powered by Jive Software

Openfire+Spark+SSO not worked

Win2003 Server SP2 -> dc.domain.com

Win2012 R2 Datacenter Preview -> srv.domain.com (Openfire)

Win7 Pro -> app.domain.com (Spark)

use this manual and other.

My steps:

  1. create on DC xmpp-openfire user, set password qwerty with options “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”

  2. for xmpp-openfire create Kerberos XMPP SPN on DC

setspn -A xmpp/srv.domain.com@DOMAIN.COM xmpp-openfire
  1. for xmpp-openfire create map Kerberos XMPP SPN on DC, set password qwerty
ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL
  1. create xmpp.keytab file on DC, set password qwerty
ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
  1. on srv.domain.com create folder \of_conf

  2. xmpp.keytab copy to srv.domain.com in folder \of_conf

  3. create file gss.conf in folder \of_conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/of_conf/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.COM"
    principal="xmpp/srv.domain.com@DOMAIN.COM"
    debug=true;
};
  1. create file krb5.ini on app.domain.com, copy to root folder **c:**, else krb5.ini not located
[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5 [realms]
    DOMAIN.COM = {
        kdc = dc.domain.com
        admin_server = dc.domain.com
        default_domain = domain.com
    } [domain_realms]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
  1. change openfire.xml, inside tags
<!-- sasl configuration -->    <sasl>     <mechs>GSSAPI</mechs>      <realm>DOMAIN.COM</realm>      <gssapi>       <debug>true</debug>        <config>C:/of_conf/gss.conf</config>        <useSubjectCredsOnly>false</useSubjectCredsOnly>     </gssapi>   </sasl>
    <authorization>       <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>     </authorization>
  1. go to web browser htpp://srv.domain.com:9090
  • choose English

  • internal base

  • AD (LDAP)

  • server type Active Directory, host = dc.domain.com, BaseDN = dc=domain, dc=com, AdminDN (interested!) not dc=adm, dc=domain, dc=com, in my case dc=Eugene Smith, dc=domain, dc=com

  • add admin login adm

  • go to User/Groups and now see AD users

  • go to Server -> Server Manager -> System Properties add property xmpp.fqdn = srv.domain.com

  1. set firewall rules srv.domain.com, add TPC and UDP with ports 5222, 5223, 5229, 7070, 7443, 9090, 9091

  2. set regedit.exe parameter

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

and restart PC

  1. Run Spark, setup options and set Use Single Sign-On (SSO) GSSAPI, save, checking This will use the Desktop Account for “***” to login to the server, *** = adm@DOMAIN.COM

  2. type adm, server srv.domain.com and try

not work SSO. In Spark logs:

java.lang.IllegalStateException: Not connected to server.
    at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:352)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
18.10.2013 9:07:35 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.IllegalStateException: Not connected to server.
    at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

on cmd Spark computer use

telnet srv.domain.com 5222

and server answer.

Spark Java

C:\Program Files (x86)\Spark\jre\bin>java -version
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

DNS configured on dc.domain.com

C:\Program Files\Windows Resource Kits\Tools>klist.exe tgt Cached TGT: ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: adm
DomainName: DOMAIN.LOCAL
TargetDomainName: DOMAIN.LOCAL
AltTargetDomainName: DOMAIN.LOCAL
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 7:00:00
StartTime: 10/18/2013 9:22:58
EndTime: 10/18/2013 19:22:58
RenewUntil: 10/25/2013 9:22:58
TimeSkew: 1/1/1601 7:00:00

PS:

set Spark debug and now see

srv.dimain.com
5222
2013.10.18 12:39:15 PM
Active
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="UCx4u-0" type="get"><query xmlns="jabber:iq:auth"><username>adm</username></query></iq>
<presence id="UCx4u-1" type="unavailable"></presence>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

How fix???

The krb5.ini should not be in c:\ root, but in C:\windows

If you’re still having problems, you can also create an additional SPN record with the FQDN name of the server without the @DOMAIN

Something like

setspn.exe -A xmpp/FQDN.SERVER.NAME xmpp-openfire

And recreate the keytab, and test it with

kinit -k -t xmpp.keytab xmpp/FQDN.SERVER.NAME

Execute on dc.domain.com:

C:\Program Files\Support Tools>setspn.exe -A xmpp/SRV.DOMAIN.COM xmpp-openfire

Registering ServicePrincipalNames for CN=xmpp-openfire,CN=Users,DC=domain,DC=com

** xmpp/SRV.DOMAIN.COM**

Updated object

Create xmpp.keytab:

C:\Program Files\Support Tools>ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

Targeting domain controller: dc.domain.com

Using legacy password setting method

Successfully mapped xmpp/srv.domain.com to xmpp-openfire.

Type the password for xmpp/srv.domain.com:

Type the password again to confirm:

Key created.

Output keytab to xmpp.keytab:

Keytab version: 0x502

keysize 96 xmpp/srv.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 11 etype 0x17 (RC4-HMAC) keylength 16 (0x29dc6e19b0a64cbe33f3e6199c5d9542)

Test on Openfire server (krb5.ini set in c:\windows):

C:\Program Files\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/SRV.DOMAIN.COM

Exception: invalid Principal name: xmpp/SRV.DOMAIN>COM Could not load configuration file \krb5.ini

java.lang.IllegalArgumentException: invalid Principal name: xmpp/SRV.DOMAIN.COM Could not load configuration file \krb5.ini

** at sun.security.krb5.internal.tools.KinitOptions.(Unknown Source)**

** at sun.security.krb5.internal.tools.Kinit.(Unknown Source)**

** at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)**

Moving krb5.ini into c:\ and try again:

C:\Program Files\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/SRV.DOMAIN.COM

New ticket is stored in cache file C:\Users\adm\krb5cc_adm

Copy xmpp.keytab into c:\of_conf, restart server and try connect to server

SSO not worked. Situation not changed, error logs not changed.


Here is a document that I wrote up a few months ago. Let me know if you have any questions.

http://community.igniterealtime.org/docs/DOC-2585

Thanx to all. SSO is work.

Thanx speedy for helpful answer, but not only this is right. I’am use more different helps from internet. Openfire community very need usable SSO wiki , perhaps I’am make it later.

Can you put how did you solved, cause i have the same problem.

some docs was done, but only russian language

on holidays i’m try translate and reply for you (and other)… be patient.

thanks Eugente, I’m patitent,jmm but how many holidays left?, thanks

or sendme the russian docs and i google translate it

what problem are you having?

Excuse me, I need for the project was not the actual first and postponing promised I left the next day, but eventually forgot all about it. The document is not finished yet, but I think the hardest thing it describes. Where do I send you the file?

thanks Eugene, you cand send it to juegosdexbox360@gmail.com