Openfire SSO Ubuntu guide

ilyaHlevnoy · June 23, 2020, 7:20am

Hi, community.
The guide below shows how to configure SSO Kerberos with Ubuntu Server 16.04 and 18.04.
Java version no higher than Java 8 update 221 and Java 11.0.4. in latest java versions my SSO doesn’t work

srvdca3.domain.local-------|AD DC + DNS|
srv-chat.domain.local-------|Openfire server 4.5.2|

Create a domain user openfire *
1.1.Set it: User cannot change password Password never expires ** Do not require Kerberos preauthentication *
1.2 On any DC, open CMD under the admin and run this command.

setspn -A xmpp/srv-chat.domain.local@DOMAIN.LOCAL **openfire**

Where: srv-chat.domain.local - full name your server Ubuntu with Openfire, @DOMAIN.LOCAL - your domain, openfire - your domain user(step 1,with which authorization through Kerberos (SSO) will work)
1.3 in CMD run this command and save file openfire.keytab in drive C.

ktpass /princ xmpp/srv-chat.domain.local@DOMAIN.LOCAL /mapuser openfire@domain.local /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /out c:\openfire.keytab

Openfire user attributes will change

servicePrincipalName – xmpp/srv-chat.domain.local
userPrincipalName – xmpp/srv-chat.domain.local@DOMAIN.LOCAL

2.Preparing an Openfire Server
2.1 install Openfire server
2.2 Copy openfire.keytab(step 1.3) to /usr/share/openfire/resources/
2.3 Create the file /etc/openfire/gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/usr/share/openfire/resources/openfire.keytab"
doNotPrompt=true
useKeyTab=true
realm="DOMAIN.LOCAL"
principal="xmpp/srv-chat.domain.local@DOMAIN.LOCAL"
debug=false;
};

2.4 Create a Kerberos configuration file and save it as krb5.ini to /etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = /usr/share/openfire/resources/openfire.keytab
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
DOMAIN.LOCAL = {
kdc = srvdc3.domain.local
kdc = srvdca1.domain.local
admin_server = srvdc3.domain.local
default_domain = domain.local
}

[domain_realms]
domain.com = DOMAIN.LOCAL
.domain.com = DOMAIN.LOCAL

To check the ticket, you can use the following commands:

kinit -V -k -t /usr/share/openfire/resources/openfire.keytab xmpp/srv-chat.domain.local@DOMAIN.LOCAL
 klist -ek  /usr/share/openfire/resources/openfire.keytab

3.Openfire Preparation
3.1 go to http://srv-chat.domain.local:9090
3.2. We write our domain controller and any domain user (without administrative rights, I have this user “testuser”)
Server
–Server Settings
—Profile Settings
----LDAP Settings
Host:srvdca3.domain.local Port:389
Administrator DN: domain\testuser
3.3 Go to
-Server
–System Properties
and change this parametrs and save:

|Property Name|Property Value|
|---|---|
|authorization.classList|org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy|
|sasl.gssapi.config|/etc/openfire/gss.conf|
|sasl.gssapi.debug|true|
|sasl.gssapi.useSubjectCredsOnly|False|
|sasl.mechs.00002|PLAIN|
|sasl.mechs.00008|GSSAPI|
|sasl.realm|DOMAIN.LOCAL|
|xmpp.fqdn|srv-chat.domain.local|

3.4 Reboot your Openfire service and reboot Ubuntu server.

4.Client Windows preparation(Spark 2.8.3)
4.1 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

4.2 install Spark 2.8.3
4.3 Open Spark -> Advanced button -> SSO tab -> enable Use Single Sign-On (SSO) via GSSAPI
4.4 And write your server Openfire and click on “Logon”

mauriciosti · June 23, 2020, 2:16pm

What is these two servers??

ilyaHlevnoy · June 23, 2020, 2:30pm

I have two domain controllers, but only one can be specified.

[realms]
DOMAIN.LOCAL = {
kdc = srvdc3.domain.local
admin_server = srvdc3.domain.local
default_domain = domain.local
}

mauriciosti · June 23, 2020, 3:50pm

Do my chat server be logged in my AD??

ilyaHlevnoy · June 23, 2020, 5:44pm

Yes, you need to enter the Ubuntu server in the domain.

mauriciosti · June 23, 2020, 5:46pm

Ok, im trying installing java 8 221, but no success until now.

ilyaHlevnoy · June 23, 2020, 7:05pm

here is the Java I installed, and I turned off Java auto-update.
This java for ubuntu 16.04

dpkg -i openjdk-8-jre-headless_8u222-b10-1ubuntu1_16.04.1_amd64.deb

sudo apt-mark hold openjdk-8-jdk

openjdk-8-jre-headless_8u222-b10-1ubuntu1_16.04.1_amd64.deb (25.9 МБ)

mauriciosti · June 23, 2020, 7:59pm

So, in clients machine, windows 7 has to be outdated java??

ilyaHlevnoy · June 23, 2020, 8:14pm

No, you can install any version of Java on clients. for example, you can use Spark 2.8.3 with integrated Java. But on servers that would work SSO need to use Java no higher than version 8 update 221.

mauriciosti · June 23, 2020, 8:42pm

Ok, finished installation, but doenst work for me.

I’m getting this error, krb5-kdc.service: Can’t open PID file /var/run/krb5-kdc.pid

ilyaHlevnoy · June 24, 2020, 10:52am

hmm, I don’t have Kerberos KDC Server on any of my ubuntu servers.
i think you need delete Kerberos KDC Server and install krb5-user.

And also you need to look in the admin panel Openfire if you have all authorization mechanisms (SASL) enabled

sudo apt-get install krb5-user

mauriciosti · June 24, 2020, 5:11pm

Removed the KDC Server, and put only kdcuser.
Also enabled alls SASL.

But still dont work.

mauriciosti · June 24, 2020, 6:34pm

ilyaHlevnoy · June 24, 2020, 8:05pm

To check whether GSSAPI(SSO) works or not, you need to enter the command in your Ubuntu server:
Point 2.4 from my guide

kinit -V -k -t /usr/share/openfire/resources/openfire.keytab xmpp/srv-chat.domain.local@DOMAIN.LOCAL

If everything works correctly, a record should appear:
Authenticated to Kerberos v5
Look at my two screenshots from two Openfire servers (First server on Ubuntu 16.04 and second server on Ubuntu 18.04)

mauriciosti · June 24, 2020, 8:11pm

Yeap, the same here. But Spark cant conect.

Spark config

mauriciosti · June 24, 2020, 8:17pm

Ok dude, its working on others SO like Windows Server and Windows 10 but, in windows 7 its not working.

ilyaHlevnoy · June 24, 2020, 9:12pm

My company uses only Windows 10, but we implemented SSO even when we had computers with Windows 7 and Windows 8.1.
Give me time, tomorrow I will install a virtual machine on Windows 7.
By the way, try putting the krb5.conf file in C: \ Windows and reboot computer .
And also make sure that every Windows client has this registry entry from point 4.1, it is very important :
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Lsa \ Kerberos \ Parameters

Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

ilyaHlevnoy · June 25, 2020, 10:02am

hmm, I have SSO running on Windows 7.
And without the krb5.conf file.
I just added a reg entry from point 4.1
Do you use the latest version of Spark 2.8.3?
Screenshot_508

speedy · June 25, 2020, 11:22am

@ilyaHlevnoy great guide!

for addtional references

mauriciosti · June 25, 2020, 1:54pm

Yes, im using the latest. I have already change the reg. I will try again.