Openfire SSO

Hi All,

I would like to set up Openfire/SPARK with SSO and it doesn't work for me. I spent more than 20 hours diagnosing problems. Some are solved, but now I need help.

My Environment:

Windows Server 2012 as Domain Controller (openfiredc.mc.gov.pl)

Windows 10 system connected to domain with SPARK 2.8.0 as xmpp client

Debian Jessie 8.5 as Openfire server (openfire.mc.gov.pl)

root@openfire:/usr/local# java -version

java version "1.8.0_101"

Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

All systems synchronized with NTP

Forward and Reverse DNS configured including _kerberos and _xmpp SRV records

I think I’ve done everything according to SSO Configuration

Openfire Configuration:

/etc/krb5.conf:

[libdefaults]

default_realm = MC.GOV.PL

[realms]

MC.GOV.PL = {

kdc = openfiredc.mc.gov.pl

admin_server = openfiredc.mc.gov.pl

default_domain = mc.gov.pl

}

[domain_realm]

.mc.gov.pl = MC.GOV.PL

mc.gov.pl = MC.GOV.PL

Created XMPP SPN, mapping and keytab according to DOC-1060. Verification on Openfire server:

root@openfire:/usr/local# kinit -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfire.mc.gov.pl@MC.GOV.PL -V

Using default cache: /tmp/krb5cc_0

Using principal: xmpp/openfire.mc.gov.pl@MC.GOV.PL

Using keytab: /usr/share/openfire/resources/xmpp.keytab

Authenticated to Kerberos v5

gss.conf file:

root@openfire:/usr/local# cat /etc/openfire/gss.conf

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab="/usr/share/openfire/resources/xmpp.keytab"

doNotPrompt=true

useKeyTab=true

realm="MC.GOV.PL"

principal="xmpp/openfire.mc.gov.pl@MC.GOV.PL"

isInitiator=false

debug=true;

};

SASL configuration added to openfire.x

<sasl>
  <mechs>GSSAPI</mechs>
  <realm>MC.GOV.PL</realm>
  <gssapi>
    <debug>true</debug>
    <config>/etc/openfire/gss.conf</config>
    <useSubjectCredsOnly>false</useSubjectCredsOnly>
  </gssapi>
</sasl>

SPARK client configuration:

Registry modified according to DOC-1060

SSO use krb5.ini

Problem Description:

SPARK starts xmpp conversation

<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>

Openfire Server answers:

<?xml version='1.0' encoding='UTF-8'?>

<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>

SPARK sends TGS-REQ for krbtgt@MC.GOV.PL (MC.GOV.PL) and receives ticket TGS-REP

SPARK sends TGS-REQ for xmpp@openfire.mc.gov.pl (MC.GOV.PL) and receives ticket TGS-REP

SPARK sends xmpp message to Openfire Server:

<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAMCAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug==</auth>

And this is the moment where Openfire has problem

Openfire sends answer to SPARK

<?xml version='1.0' encoding='UTF-8'?><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>

In logs I can see only

2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 5

Queue : [MESSAGE_RECEIVED, ]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 5

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 5

2016.09.17 21:03:02 INFO [socket_c2s-thread-3]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.ssl.SslFilter - Session Server5: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=77 cap=128: 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22…]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 5

2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 5

Queue : [MESSAGE_SENT, ]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 5

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 5

Please help, I have no idea what is wrong.

Regards, Adam
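A worked check, added here as an example and not part of Adam's post or of the Openfire project: the `<auth>` payload quoted above is a GSS-API InitialContextToken wrapping a Kerberos AP-REQ, and everything in it up to the ticket's encrypted part is cleartext. The script below (Python is assumed to be available on the Debian box; the input is the truncated blob from the post with the forum's line-wrap spaces removed, which is an assumption about what was pasted) reads out the service principal, kvno and encryption type the KDC used for the ticket. Those are what Openfire's JAAS acceptor has to find in xmpp.keytab. "User Login Failed. Failure to initialize security context" is only the SaslException message; Openfire does not log the wrapped GSSException that carries the cause, and the 77-byte write in the same log begins with the bytes 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22, i.e. `<failure xmlns="`. One caveat a successful `kinit -k -t` does not cover: it proves the keytab holds a key the KDC accepts for an AS exchange, not that it holds the kvno and etype the KDC chose for this service ticket, so compare the script's output with `klist -k -e /usr/share/openfire/resources/xmpp.keytab`.

```python
import base64

# Constructed input: the truncated SASL <auth> blob from the post, with the spaces the
# forum inserted at line wraps removed (an assumption; nothing else was changed).
# The paste ends inside the ticket's ciphertext; every field read below precedes it.
AUTH_B64 = (
    "YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACj"
    "ggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAM"
    "CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ"
    "6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug=="
)

KRB5_MECH_OID = "1.2.840.113554.1.2.2"          # GSS-API Kerberos V5 mechanism (RFC 1964)
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def decode_lenient(b64):
    """Base64-decode a pasted blob that may have been cut off mid-string."""
    data = "".join(b64.split()).rstrip("=")
    if len(data) % 4 == 1:                      # a lone trailing sextet carries no whole byte
        data = data[:-1]
    return base64.b64decode(data + "=" * (-len(data) % 4))


def tlv(buf, pos):
    """One DER TLV at pos -> (tag, value_start, value_end, declared_length).
    value_end is clipped to len(buf) so a truncated token still parses as far as it goes."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, min(pos + length, len(buf)), length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for TLVs laid end to end in buf[start:end]."""
    pos = start
    while pos + 2 <= end:
        tag, vs, ve, _ = tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def uint(buf, start, end):
    return int.from_bytes(buf[start:end], "big")


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ticket(buf, start, end):
    """Ticket ::= [APPLICATION 1] SEQUENCE { [0] tkt-vno, [1] realm, [2] sname, [3] enc-part }"""
    out = {}
    _, p, _, _ = tlv(buf, start)                # [APPLICATION 1]
    _, p, tend, _ = tlv(buf, p)                 # SEQUENCE
    for ctag, vs, ve in children(buf, p, tend):
        if ctag == 0xA1:                        # [1] realm, GeneralString
            _, s, e, _ = tlv(buf, vs)
            out["realm"] = buf[s:e].decode()
        elif ctag == 0xA2:                      # [2] sname: { [0] name-type, [1] name-string }
            _, s, e, _ = tlv(buf, vs)
            for ptag, ps, pe in children(buf, s, e):
                _, a, b, _ = tlv(buf, ps)
                if ptag == 0xA0:
                    out["name_type"] = uint(buf, a, b)
                elif ptag == 0xA1:
                    out["sname"] = "/".join(buf[x:y].decode() for _, x, y in children(buf, a, b))
        elif ctag == 0xA3:                      # [3] enc-part: { [0] etype, [1] kvno, [2] cipher }
            _, s, e, _ = tlv(buf, vs)
            for etag, es, ee in children(buf, s, e):
                _, a, b, declared = tlv(buf, es)
                if etag == 0xA0:
                    out["etype"] = uint(buf, a, b)
                elif etag == 0xA1:
                    out["kvno"] = uint(buf, a, b)
                elif etag == 0xA2:
                    out["cipher_declared"] = declared   # bytes the KDC sent
                    out["cipher_present"] = b - a       # bytes that survived the paste
    return out


def parse_gss_ap_req(b64):
    """Cleartext fields of a GSS-API InitialContextToken ([APPLICATION 0] { OID, 0x0100, AP-REQ })."""
    buf = decode_lenient(b64)
    info = {}
    tag, p, _, _ = tlv(buf, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, os_, oe, _ = tlv(buf, p)                 # mechanism OID
    info["mech"] = decode_oid(buf[os_:oe])
    info["token_id"] = buf[oe:oe + 2].hex()     # 0100 = KRB_AP_REQ
    _, p, _, _ = tlv(buf, oe + 2)               # [APPLICATION 14] AP-REQ
    _, p, send, _ = tlv(buf, p)                 # SEQUENCE
    for ctag, vs, ve in children(buf, p, send):
        if ctag == 0xA2:                        # [2] ap-options BIT STRING; byte 0 = unused-bit count
            _, s, e, _ = tlv(buf, vs)
            info["mutual_required"] = bool(uint(buf, s + 1, e) & 0x20000000)  # bit 2 (RFC 4120)
        elif ctag == 0xA3:                      # [3] ticket; the paste ends inside it
            info.update(parse_ticket(buf, vs, ve))
            break
    return info


def acceptor_requirements(info):
    """The keytab entry the Java GSS acceptor needs; compare with `klist -k -e <keytab>`."""
    etype = info["etype"]
    return (f"{info['sname']}@{info['realm']} kvno={info['kvno']} "
            f"etype={etype} ({ETYPE_NAMES.get(etype, 'unknown')})")


if __name__ == "__main__":
    fields = parse_gss_ap_req(AUTH_B64)
    print(fields)
    print("keytab must contain:", acceptor_requirements(fields))
```

For this paste it reports `xmpp/openfire.mc.gov.pl@MC.GOV.PL kvno=5 etype=23 (rc4-hmac)` with mutual authentication requested, so Spark asked for a ticket to the same principal that gss.conf names. What remains to compare is whether `klist -k -e` on xmpp.keytab lists that principal with kvno 5 and an rc4-hmac key; a keytab holding a different kvno, or only AES keys for a ticket the KDC encrypted with RC4, cannot be used to decrypt this ticket.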

With 2.8.0 this is important: SSO (Single Sign On) configuration changes since Spark 2.8.0

Also, this looks like a more up-to-date manual: How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2