Openfire with Single Sign ON on Linux in Windows environment

Hi,

i’ve set up an Openfire 3.4.4 Server on a Linux machine, the authentication is over Active Directory, the database with the rest is mysql.

So now i tried to setup SSO following http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerbero s this Document.

And here the trouble begins:

1. Kerberos Config

The example says:

ktpass -princ xmpp/zeus.example.com@EXAMPLE.COM -mapuser xmpp-zeus.example.com -pass password -out jabber.keytab

• Ok: let’s say my server is named sbyblablub.bla.company.com

• a CNAME named jabber.bla.company.com points to the one above

• username in ad is: blajabber

so how must be the ktpass line?

ktpass -princ blajabber/jabber.bla.company.com@BLA.COMPANY.COM -mapusers blajabber -pass password -out jabber.keytab

i think it should be correct, but i’m absolutely not sure about what comes before the ‘/’

2. Openfire Config

i configured openfire as described in the document. But i’m not sure about some things:

• where do i have to put the the sasl part

• where do i have to put the the authorization part

what i did:

<provider>

• <authorization>+

•  <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</cl assList>+
  

• </authorization>+

• <vcard>+

•  <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className >+
  

• </vcard>+

• <user>+

•  <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className& gt;+
  

• </user>+

• <auth>+

•  <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className& gt;+
  

• </auth>+

• <group>+

•  <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className >+
  

• </group>+

• </provider>+

And put the sasl block just before.

So the questions are:

• is that right?

• how can i check if the server provides the new authentication method

is it necessary that the debug log shows: JettyLog: Ignoring extra content {}

i hope you have some ideas

p.s sorry for the english

The trouble begins with the fact that Openfire does not honor CNAME. It needs to be named the same as the a record or AD bind name of the machine.

1. it needs to be xmpp/sbyblablub.bla.company.com

2. sasl goes before the database section. your authorization edits should be ok where they are.

you mean the

xmpp.domain value hast not to be jabber.bla.company.com, so it hast so be sbyblablub.bla.company.com?

i’ve moved the sasl befoe the the section and restarted.

do you know how i can check if the server provides the sasl auth to the client?

I have tried on several servers to get SSO to work with CNAME but with no luck. I have always had to use the FQDN of the server asa it is bound to AD. Short of trying to login via SSO I do not know of another test.

Hi,i changed a lot of things, moved accoounts to test environment etc.So now, the kinit and klist on the machine where openfire runs on show the expected output.Clienst also get their tgt and so on.As you could imagine, sso doesn’t work, i get the foloowing eror (warn):

2008.02.28 11:04:56 SaslException

•           javax.security.sasl.SaslException:
  

GSS initiate failed [Caused by GSSException: Failure unspecified at

GSS-API level (Mechanism level: Invalid argument (400) - Cannot find

key of appropriate type to decrypt AP REP - DES CBC mode with MD5)]+

•           at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java :159)+
  

•           at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :229)+
  

•           at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)+
  

•           at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)+
  

•           at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)+
  

•           at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:173)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)+
  

•           at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)+
  

•           at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)+
  

•           at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)+
  

•           at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 650)+
  

•           at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675) +
  

•           at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51) +
  

•           at java.lang.Thread.run(Thread.java:595)+
  

•           Caused
  

by: GSSException: Failure unspecified at GSS-API level (Mechanism

level: Invalid argument (400) - Cannot find key of appropriate type to

decrypt AP REP - DES CBC mode with MD5)+

•           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)+
  

•           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)+
  

•           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)+
  

•           at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java :137)+
  

•           ... 18 more+
  

•           Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5+
  

•           at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)+
  

•           at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)+
  

•           at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.jav a:79)+
  

•           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)+
  

•           ... 21 more+
  

I created the keytab with a command like the following:<code>ktpass -princ xmpp/jabber.test-domain.local@TEST-DOMAIN.LOCAL -pass password -mapuser xmpp-openfire -out xmpp.keytab -ptype KRB5_NT_PRINCIPAL</code>When i use kinit, i have to type a password? could this be a problem caus the server does’nt do that?Or is it only that i’ve created the keytab wrong or the config or…I’m also not sure about that config:

+<provider>     <authorization> *<classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>*     </authorization>      <vcard>       <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>     </vcard>      <user>       <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>     </user>      <auth>       <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>     </auth>      <group>       <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>     </group>   </provider>+

The bold i what i’ve addedin [http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerbero s] there are different types of the line described:

The Lazy provider has a different name in the different versions of Openfire, as the logic changes.

Openfire Versions

Provider Names

3.3.0 and prior

LazyAuthorizationProvider

3.3.1 and later

LooseAuthorizationProvider

I’m running 3.4.4 so what’s to choose here?I hope you have some ideas !http://www.igniterealtime.org/community/images/emoticons/wink.gif!

edit:

by the way i searched through the java doc for the gss.conf file:

From the Docu:

storeKey=true useTicketCache = true doNotPrompt=true;;

This is an illegal combination since <code>storeKey</code> is set to

true but the key can not be obtained either by prompting the user or from

the keytab.A configuratin error will occur.

keyTab = < filename > doNotPrompt=true ;

This is an illegal combination since useKeyTab is not set to true and

the keyTab is set. A configuration error will occur.

so that’s an conflict or?

ok i solved the problem:

i changed the keytype to des-md5, the standard rc4 could not be handled from java without modification

for DES add to the command line a -crypto DES-CBC-MD5

that’s it