powered by Jive Software

Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue

Howdy folks! Really excited about possibilities of Openfire product but really feeling terrible because I can’t configure SSO. Want it so match but everything seems so cryptic and saw no clair instruction on how I suppose to configure OF 3.6.8 in conditions similar to mine. Error is typical, it correctly define username but authentification fails and it tells me about principal and server configuration issues. Server logs are giving me no clues as to what is happening when the client trying to authentificate on server. Ordinary authentification works perfect. Can somebody give me a link to instruction about configuring of SSO in similar to mine conditions? Also I have some questions about SSO configuration.

  1. krb5.conf (Openfire server 3.6.8) and krb5.ini (computers with Spark clients) should be the same. Am I right?

  2. What kind of packets should I apt-get install on my OF server? krb5, winbind, samba, ntpdate and what else?

  3. On DNS in reverse lookup zone I see no record (Host A) for xmpp/… Is it OK? Everything resolves without problems and I joined succesfully OF server to AD.

Thanks in advance!

P.S. definitely it is not a cakewalk to configure SSO with Openfire))

take a look at

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

the processes is pretty much the same with linux ( in my testing anyway). all the work is done at the domain controller, so all you have to do is adjust the paths in the gss.conf file and openfire system properties to work with linux.

I don’t believe you need a krb5.conf on the linux box.

you will need a ptr record unless you disable the dns check within the clients krb5.ini

also, OF is currently at 4.0.3…so you may want to upgrade…

No, I really don’t want to install 4.0.3. I tested it and it haves several terrible glitches which make it virtually impossible to use (dissapearing roasters, UTF8 problems which can’t be solved via previous solutions and etc). This PTR record what do mean by it? Everything resolves correctly so I think it exists. Just look at this output of nslookup which I made on domain controller:

Default Server: localhost

Address: 127.0.0.1

communicator

Server: localhost

Address: 127.0.0.1

Name: communicator.domain.local

Address: 10.97.100.7

10.97.100.7

Server: localhost

Address: 127.0.0.1

Name: communicator.domain.local

Address: 10.97.100.7

Localhost is the domain controller and 10.97.100.7 is the address of the openfire server. Maybe I am having a problem because before adding Debian machine (Openfire server) to domain I manually created a record in DNS. Anyway should I add my Openfire server to a domain environment?

And BTW I also used default_jre when I installed java for the openfire server (NOT the sun which is not allowed in repositories nowadays). May it be the source of the problem? My gss.conf is the following:

root@COMMUNICATOR:~# cat /etc/openfire/gss.conf

  1. com.sun.security.auth.module.Krb5LoginModule
    required

    storeKey=true

keyTab="/usr/share/openfire/resources/xmpp.keytab"

doNotPrompt=true

useKeyTab=true

realm="DOMAIN.LOCAL"

principal=“xmpp/communicator.domain.local@DOMAIN.LOCAL”

isInitiator=false

debug=true;

};

Here is my krb5.conf (openfire server named COMMUNICATOR):

root@COMMUNICATOR:# cat /etc/krb5.conf

[libdefaults]

default_realm = DOMAIN.LOCAL

    kdc_timesync = 1

    forwardable = true

    proxiable = true

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]

    DOMAIN.LOCAL = {

      kdc = dc.domain.local

default_domain = DOMAIN.LOCAL

    }

[domain_realm]

.domain.local = DOMAIN.LOCAL

    domain.local = DOMAIN.LOCAL

Here is my krb5.ini for the client with Spark 2.7.7 installed (I dropped it in C:/Windows):

[libdefaults]

default_realm = DOMAIN.LOCAL

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

[realms]

    DOMAIN.LOCAL = {

      kdc = dc.domain.local

default_domain = DOMAIN.LOCAL

    }

[domain_realm]

.domain.local = DOMAIN.LOCAL

    domain.local = DOMAIN.LOCAL

I added the following DWORD parameter to registry of the clients (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters):

allowtgtsessionkey = 1

And I added the following values to my OF server System Properties:

  1. sasl.gssapi.config = /etc/openfire/gss.conf
  2. sasl.gssapi.debug = false
  3. sasl.gssapi.useSubjectCredsOnly = false
  4. sasl.mechs = GSSAPI
  5. sasl.realm = DOMAIN.LOCAL
  6. xmpp.fqdn = communicator.domain.local

What else can I do? Really it so difficult to understand why it doesn’t work. Also I turned on some debugging on a Spark and it writes the following:

a common mistake is to make sure your xmpp.domain matches what you used for your SPN

Can you be such a nice person and point the exact line with a mistake and write down how it should look like. Thank you.

when you sign into your openfire admin console, what do you have for “Server Name”? Does that match what you used when you created your SPN?

