How To: Video on setting up SSO/AD with Openfire

Warning… this video is pretty boring! This was my first attempt at creating a "how to" video. Hopefully someone will find it useful. The video only covers some basics. As Guus has stated in his video: "…This video is intended as a demo that you can use to base your own process on. Don't blindly follow these instructions without giving thought to security, interoperability and performance."

Use at your own risk!

Feel free to use this as a reference as well.


That looks too easy :smiley: Anyway, it wasn't boring. I have learned a few things. You should probably have mentioned you were using the x64 version with the JRE bundled, so someone using x86 won't be looking for Openfire in the regular Program Files, etc. Maybe I saw some other places to clarify, but nothing major. Good guide :wink:
Btw, I see Xen being used for virtualization. That's what Amazon uses?

Hey speedy,

I tried your HowTo.
The LDAP connection worked fine; now I tried setting up SSO, but it doesn't work for me.

My configs:

krb5.ini in C:\Windows:
[libdefaults]
    default_realm = XXX.NET

[realms]
    XXX.NET = {
        kdc = codc1.xxx.net
        admin_server = codc1.xxx.net
        default_domain = xxx.net
    }

# the section is named [domain_realm] (singular); a [domain_realms] section is silently ignored
[domain_realm]
    xxx.net = XXX.NET
    .xxx.net = XXX.NET
gss.conf in C:\Program Files\Openfire\conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="XXX.NET"
    principal="xmpp/xmpp.xxx.net";
    debug=true;
};

Openfire server settings: [screenshot]

Spark settings: [screenshot]

When I try to log in, I get the following answer: [screenshot]

Do you have any idea?

Thank you!!

Did you remember to make the registry edit on the workstation? Try running Spark "as administrator".
If using the included Openfire self-signed certificate, make sure Spark is set to accept all certificates.

Hello speedy,

Thank you for your reply.
Yes, the registry edit is done. Started Spark as administrator too.
I'm using the included Openfire certificate; Spark is set to accept all certificates in the advanced options.

Today I will restart the Openfire server and the workstation and try it again. I will contact you with the result.

Thanks, see you.

So, I tried it again after a restart. I got the same result.
[screenshot]
Here is my registry entry on the workstation.

[screenshot]
Advanced options about certificates.

Any ideas?

Thanks :slight_smile:

EDIT:

warn.log.0 says:

Feb 06, 2018 2:38:42 PM org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:373)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1131)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:894)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:138)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
	... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 12 more
Caused by: java.net.UnknownHostException: codc1.xxx.net
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.security.krb5.internal.TCPClient.<init>(Unknown Source)
	at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.sendIfPossible(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 15 more
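The trace above ends in java.net.UnknownHostException for the KDC named in krb5.ini, which is a name-resolution problem on the workstation rather than a Kerberos one. The script below is an added example, not part of the original thread, that checks from the Spark workstation the things this thread keeps circling back to: that the KDC resolves and answers on port 88, that the CNAME and SRV records exist and agree, that the SPN is registered on exactly one AD account, that the "registry edit" mentioned above (AllowTgtSessionKey) is in place, and that the logged-on user can actually obtain a service ticket for the xmpp SPN. The realm, KDC and xmpp names are the placeholders used in the thread; it assumes a domain-joined Windows 8.1/10 workstation with Windows PowerShell 5.1 (Test-NetConnection is not on Windows 7).

```powershell
# Added example: Spark-workstation pre-flight for Openfire SSO (not from the original thread).
# Run in an elevated Windows PowerShell on the domain-joined workstation that will run Spark.
# Placeholders below are the ones used in the thread; substitute your own values.
$Realm      = 'XXX.NET'          # default_realm in krb5.ini (Kerberos realms are upper case)
$Kdc        = 'codc1.xxx.net'    # kdc = ... in krb5.ini
$XmppDomain = 'xxx.net'          # Openfire xmpp.domain (the part after @ in the JIDs)
$XmppFqdn   = 'xmpp.xxx.net'     # Openfire xmpp.fqdn; a CNAME to the Openfire host
$Spn        = "xmpp/$XmppFqdn"   # principal in gss.conf and in the keytab

$problems = [System.Collections.Generic.List[string]]::new()

# 1. Who is logged on? SSO only works for a domain logon that already holds a TGT.
if (-not $env:USERDNSDOMAIN) {
    $problems.Add('logged on with a local account; there is no TGT to reuse')
} elseif ($env:USERDNSDOMAIN -ne $Realm) {
    $problems.Add("logon domain $env:USERDNSDOMAIN differs from default_realm $Realm")
}

# 2. The KDC named in krb5.ini must resolve and answer on TCP 88.
#    'java.net.UnknownHostException: codc1.xxx.net' in the trace means this step fails.
try {
    $kdcA = Resolve-DnsName -Name $Kdc -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
    "KDC $Kdc -> $($kdcA.IPAddress -join ', ')"
    if (-not (Test-NetConnection -ComputerName $Kdc -Port 88 -InformationLevel Quiet)) {
        $problems.Add("TCP 88 to $Kdc is blocked")
    }
} catch { $problems.Add("KDC $Kdc does not resolve: $($_.Exception.Message)") }

# 3. xmpp.fqdn must resolve, and the client SRV record must hand out that same name,
#    so that the SPN the client asks a ticket for is the one whose key is in the keytab.
try {
    $chain = Resolve-DnsName -Name $XmppFqdn -ErrorAction Stop |
        ForEach-Object { if ($_.Type -eq 'CNAME') { $_.NameHost } elseif ($_.Type -eq 'A') { $_.IPAddress } }
    "$XmppFqdn -> $($chain -join ' -> ')"
} catch { $problems.Add("xmpp.fqdn $XmppFqdn does not resolve") }
try {
    $srv = Resolve-DnsName -Name "_xmpp-client._tcp.$XmppDomain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV'
    $srv | ForEach-Object { "SRV _xmpp-client._tcp.$XmppDomain -> $($_.NameTarget):$($_.Port)" }
    if (-not ($srv | Where-Object { $_.NameTarget -ieq $XmppFqdn })) {
        $problems.Add("SRV target is not $XmppFqdn; the SPN in the keytab will not match")
    }
} catch { $problems.Add("no SRV record _xmpp-client._tcp.$XmppDomain") }

# 4. Exactly one AD account must carry the SPN (plain ADSI search, no RSAT needed).
try {
    $hits = @(([adsisearcher]"(servicePrincipalName=$Spn)").FindAll())
    switch ($hits.Count) {
        0       { $problems.Add("SPN $Spn is not registered on any account (ktpass -mapuser / setspn -S)") }
        1       { "SPN $Spn -> $($hits[0].Properties['samaccountname'][0])" }
        default { $problems.Add("SPN $Spn is duplicated on $($hits.Count) accounts; tickets may be issued for the wrong key") }
    }
} catch { $problems.Add("SPN lookup failed: $($_.Exception.Message)") }

# 5. Java can only reuse the Windows TGT if LSA is allowed to export its session key.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$allow = (Get-ItemProperty -Path $lsa -Name AllowTgtSessionKey -ErrorAction SilentlyContinue).AllowTgtSessionKey
if ($allow -ne 1) {
    $problems.Add("AllowTgtSessionKey is not 1 under $lsa; Krb5LoginModule gets no usable TGT (reboot after setting it)")
}

# 6. Ask the KDC for a service ticket for the SPN, which is what Spark's GSSAPI mechanism does.
$klist = klist get $Spn 2>&1 | Out-String
if ($klist -match "Server:\s*$([regex]::Escape($Spn))") {
    "service ticket for $Spn obtained"
    if ($klist -match 'KerbTicket Encryption Type:\s*(.+)') {
        "ticket etype: $($Matches[1].Trim()) (the keytab must contain a key of this type)"
    }
} else {
    $problems.Add("klist get $Spn failed: $($klist.Trim())")
}

''
if ($problems.Count) { 'PROBLEMS:'; $problems | ForEach-Object { " - $_" } } else { 'all pre-flight checks passed' }
```

Steps 2 and 3 are the ones that explain the two traces in this thread: an unresolvable KDC gives UnknownHostException, while a name mismatch between SRV target, xmpp.fqdn and the SPN gives "No valid credentials" even though the user holds a perfectly good TGT. Step 6 is the quickest isolation test: if klist can get a ticket for xmpp/… but Spark still fails, the problem is on the Java side (registry value, krb5.ini, certificate), not in AD or DNS.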

Do you have a system property called xmpp.fqdn?
If not, please add it, with a value that matches the CNAME/DNS record you used for your XMPP server.
For example:
xmpp.fqdn = xmpp.XXX.net

Yes, I have.

My DNS record: [screenshot]

And the xmpp.fqdn on the Openfire server: [screenshot]

Update:
Old login window: [screenshot]

New: [screenshot]

If you followed the video, then you likely have a CNAME xmpp.XXX.net that points to coof029.xxxxx.xxx. If so, use the CNAME for this value.


OK, I made a mistake: I don't have a CNAME.
I created it now.

I still get the same error message… but maybe I should check the video one more time, now that I have realized the CNAME was missing.

I followed the video, but I'm having issues as well. I know it's DNS related; I get this error:

The following addresses failed: '_xmpp-client._tcp.dc02.xxx:5222' failed because javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_xmpp-client._tcp.dc02.xxx', 'dc02.xxx:5222' failed because java.net.ConnectException: Connection timed out: connect
at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:255)

My server properties are
XMPP Domain Name- dc02.xxx

Environment
Server Host Name: dc02.xxx

I have added the SRV records just as the video stated, but I didn’t use “externaldomain.com”, I used my local domain zone.

SRV record:
Domain: xxx.xxx
Service: xmpp-client
Protocol: _tcp
Port number: 5222
Host offering service: xmpp.xxx

CNAME:
Alias: xmpp
FQDN: xmpp.xxx
FQDN target: dc02.xxx

What am I doing wrong?

Abashi, i have replied on your other thread. Your xmpp domain and fqdn are wrong in Openfire. It shouldn’t be your server’s name.

Nice, detailed video, but I’d never want my installation to be accessible from an external domain. What changes would I need to make to do this without using an external domain?

Speedy might comment on the keytab file part, but I guess you do everything the same, just use your internal domain instead of the external one (it is only an example here). So your SRV record would point to xmpp.irt.local. The SPN will probably look like xmpp/xmpp.irt.local@irt.local, and so on.

That is correct. Just substitute with your internal domain. Keep in mind, just because you are using your external domain as your XMPP domain doesn't mean it will be accessible from the outside. For external access you'd still need external DNS setup and firewall rules to allow the traffic. I like to use my external domain as my XMPP domain for many reasons. Mainly so that my users' email addresses and their JIDs are the same. This simplifies things for them. It will also allow you to more easily federate or allow for external access in the future, should you choose to do so.
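For the internal-domain variant discussed in the last few replies, the records the video creates by hand can be scripted on the Windows DNS server. This is an added example, not from the video or the thread. It keeps the naming rule given above: the XMPP domain is the DNS zone (so JIDs look like user@irt.local), the server's own host name is never used as the XMPP domain, and xmpp.fqdn is a CNAME that the SRV record points at. The zone irt.local is taken from the reply above; the Openfire host name openfire01.irt.local, and running the DnsServer module on the DNS server itself, are assumptions.

```powershell
# Added example (not from the video or thread): DNS records for Openfire SSO on an internal Windows zone.
# Run as a DNS admin on the Windows DNS server (the DnsServer module ships with the DNS role / RSAT).
Import-Module DnsServer

$Zone         = 'irt.local'               # = Openfire xmpp.domain; JIDs become user@irt.local
$OpenfireHost = 'openfire01.irt.local'    # real host (A record) running Openfire (assumed name)
$Alias        = 'xmpp'                    # $Alias.$Zone = Openfire xmpp.fqdn = host part of the SPN
$XmppFqdn     = "$Alias.$Zone"

# Sanity: the XMPP domain is the zone, not the server's host name (see the reply to Abashi above),
# and the real host must already exist before an alias can point at it.
if ($OpenfireHost -ieq $Zone) { throw 'xmpp.domain must be the zone, not the Openfire host name' }
if (-not (Resolve-DnsName -Name $OpenfireHost -Type A -ErrorAction SilentlyContinue)) {
    throw "$OpenfireHost has no A record; create it first"
}

# CNAME  xmpp.irt.local -> openfire01.irt.local
# Clients, the SPN and the keytab all use the alias, so the Openfire box can later be
# moved or renamed without touching Kerberos.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $OpenfireHost
}

# SRV  _xmpp-client._tcp.irt.local -> xmpp.irt.local:5222  (what Spark 2.8+ looks up)
# SRV  _xmpp-server._tcp.irt.local -> xmpp.irt.local:5269  (only needed for server-to-server / federation)
foreach ($svc in @(@{ Name = '_xmpp-client._tcp'; Port = 5222 }, @{ Name = '_xmpp-server._tcp'; Port = 5269 })) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $svc.Name -RRType Srv -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $svc.Name `
            -DomainName $XmppFqdn -Priority 0 -Weight 5 -Port $svc.Port
    }
}

# Verify from the DNS server's point of view; run the same two queries on a workstation as well.
Resolve-DnsName -Name $XmppFqdn | Format-Table Name, Type, NameHost, IPAddress -AutoSize
Resolve-DnsName -Name "_xmpp-client._tcp.$Zone" -Type SRV |
    Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize

# Matching Openfire system properties (set in the admin console):
#   xmpp.domain = irt.local
#   xmpp.fqdn   = xmpp.irt.local
# and the principal to put in the keytab and gss.conf: xmpp/xmpp.irt.local@IRT.LOCAL
```

The one thing to carry over from the external-domain version of the video is consistency rather than any particular name: the SRV target, xmpp.fqdn and the host part of the SPN must be the same string, and the realm in the principal is the upper-case form of the AD domain regardless of how the DNS zone is spelled.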

Thanks. I think I got it to work. Of course, I then realized that 80% of my users are still using the 2.7.x client, so they won't connect to the new setup using DNS. The next couple of days will be spent upgrading all the PCs in my network to the newer 2.8 client. I appreciate the quick response; it was a big help.

Do you have a higher-resolution version of the same video?
Some text details cannot be seen.

thanks

I'm afraid not. I made that video a while ago.

I made an account specifically for this problem. I have tried for years to get this to work. It still does not work, but I feel like this is the closest I have gotten. Is there any way you or someone can help me get this to work?

I have configured the following:

spark.domain.local is in DNS as a forward lookup zone in Windows DNS, with an A record for the FQDN spark.domain.local pointing to the Openfire server (which is a DC as well) and a PTR record as well. I have an SRV record _xmpp-client pointed at domain spark.domain.local, host openfireserver.domain.local, port 5222.

My gss.conf is as follows:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.LOCAL"
    // the realm part of the principal is case-sensitive and must match realm= and the keytab entry
    principal="xmpp/spark.domain.local@DOMAIN.LOCAL";
    debug=true;
};

My krb5.ini:
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = openfire.domain.local
        admin_server = openfire.domain.local
        default_domain = domain.local
    }

# the section is named [domain_realm] (singular); a [domain_realms] section is silently ignored
[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL

I made a keytab file as in this video with accounts in AD.
I added server properties:
sasl.realm = DOMAIN.LOCAL
sasl.gssapi.useSubjectCredsOnly = false
xmpp.domain = spark.domain.local (This was already there)
xmpp.fdqn = spark.domain.local

I get this error:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:127)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:193)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:157)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:202)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginInternal(XMPPTCPConnection.java:403)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:546)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1128)
at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:370)
at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:910)
at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:139)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:124)
… 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 19 more

Please tell me what I am doing wrong. I have krb5.ini in the Windows dir of the Openfire server / DC. I have the keytab in the resources dir of Openfire, and the gss.conf in the Openfire conf dir. These are written exactly this way, with the exception of the actual domain name, for security purposes.
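Taking the names from the post above (realm DOMAIN.LOCAL, xmpp.fqdn spark.domain.local, Openfire running on the DC), this is an added example, not the poster's or the video's own procedure, of creating the acceptor identity on the domain controller: a dedicated service account restricted to AES, the SPN, a keytab written by ktpass with a random password that never has to be typed anywhere, a key listing with the ktab tool from the JRE bundled with Openfire, and a gss.conf whose realm spelling matches the keytab. The account name xmpp-svc, the output paths, and the bundled-JRE location under C:\Program Files\Openfire\jre are assumptions.

```powershell
# Added example (not from the post or the video): AD account, SPN, keytab and gss.conf for the Openfire GSSAPI acceptor.
# Run as a Domain Admin in Windows PowerShell on a DC (ktpass.exe is part of Windows Server; needs the ActiveDirectory module).
Import-Module ActiveDirectory

$Realm        = 'DOMAIN.LOCAL'                 # upper case everywhere a realm appears
$XmppFqdn     = 'spark.domain.local'           # = xmpp.fqdn = CNAME/SRV target
$Spn          = "xmpp/$XmppFqdn"
$Principal    = "$Spn@$Realm"                  # goes into gss.conf principal="..."
$Svc          = 'xmpp-svc'                     # assumed service account name
$NetBios      = (Get-ADDomain).NetBIOSName
$KeytabOut    = 'C:\temp\xmpp.keytab'          # assumed scratch path
$OpenfireHome = 'C:\Program Files\Openfire'    # assumed install path; Openfire runs on this DC as in the post

# 1. The SPN must be unique in the forest, otherwise the KDC may encrypt tickets with the wrong key.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($dup) { throw "SPN $Spn already registered on: $($dup.DistinguishedName -join '; ')" }

# 2. Dedicated account: not a person, no interactive use, AES-only keys (no RC4 / DES).
#    The initial password is random and irrelevant; ktpass replaces it in step 3.
$buf = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force
New-ADUser -Name $Svc -SamAccountName $Svc -AccountPassword $initial -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256 `
    -Description "Openfire GSSAPI acceptor for $Principal"

# 3. ktpass registers the SPN on the account, sets a fresh random password (+rndPass) and writes
#    the keytab with the resulting AES256 key. Every run bumps the KVNO, so re-running it (or
#    resetting the account password) invalidates any keytab already deployed.
& ktpass.exe /out $KeytabOut /princ $Principal /mapuser "$NetBios\$Svc" /pass +rndPass `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Confirm what AD holds and what the keytab contains: KVNO and encryption type must agree.
#    ktab -l -e lists principal, KVNO and etype number (18 = AES256-CTS-HMAC-SHA1-96).
#    Java 8 before 8u161 also needs the unlimited JCE policy files to use AES256 at all.
Get-ADUser $Svc -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, msDS-KeyVersionNumber |
    Format-List SamAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes, msDS-KeyVersionNumber
& "$OpenfireHome\jre\bin\ktab.exe" -l -e -k $KeytabOut    # use a JDK's ktab if the bundled JRE lacks it

# 5. Deploy. The keytab is a long-term key equivalent to the account password: strip inherited
#    ACLs and leave read access only to the identity the Openfire service runs as (LocalSystem by default).
$KeytabDest = "$OpenfireHome\resources\xmpp.keytab"
Copy-Item -Path $KeytabOut -Destination $KeytabDest -Force
icacls $KeytabDest /inheritance:r /grant:r 'SYSTEM:R' 'Administrators:R' | Out-Null
Remove-Item $KeytabOut

# 6. gss.conf: JAAS strings treat backslash as an escape, hence the forward slashes in the path,
#    and realm= and the principal's realm must both be the upper-case form used by ktpass.
$KeytabJava = ($KeytabDest -replace '\\', '/')
$gss = @"
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="$KeytabJava"
    doNotPrompt=true
    useKeyTab=true
    realm="$Realm"
    principal="$Principal";
    debug=true;
};
"@
Set-Content -Path "$OpenfireHome\conf\gss.conf" -Value $gss -Encoding ASCII
# Then point Openfire at it (system properties): sasl.gssapi.config = <path to gss.conf with forward slashes>,
# sasl.mechs = GSSAPI, plus sasl.realm and sasl.gssapi.useSubjectCredsOnly = false as in the post, and restart Openfire.
```

The order matters: uniqueness check before the account exists, AES restriction before ktpass (so the key ktpass derives is the one the KDC will issue tickets for), and the ktab listing before deployment, because a KVNO or etype mismatch between AD and the keytab is the classic cause of the server side rejecting a ticket that the client obtained without error.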

It's been a while since I've set this up. I've been meaning to set up a home lab but have not yet been able to (both time and no hardware). My job role has changed, and I no longer have access to things I once did. :frowning: