
Openfire 2.8.3 (Debian 8 Jessie)+Spark 2.7.7 (Windows 7,8)+Windows 2012 R2 domain forest SSO Configuration Algorithm

Hello folks! Finally I want to clarify everything necessary for configuring SSO for Openfire 2.8.3 (Debian 8 Jessie) + Spark 2.7.7 (Windows 7, 8). There is a lot of confusion regarding this configuration, and some people talk about Samba configuration and about joining the Openfire server to the Windows domain. So, as I understand it, the actual configuration steps in general are as follows:

For example, we have the following Windows 2012 R2 forest domain: domain.local.

  1. During installation of Openfire, give it a name like openfire.domain.local;

  2. Install and configure MySQL Server, create a database for the Openfire server (for example, OFDB), then create a user (for example, ofdbuser) and grant this user all rights to that database;

  3. Install the krb5-user package and then configure the krb5.conf file;

  4. Download the .deb file for Openfire 3.8.2 and install it with the dpkg utility;

  5. After this, do the initial configuration of the Openfire server and connect it with LDAP. Change ownership of /var/lib/openfire to the openfire user;

  6. On a Domain Controller, in DNS, make a Host A record with a PTR record (so that not only the name resolves to the IP, but the IP is also resolvable back to the name) for the Openfire server, so that the name can be resolved by all clients on the network;

  7. On a Domain Controller, create a user (for example, of-user) with an infinite password and the "Do not require Kerberos preauthentication" option;

  8. On a Domain Controller, create an SPN (via the setspn utility) and tie it to the Openfire server's jabber domain and REALM (via the ktpass utility) using the user created in the previous step;

  9. On a Domain Controller, generate a .keytab file via the ktpass utility and transfer the resulting file to the /usr/share/openfire/resources folder of the Openfire server;

  10. On the Openfire server, change ownership of this keytab file to the openfire user;

  11. Next, on the Openfire server, in the folder /etc/openfire/ create (via touch) the file gss.conf;

  12. On the Openfire server, in System Properties add the following parameters:

sasl.gssapi.config = /etc/openfire/gss.conf

sasl.gssapi.debug = false

sasl.gssapi.useSubjectCredsOnly = false

sasl.mechs = GSSAPI

sasl.realm = DOMAIN.LOCAL

xmpp.fqdn = openfire.domain.local

  13. On the client workstation with Spark 2.7.7 installed, edit the registry with the following parameters:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

DWORD = AllowTGTSessionKey (value 1)

  14. On the client station, add a krb5.ini file in C:\Windows with the REALM and domain description.

  15. In the Spark client, tick "Use Single Sign-On (SSO) via GSSAPI" and in the server field type the DNS name of the Openfire server (for example, openfire.domain.local).

Am I right about all of these steps? Thanks in advance for all good advice!
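The keytab produced in step 9 and installed in step 10 is the piece that most often silently breaks this setup: the wrong principal in it, an unexpected kvno, an RC4 key left over from ktpass defaults, or a file that every local account can read. The script below is an added example, not code from the post or from the Openfire project. It parses the binary keytab format that ktpass writes (MIT keytab version 5.2), lists the principals and encryption types it contains, and checks the ownership and mode that steps 9 and 10 call for. The SPN form xmpp/<fqdn>@<REALM>, the account name "openfire" and the sample keytab bytes are assumptions constructed for the example; point audit_keytab and perm_findings at the real file (its bytes and os.stat result) on the server.

```python
"""Added example (not from the forum post): inspect a ktpass keytab before Openfire uses it.
Parses the MIT version-5.2 keytab format, reports principals/enctypes and checks the
ownership and mode that steps 9-10 call for. The SPN form xmpp/<fqdn>@<REALM> and the
account name "openfire" are assumptions."""
import pwd
import stat
import struct

# Kerberos enctype numbers (RFC 3961/3962/8009); 23 is RC4, the historical ktpass default.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 are the types a defender should not find

def _counted_string(buf, pos):
    """Read a uint16-length-prefixed string and return (text, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_keytab(data):
    """Return a dict per entry. Layout after the 05 02 magic: [int32 size][body], body =
    uint16 ncomp, counted realm, ncomp counted components, uint32 name_type, uint32
    timestamp, uint8 vno8, uint16 enctype, uint16 keylen, key, optional uint32 vno32."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + keylen]
        pos += 13 + keylen
        if end - pos >= 4:                 # a non-zero 32-bit kvno overrides vno8
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "vno": vno, "enctype": enctype, "key": key})
    return entries

def build_keytab(entries):
    """Serialize (principal, vno, enctype, key) dicts in the same layout; sample data only."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)
        for s in parts:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIB", 1, 0, e["vno"] & 0xFF)       # KRB5_NT_PRINCIPAL, ts 0
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["vno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def audit_keytab(data, expected_spn):
    """Findings about the contents; an empty list means the keytab holds what Openfire needs."""
    entries = parse_keytab(data)
    names = sorted({e["principal"] for e in entries})
    findings = [] if expected_spn in names else [f"{expected_spn} missing; keytab holds {names}"]
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} kvno {e['vno']} uses weak enctype "
                            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    return findings

def perm_findings(uid, mode, owner):
    """Ownership/mode findings from os.stat values: owned by `owner`, mode 0600."""
    try:
        name = pwd.getpwuid(uid).pw_name
    except KeyError:
        name = str(uid)
    findings = [] if name == owner else [f"owned by {name}, expected {owner}"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(mode):04o} is readable by others; use 0600")
    return findings

# Constructed sample: an AES entry for the Openfire SPN plus a leftover RC4 entry.
SPN = "xmpp/openfire.domain.local@DOMAIN.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    {"principal": SPN, "vno": 3, "enctype": 18, "key": bytes(32)},
    {"principal": SPN, "vno": 3, "enctype": 23, "key": bytes(16)},
])

if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KEYTAB, SPN))
```

On the server the same checks run against the real file: read /usr/share/openfire/resources/<name>.keytab as bytes for audit_keytab, and pass os.stat(path).st_uid and .st_mode to perm_findings. Compare the reported kvno with what the domain controller shows for of-user; a stale kvno after a password reset is another common reason GSSAPI fails even though the SPN looks right.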