Openfire+Spark+SSO not working

Win2003 Server SP2 -> dc.domain.com

Win2012 R2 Datacenter Preview -> srv.domain.com (Openfire)

Win7 Pro -> app.domain.com (Spark)

I used this manual and others.

My steps:

  1. On the DC create the xmpp-openfire user, set password qwerty with the options “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”.

  2. For xmpp-openfire create the Kerberos XMPP SPN on the DC:

setspn -A xmpp/srv.domain.com@DOMAIN.COM xmpp-openfire

  3. On the DC map the Kerberos XMPP SPN to xmpp-openfire, setting password qwerty:

ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL

  4. Create the xmpp.keytab file on the DC, setting password qwerty:

ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

  5. On srv.domain.com create the folder \of_conf.

  6. Copy xmpp.keytab to srv.domain.com into the folder \of_conf.

  7. Create the file gss.conf in the folder \of_conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/of_conf/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.COM"
    principal="xmpp/srv.domain.com@DOMAIN.COM"
    debug=true;
};

  8. Create the file krb5.ini on app.domain.com and copy it to the root folder c:\, otherwise krb5.ini is not found:

[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.COM = {
        kdc = dc.domain.com
        admin_server = dc.domain.com
        default_domain = domain.com
    }

[domain_realm]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM

  9. Change openfire.xml, inside the tags:

<!-- sasl configuration -->
<sasl>
    <mechs>GSSAPI</mechs>
    <realm>DOMAIN.COM</realm>
    <gssapi>
        <debug>true</debug>
        <config>C:/of_conf/gss.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl>
<authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>

  10. Go to the web browser at http://srv.domain.com:9090
  • choose English

  • internal base

  • AD (LDAP)

  • server type Active Directory, host = dc.domain.com, BaseDN = dc=domain, dc=com, AdminDN (interesting!) is not dc=adm, dc=domain, dc=com; in my case it is dc=Eugene Smith, dc=domain, dc=com

  • add admin login adm

  • go to User/Groups and now see AD users

  • go to Server -> Server Manager -> System Properties add property xmpp.fqdn = srv.domain.com

  11. Set firewall rules on srv.domain.com, adding TCP and UDP with ports 5222, 5223, 5229, 7070, 7443, 9090, 9091.

  12. Set the registry parameter with regedit.exe:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

and restart the PC.

  13. Run Spark, open the options and set Use Single Sign-On (SSO) GSSAPI, save; the dialog says “This will use the Desktop Account for ‘***’ to login to the server”, where *** = adm@DOMAIN.COM.

  14. Type adm, server srv.domain.com and try.

SSO does not work. In the Spark logs:

java.lang.IllegalStateException: Not connected to server.
    at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:352)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
18.10.2013 9:07:35 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.IllegalStateException: Not connected to server.
    at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

In cmd on the Spark computer I use

telnet srv.domain.com 5222

and the server answers.

Spark's Java:

C:\Program Files (x86)\Spark\jre\bin>java -version
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

DNS is configured on dc.domain.com.

C:\Program Files\Windows Resource Kits\Tools>klist.exe tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: adm
DomainName: DOMAIN.LOCAL
TargetDomainName: DOMAIN.LOCAL
AltTargetDomainName: DOMAIN.LOCAL
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 7:00:00
StartTime: 10/18/2013 9:22:58
EndTime: 10/18/2013 19:22:58
RenewUntil: 10/25/2013 9:22:58
TimeSkew: 1/1/1601 7:00:00

PS:

I set Spark debug and now see

srv.dimain.com
5222
2013.10.18 12:39:15 PM
Active
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="UCx4u-0" type="get"><query xmlns="jabber:iq:auth"><username>adm</username></query></iq>
<presence id="UCx4u-1" type="unavailable"></presence>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

How do I fix this?

The krb5.ini should not be in c:\ root, but in C:\windows

If you’re still having problems, you can also create an additional SPN record with the FQDN name of the server without the @DOMAIN

Something like

setspn.exe -A xmpp/FQDN.SERVER.NAME xmpp-openfire

And recreate the keytab, and test it with

kinit -k -t xmpp.keytab xmpp/FQDN.SERVER.NAME

Execute on dc.domain.com:

C:\Program Files\Support Tools>setspn.exe -A xmpp/SRV.DOMAIN.COM xmpp-openfire

Registering ServicePrincipalNames for CN=xmpp-openfire,CN=Users,DC=domain,DC=com

xmpp/SRV.DOMAIN.COM

Updated object

Create xmpp.keytab:

C:\Program Files\Support Tools>ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

Targeting domain controller: dc.domain.com

Using legacy password setting method

Successfully mapped xmpp/srv.domain.com to xmpp-openfire.

Type the password for xmpp/srv.domain.com:

Type the password again to confirm:

Key created.

Output keytab to xmpp.keytab:

Keytab version: 0x502

keysize 96 xmpp/srv.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 11 etype 0x17 (RC4-HMAC) keylength 16 (0x29dc6e19b0a64cbe33f3e6199c5d9542)

Test on the Openfire server (krb5.ini placed in c:\windows):

C:\Program Files\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/SRV.DOMAIN.COM

Exception: invalid Principal name: xmpp/SRV.DOMAIN>COM Could not load configuration file \krb5.ini

java.lang.IllegalArgumentException: invalid Principal name: xmpp/SRV.DOMAIN.COM Could not load configuration file \krb5.ini

    at sun.security.krb5.internal.tools.KinitOptions.(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

Moving krb5.ini into c:\ and trying again:

C:\Program Files\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/SRV.DOMAIN.COM

New ticket is stored in cache file C:\Users\adm\krb5cc_adm

Copy xmpp.keytab into c:\of_conf, restart the server and try to connect to the server.

SSO still does not work. The situation has not changed and the error logs have not changed.
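The keytab is the piece this thread rebuilds several times (steps 3 and 4, and the ktpass run above) without ever inspecting what ktpass wrote into it. The Python below is an added example, not code from this thread or from Openfire: it parses a v2 keytab (the "Keytab version: 0x502" format ktpass reports) and checks its entry against the principal named in gss.conf and the enctypes allowed by krb5.ini; the sample keytab is constructed with build_keytab, and the function names are my own.

```python
import struct
# MIT keytab v2 (ktpass prints "Keytab version: 0x502"): uint16 version, then per entry int32 size,
# uint16 ncomp, realm and ncomp components (uint16 len + bytes each), uint32 name_type,
# uint32 timestamp, uint8 vno8, uint16 etype, uint16 key_len, key bytes, optional uint32 vno32.
KEYTAB_VERSION, KRB5_NT_PRINCIPAL = 0x0502, 1
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x10: "DES3-CBC-SHA1", 0x11: "AES128-CTS", 0x12: "AES256-CTS"}

def build_keytab(principal, realm, kvno, etype, key):
    """Construct a one-entry keytab; used here only to make constructed sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">Hi", KEYTAB_VERSION, len(body)) + body

def parse_keytab(data):
    """Yield one dict per keytab entry: principal@REALM, kvno, etype and key length."""
    (version,) = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0: pos -= size; continue  # a negative size marks a deleted slot
        e, off = data[pos:pos + size], 2
        (ncomp,) = struct.unpack(">H", e[:2])
        strings = []                         # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", e[off:off + 2]); off += 2
            strings.append(e[off:off + n].decode("utf-8")); off += n
        _ntype, _ts, vno8 = struct.unpack(">IIB", e[off:off + 9]); off += 9
        etype, klen = struct.unpack(">HH", e[off:off + 4]); off += 4 + klen
        kvno = struct.unpack(">I", e[off:off + 4])[0] if off + 4 <= len(e) else vno8
        yield {"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno, "etype": etype,
               "etype_name": ETYPE_NAMES.get(etype, hex(etype)), "key_len": klen}
        pos += size

def check_keytab(data, expected_principal, permitted_etypes):
    """List the reasons the principal named in gss.conf could not be served from this keytab."""
    entries = list(parse_keytab(data))
    exact = [e for e in entries if e["principal"] == expected_principal]
    if exact:  # Java and MIT compare principal names exactly, so only the etype can still be wrong
        return ["etype %s not in permitted_enctypes" % e["etype_name"] for e in exact if e["etype"] not in permitted_etypes]
    near = [e["principal"] for e in entries if e["principal"].lower() == expected_principal.lower()]
    if near:   # AD matched the SPN case-insensitively, but the keytab lookup will not
        return ["principal case differs: keytab has %s, config wants %s" % (near[0], expected_principal)]
    return ["no entry for %s" % expected_principal]
```

Against a real file, call check_keytab(open("xmpp.keytab", "rb").read(), ...) with the principal from gss.conf and the etype numbers behind krb5.ini's permitted_enctypes; an empty list means the keytab can serve that principal, and the kvno from parse_keytab should match the vno ktpass printed.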


Here is a document that I wrote up a few months ago. Let me know if you have any questions.

http://community.igniterealtime.org/docs/DOC-2585

Thanks to all. SSO works.

Thanks speedy for the helpful answer, but not only this was right. I used several different guides from the internet. The Openfire community really needs a usable SSO wiki; perhaps I will make one later.

Can you post how you solved it, because I have the same problem.

Some docs were done, but only in Russian.

On the holidays I'll try to translate them and reply to you (and others)… be patient.

Thanks Eugene, I'm patient, hmm, but how many holidays are left? Thanks.

Or send me the Russian docs and I'll Google Translate them.

what problem are you having?

Excuse me: the project was not my first priority, I kept postponing what I promised to the next day, and eventually forgot all about it. The document is not finished yet, but I think it describes the hardest part. Where do I send you the file?

Thanks Eugene, you can send it to juegosdexbox360@gmail.com