PKI with Openfire and IIS

I am running Sparkweb from IIS and also plan to deploy the regular Spark client to some of my user base. If I implement PKI on Openfire my Spark users should have no issues. I was wondering if anyone knows what will happen to my SparWeb users if they PKI thru IIS then try to connect to Openfire that also requires PKI? Currently Sparkweb can not PKI directly to Openfire.


Openfire can present multiple authentication options to the client, which the client will then choose the most preferred method. As long as Openfire is configured to allow authentication via EXTERNAL and some other password based scheme, such as PLAIN or whatever (that SparkWeb supports), both will function fine.

Lets break down all the parts:

Openfire server: Accepts connections via XMPP and HTTP. Either connection can use SSL/TLS for encryption, and can be configured to require/request a client certificate. Presence of a client certificate does NOT equate to authentication. The authentication happens with SASL, where Openfire will present the client with options such as PLAIN, CRAM-MD5, GSSAPI, EXTERNAL, etc. What it presents is configurable. Use of EXTERNAL requires a client certificate be presented.

Spark (or other “thick” client): Makes the connection via XMPP. Can provide a user certificate if configured to do so. Will use EXTERNAL authentication if Openfire advertises it and a client cert is used.

Web server: Where SparkWeb is downloaded from. Note: The only part IIS has to play here is when the user obtains a client.

SparkWeb: A flash application that makes a connection to the Openfire server via http. This runs on the user’s PC, not on IIS. When making http connections, the browser is used, so any requests from Openfire to use a client certificate will be dealt with by the browser, transparent from SparkWeb. SparkWeb does NOT know about the EXTERNAL authentication mechanism, so it will never use that option, and will use normal password based authentications.

This means you have a semi-PKI solution. The connection to Openfire from SparkWeb can be secured using PKI, but the authentication will not use it. At some point I hope to get a SparkWeb version that at least understands the EXTERNAL auth method so it can use it if told to.