Hmm…I am having communicator there because this is the name of my openfire server and it resolves correctly via DNS. I tried ip address there and tried to write fqdn there (like communicator.domain.local). My user for openfire name is xmpp_user (password never expires and Kerberos preauthentificate). So in my case what should be in the Server Name field?

Well…Here is the output of commands which I issued on a domain controller (BTW I have two of them):

Microsoft Windows [Version 6.1.7601]

Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL

xmpp-openfire

Registering ServicePrincipalNames for CN=xmpp-openfire,OU=Service Accounts,DC=domain, DC=local

xmpp/communicator.domain.local@DOMAIN.LOCAL

Updated object

C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL

.INT -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: dc.domain.local

Successfully mapped xmpp/communicator.domain.local to xmpp-openfire.

Type the password for xmpp/communicator.domain.local:

Type the password again to confirm:

Password succesfully set!

Key created.

C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL

.INT -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out

xmpp.keytab

Targeting domain controller: dc.domain.local

Successfully mapped xmpp/communicator.domain.local to xmpp-openfire.

Type the password for xmpp/communicator.domain.local:

Type the password again to confirm:

Password succesfully set!

Key created.

Output keytab to xmpp.keytab:

Keytab version: 0x502

keysize 82 xmpp/communicator.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_PRIN

CIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x5cb572987582c0615b0b3244599e3

fbb)

Victor,

Sorry to hear about your 4.0.3 troubles. Have Jira issues been raised for them? Are the same issues existing with current 4.1 development master branch builds?

daryl

Nope I did nothing. I downloaded from the official place a week ago the last version and was horrified. It is very common for opensource products to be very unstable before some time will not pass. So it much wise to look for older versions IMHO which were tested by a lot of people.

Thank you for you interest anyway. I think Openfire and Spark are greater than costly Lync anyway though much more cryptic and complicated.

the “Server Name” aka XMPP Domain, is like that of the domain part in an email address. This should NOT a shortname. It should be the FQDN/FQHN, or the root of a domain (like igniterealtime.org). HOWERVER if you use the root of a domain, you’ll then need to create SRV records that resolved to the fqdn/fqhn of the server.

So, in your case, you created you SPN record to be communicator.domain.local, so your xmpp domain/server name should be communicator.domain.local and not just communicator.

Once you update this, your JID would be @communicator.domain.local instead of @communicator

Once you update this, you’ll also need to regenerate your certs and possibly update your admin.authorizedJIDs. (if its there).

It sounds so complicated. However I think I understood that the username should be authomatically identified by SSO the following way: username@COMMUNICATOR.DOMAIN.LOCAL and NOT like username@DOMAIN.LOCAL. Am I right?

Please, can you give me the exact commands for DC to make jabber domain correct?

I can’t give you the commands without knowing all the correct variables.

think of your JID (xmpp address), like an email address

email address is @whatever.com but uses an MX record so that clients can correctly resolve and find your server. so your mx record may point to mailserver.whatever.com

xmpp works kinda the same way. if you want your xmpp domain to be @whatever.com, then you’ll have to create a SRV record that clients can use to find the host its running on, like xmpp.whatever.com, but unlike email, you can also use the full server name as your domain, without SRV as long as its resolvable. so instead of your domain being @whatever.com, it can be @xmpp.whatever.com without the SRV record as long as you have an A record for xmpp.whatever.com.

Does that make sense?

So…it depends on what you want to do…if this is internal only, and you can create a xmpp domain based on your internal network. if you want to do some S2S, and federate to the outside, than you’ll want to go another route. So depending on what you decide, and what you name your “Server Name” or XMPP Domain, will decide on what you use going forward.

