. (screenshot)

Here is my registry entry on the workstation. (screenshot)

Advanced options about certificates. (screenshot)

Any ideas?

Thanks :slight_smile:

EDIT:

warn.log.0 says:

Feb 06, 2018 2:38:42 PM org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:373)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1131)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:894)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:138)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
	... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 12 more
Caused by: java.net.UnknownHostException: codc1.xxx.net
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.security.krb5.internal.TCPClient.<init>(Unknown Source)
	at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.sendIfPossible(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 15 more

#7

Do you have a system property called xmpp.fqdn?
If not, please add it, with a value that matches the CNAME/DNS record you used for your XMPP server.
For example:
xmpp.fqdn xmpp.XXX.net


#8

Yes, I have.

My DNS record: (screenshot)

And the xmpp.fqdn on the Openfire server: (screenshot)

Update:
Old login window: (screenshot)

New: (screenshot)


#9

If you followed the video, then you likely have a CNAME xmpp.XXX.net that points to coof029.xxxxx.xxx. If so, use the CNAME for this value.


#10

OK, I made a mistake: I don’t have a CNAME.
I created it now.

Still getting the same error message… but maybe I should check the video one more time, now that I realized the CNAME was missing.


#11

I followed the video, but I’m having issues as well. I know it’s DNS related; I get this error:

The following addresses failed: ‘_xmpp-client._tcp.dc02.xxx:5222’ failed because javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name ‘_xmpp-client._tcp.dc02.xxx’, ‘dc02.xxx:5222’ failed because java.net.ConnectException: Connection timed out: connect
at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:255)

My server properties are:
XMPP Domain Name: dc02.xxx

Environment
Server Host Name: dc02.xxx

I have added the SRV records just as the video stated, but I didn’t use “externaldomain.com”, I used my local domain zone.

SRV record:
Domain: xxx.xxx
Service: xmpp-client
Protocol: _tcp
Port Number: 5222
Host offering service: xmpp.xxx

CNAME:
Alias: xmpp
FQDN: xmpp.xxx
FQDN Target: dc02.xxx

What am I doing wrong?


#12

Abashi, I have replied on your other thread. Your XMPP domain and fqdn are wrong in Openfire. It shouldn’t be your server’s name.
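Posts #7, #9, #11 and #12 together spell out a set of naming rules: the XMPP domain is the DNS zone, not the server’s host name; the `_xmpp-client._tcp` SRV record lives under that zone and points at a CNAME; and `xmpp.fqdn` matches that CNAME, which in turn points at the Openfire host. The following is an added example, not code from this thread or from Openfire, that encodes those rules as a consistency check over a constructed record set (`corp.example`, `srv01`, `xmpp.corp.example` are placeholders) so it runs offline; the second run reproduces the mismatch from post #11.

```python
"""Consistency check of the names involved in Openfire SSO: the XMPP domain,
the xmpp.fqdn property, the _xmpp-client SRV record and the CNAME it points at.
Added example, not code from this thread or from Openfire; it encodes the rules
given in the thread.  The record set is a constructed dict so the check runs
offline; feed it the output of a zone export to use it on a real setup."""

XMPP_CLIENT_PORT = 5222


def _norm(name):
    """Lower-case and drop a trailing dot so 'Xmpp.Corp.Example.' == 'xmpp.corp.example'."""
    return name.lower().rstrip(".")


def check_names(xmpp_domain, xmpp_fqdn, server_host, records):
    """records maps (owner, rrtype) -> data: SRV -> (target, port), CNAME -> target.
    Returns a list of problems; an empty list means the names agree with each other."""
    d, f, h = (_norm(n) for n in (xmpp_domain, xmpp_fqdn, server_host))
    problems = []
    if d == h:
        problems.append(f"XMPP domain {d} is the server's host name; use the DNS zone (the AD domain) instead")
    if f == h:
        problems.append(f"xmpp.fqdn {f} is the server's host name; it should be the service CNAME")
    srv_name = f"_xmpp-client._tcp.{d}"
    srv = records.get((srv_name, "SRV"))
    if srv is None:
        problems.append(f"no SRV record {srv_name}; clients cannot discover the server for domain {d}")
    else:
        target, port = srv
        if _norm(target) != f:
            problems.append(f"SRV target {target} differs from xmpp.fqdn {f}; both must name the same CNAME")
        if port != XMPP_CLIENT_PORT:
            problems.append(f"SRV port {port} is not the client port {XMPP_CLIENT_PORT}")
    cname = records.get((f, "CNAME"))
    if cname is None:
        problems.append(f"{f} has no CNAME pointing at the Openfire host")
    elif _norm(cname) != h:
        problems.append(f"CNAME {f} points at {cname}, not at the Openfire host {h}")
    return problems


# Constructed placeholder zone: AD domain corp.example, Openfire on srv01,
# a service alias xmpp.corp.example and an SRV record pointing at the alias.
ZONE = {
    ("_xmpp-client._tcp.corp.example", "SRV"): ("xmpp.corp.example", 5222),
    ("xmpp.corp.example", "CNAME"): "srv01.corp.example",
}

if __name__ == "__main__":
    # The layout the thread recommends: nothing to report.
    print("good:", check_names("corp.example", "xmpp.corp.example", "srv01.corp.example", ZONE) or "OK")
    # The layout from post #11: XMPP domain and xmpp.fqdn both set to the server name.
    for p in check_names("srv01.corp.example", "srv01.corp.example", "srv01.corp.example", ZONE):
        print("bad: -", p)
```

The check stops at name agreement on purpose: if it passes but Spark still fails with `UnknownHostException`, the KDC name in krb5.ini or the workstation’s resolver is the next thing to look at, not the Openfire properties.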