Win2003 Server SP2 -> dc.domain.com
Win2012 R2 Datacenter Preview -> srv.domain.com (Openfire)
Win7 Pro -> app.domain.com (Spark)
I used this manual and others.
My steps:
- create the xmpp-openfire user on the DC, set password qwerty with the options “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”
- for xmpp-openfire create the Kerberos XMPP SPN on the DC:
setspn -A xmpp/srv.domain.com@DOMAIN.COM xmpp-openfire
- map the Kerberos XMPP SPN to xmpp-openfire on the DC, set password qwerty:
ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL
- create the xmpp.keytab file on the DC, set password qwerty:
ktpass -princ xmpp/srv.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
- on srv.domain.com create the folder \of_conf
- copy xmpp.keytab to srv.domain.com into the folder \of_conf
- create the file gss.conf in the folder \of_conf:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/of_conf/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.COM"
    principal="xmpp/srv.domain.com@DOMAIN.COM"
    debug=true;
};
- create the file krb5.ini on app.domain.com and copy it to the root folder c:\, otherwise krb5.ini is not found:
[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.COM = {
        kdc = dc.domain.com
        admin_server = dc.domain.com
        default_domain = domain.com
    }

[domain_realm]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
- change openfire.xml, inside the tags:
<!-- sasl configuration -->
<sasl>
    <mechs>GSSAPI</mechs>
    <realm>DOMAIN.COM</realm>
    <gssapi>
        <debug>true</debug>
        <config>C:/of_conf/gss.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl>
<authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
- go in a web browser to http://srv.domain.com:9090
- choose English
- internal database
- AD (LDAP)
- server type Active Directory, host = dc.domain.com, BaseDN = dc=domain, dc=com, AdminDN (interesting!) is not dc=adm, dc=domain, dc=com; in my case it is dc=Eugene Smith, dc=domain, dc=com
- add admin login adm
- go to Users/Groups and now I see the AD users
- go to Server -> Server Manager -> System Properties and add the property xmpp.fqdn = srv.domain.com
- set firewall rules on srv.domain.com, add TCP and UDP with ports 5222, 5223, 5229, 7070, 7443, 9090, 9091
- set the registry parameter with regedit.exe:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
and restart the PC
- run Spark, open the options and set Use Single Sign-On (SSO) GSSAPI, save, tick “This will use the Desktop Account for “***” to login to the server”, where *** = adm@DOMAIN.COM
- type adm, server srv.domain.com and try
SSO does not work. In the Spark logs:
java.lang.IllegalStateException: Not connected to server.
at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:352)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
18.10.2013 9:07:35 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.IllegalStateException: Not connected to server.
at org.jivesoftware.smack.XMPPConnection.sendPacket(XMPPConnection.java:445)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:69)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
From cmd on the Spark computer I run
telnet srv.domain.com 5222
and the server answers.
Spark's Java:
C:\Program Files (x86)\Spark\jre\bin>java -version
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
DNS is configured on dc.domain.com.
C:\Program Files\Windows Resource Kits\Tools>klist.exe tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: adm
DomainName: DOMAIN.LOCAL
TargetDomainName: DOMAIN.LOCAL
AltTargetDomainName: DOMAIN.LOCAL
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 7:00:00
StartTime: 10/18/2013 9:22:58
EndTime: 10/18/2013 19:22:58
RenewUntil: 10/25/2013 9:22:58
TimeSkew: 1/1/1601 7:00:00
PS:
I set Spark debug and now I see:
srv.dimain.com
5222
2013.10.18 12:39:15 PM
Active
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="UCx4u-0" type="get"><query xmlns="jabber:iq:auth"><username>adm</username></query></iq>
<presence id="UCx4u-1" type="unavailable"></presence>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="srv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
How do I fix this?
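The DC-side part of the procedure above (service account, SPN, keytab) together with the two config files, as an added PowerShell example; it is not code from the original post or from the Openfire project. It assumes the ActiveDirectory module (RSAT) and ktpass/setspn are available where it runs, for instance on the 2012 R2 member server against the DC, and it reuses the post's names (xmpp-openfire, xmpp/srv.domain.com, DOMAIN.COM, C:\of_conf). It differs from the post in three deliberate places: Kerberos pre-authentication is left enabled (an account with "Does not require Kerberos Preauthentication" can be AS-REP roasted offline by anyone on the network, and Openfire's GSSAPI does not need it), the SPN is registered without the @REALM suffix, and the DES enctypes are dropped from krb5.ini. The mapping section of krb5.ini must be spelled [domain_realm], and each section must start on its own line.

```powershell
# Added example, not the post's or Openfire's own code. Run elevated as a
# domain admin on a host with RSAT (ActiveDirectory module, ktpass, setspn).
param(
    [string]$Account    = 'xmpp-openfire',
    [string]$ServerFqdn = 'srv.domain.com',
    [string]$Realm      = 'DOMAIN.COM',
    [string]$ConfDir    = 'C:\of_conf',
    # RC4-HMAC-NT is the strongest type a Windows 2003 DC can issue; on a
    # 2008+ DC use AES256-SHA1 and set -KerberosEncryptionType AES256 on the account.
    [string]$Crypto     = 'RC4-HMAC-NT'
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$dom      = $Realm.ToLower()
$spn      = "xmpp/$ServerFqdn"          # bare SPN as stored in AD
$princ    = "$spn@$Realm"               # Kerberos principal for ktpass/gss.conf
$password = Read-Host -AsSecureString "Password for $Account"

# 1. Service account: password locked and never expiring. Pre-authentication
#    is deliberately left ON (no -DoesNotRequirePreAuth) to avoid AS-REP roasting.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account `
        -UserPrincipalName "$Account@$dom" `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. Register the SPN on the account.
Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $spn}

# 3. Export the keytab. ktpass -pass resets the account password and bumps
#    the kvno, so run it exactly once; a second run invalidates the first keytab.
New-Item -ItemType Directory -Force -Path $ConfDir | Out-Null
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$keytab = Join-Path $ConfDir 'xmpp.keytab'
& ktpass.exe -princ $princ -mapuser "$Account@$dom" -pass $plain `
    -crypto $Crypto -ptype KRB5_NT_PRINCIPAL -out $keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. JAAS config read by Openfire's GSSAPI SASL mechanism (forward slashes in the path).
$jaasKeytab = $keytab -replace '\\', '/'
@"
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="$jaasKeytab"
    doNotPrompt=true
    useKeyTab=true
    realm="$Realm"
    principal="$princ"
    debug=true;
};
"@ | Set-Content -Encoding ASCII (Join-Path $ConfDir 'gss.conf')

# 5. krb5.ini for the Java clients. Out-File defaults to UTF-16, which the
#    Java krb5 parser does not read, hence Set-Content -Encoding ASCII.
@"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    $Realm = {
        kdc = dc.$dom
        admin_server = dc.$dom
        default_domain = $dom
    }

[domain_realm]
    $dom = $Realm
    .$dom = $Realm
"@ | Set-Content -Encoding ASCII (Join-Path $ConfDir 'krb5.ini')

# 6. Checks: the SPN must resolve to exactly one account, and a client must be
#    able to obtain a service ticket for it before Openfire is involved at all.
& setspn.exe -Q $spn
Write-Host "Now on the client (as the user who will log in) run:"
Write-Host "    klist purge"
Write-Host "    klist get $spn"
Write-Host "KDC_ERR_S_PRINCIPAL_UNKNOWN there means the SPN or DNS name is wrong, not Openfire."
```

Copy krb5.ini to C:\ on the client (or to C:\Windows\krb5.ini, which Java also checks) and gss.conf plus xmpp.keytab stay on the Openfire host in C:\of_conf. If `klist get xmpp/srv.domain.com` succeeds on the client but Spark still falls back to jabber:iq:auth, the remaining suspects are the server side: the keytab kvno, the realm in openfire.xml, and whether GSSAPI is actually offered in the stream features.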