My oh my! I think I am starting to follow what you are talking about. Really, I don’t have SRV records in DNS (only Host A). I read a article about this matter (Clarification needed - DNS SRV Record ) So, I can avoid all of this mess playing with the commands on a DC if I will create 3 SRV records in DNS. Like this:

xmpp-server.tcp.domain.local IN SRV 0 0 5269 communicator.domain.local.

xmpp-client.tcp.domain.local IN SRV 0 0 5222 communicator.domain.local.

jabber.tcp.domain.local IN SRV 0 0 5269 communicator.domain.local

Am I right?

Probably in the future (maybe someday:)) I want to try to integrate my Openfire with a Lync in a main company (we are having a sub-domain). Is it possible and which way should I choose in this case?

no…SSO and your xmpp domain are two separate things.but to get SSO to work, your SPN has to match your xmpp domain.

first lets do this…

will your server be for internal use only? do you want other servers to be able to find yours?

speedy написал(а):

first lets do this…

will your server be for internal use only? do you want other servers to be able to find yours?

I edited my previous post and wrote the answer there. For internal and probably for future integration with the Lync in head company.

so for internal only, you can probably get by using communicator.domain.local as your Server Name/xmpp domain

since youve done all the SPN based an that, there shouldn’t be much else for you to do except delete the old cert and recreate it, plus update your admin.authorizedJIDs before restarting

What about SVR records? I have none (only Host A record). Should I create this 3 records in DNS:

xmpp-server.tcp.domain.local IN SRV 0 0 5269 communicator.domain.local.

xmpp-client.tcp.domain.local IN SRV 0 0 5222 communicator.domain.local.

jabber.tcp.domain.local IN SRV 0 0 5269 communicator.domain.local

DNS is completely different server (domain controller) than COMMUNICATOR in my environment.

no…no need for SRV records

speedy написал(а):

since youve done all the SPN based an that, there shouldn’t be much else for you to do except delete the old cert and recreate it, plus update youradmin.authorizedJIDs before restarting

Oh my…This is a new experience for me and the questions are the following:

  1. How to delete the old cert? You mean to delete keytab.xmpp which I put onto /usr/share/openfire/resources on COMMUNICATOR and to generate it again with the command like this on DC:

ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

Am I right?

  1. How to update myadmin.authorizedJIDs? Never heard about it.

OK. I understood about the certificates and AdminJID. I want to clarify:

speedy написал(а):

so for internal only, you can probably get by using communicator.domain.local as your Server Name/xmpp domain

since youve done all the SPN based an that

speedy написал(а):

when you sign into your openfire admin console, what do you have for “Server Name”? Does that match what you used when you created your SPN?

Server Name - communicator.domain.local

C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL

xmpp-openfire

Registering ServicePrincipalNames for CN=xmpp-openfire,OU=Service Accounts,DC=domain,DC=local

xmpp/communicator.domain.local@DOMAIN.LOCAL

Updated object

xmpp-openfire it is my special user in AD for Kerberos.

Is there is a mistake according to what you wrote before?

speedy написал(а):

a common mistake is to make sure your xmpp.domain matches what you used for your SPN

Then how it should be? I am totally confused. As far as I undestood when I issue this commands on a domain controller they should look like this:

  1. Creating an SPN for xmpp service pointing to the Openfire server and special Kerberos user account

C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL

xmpp-openfire

  1. Making a tie between SPN and Kerberos user account in AD

C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL

.INT -mapuser xmpp-openfire@communicator.domain.local -pass * -ptype KRB5_NT_PRINCIPAL

  1. Generating a keytab file for APN and Kerberos user account

C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL

.INT -mapuser xmpp-openfire@communicator.domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

I underlined what I don’t included in my commands in current installation. After issuing new commands I should put new xmpp.keytab into /usr/share/openfire/resources and changing ownership to this file with this:

cd /usr/share/openfire/resources

chown openfire:openfire xmpp.keytab

After all of this stuff I

speedy написал(а):

delete the old cert and recreate it, plus update youradmin.authorizedJIDs before restarting

Am I described the correct way to fix the SSO troubles?