Spark 2.5.3.beta1+Openfire 3.3.1+AD SSO

Yes, it does work. It's a bit of a PITA right now, though. I'll write up what you need to do here, but please keep in mind I personally don't have time to go one on one with people to fix their problems. For that reason, if you understand how all this works, please try to help out others. Support is still very beta, so if it doesn't work for you, please describe your setup as completely as possible (in a separate post, please) with complete error messages, including turning on debugging everywhere.

And before we get flooded with suggestions to automate all this, we are planning on doing that. It's just a matter of implementation time and working out a few kinks along the way. There are lots of hard-coded things in this setup, which is not good. We are working on the correct solution, which can take some time.

Openfire Setup:

Note: You need to know what realm you belong to, and what your KDC is before starting this. You need to know the fully qualified domain name (fqdn) of the server openfire is running on. You will also need to have administrative access to AD.

First, install the “Support Tools”. These are on the install media, or can be downloaded:

Win2k3: http://support.microsoft.com/kb/892777

WinXP: http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Create an AD user for openfire authentication. I named it xmpp-openfire. It doesn't need to be any special user, but I've not played with the various restrictions that could be done to it. The user's password and account should never expire, because if they do openfire will stop authenticating users.

Next, you are going to create a “service principal” for openfire using the user you just created. The service principal will be:

xmpp/fqdn.of.openfire.server@YOUR.REALM

So the command you will run is this:

ktpass -princ xmpp/fqdn.of.openfire.server@YOUR.REALM -mapuser xmpp-openfire -pass password -out openfire.keytab

This will create the file openfire.keytab ("the keytab"). This file is sensitive: with it an attacker could cause harm to your network, so treat it that way, and don't transfer it over the network without encryption. Place this file on the openfire server. I put it in C:\Program Files\Openfire\conf but the actual location isn't too important (we will standardize a good location later).

You then need to make these changes to your openfire.xml:

path. Yes, it is the Unix style, Windows style will fail.

Next, create a new file in C:\Program Files\Openfire\config named gss.conf and put this in it:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="C:/Program Files/Openfire/conf/openfire.keytab" doNotPrompt=true useKeyTab=true realm="YOUR.REALM" principal="xmpp/fqdn.of.openfire.server@YOUR.REALM" debug=true;
};

That file is 3 lines, by the way, and yes the slashes go the wrong way again.

Next, you need to get the openfire.bat from subversion (it's not included in the release). You can download it here: http://www.igniterealtime.org/fisheye/browse/~raw,r=7872/svn-org/openfire/trunk/src/bin/openfire.bat

Put this in C:\Program Files\Openfire\bin

You need to change the two lines that say start "Openfire" "%JAVA_HOME%\bin\java" to start like this:

start "Openfire" "%JAVA_HOME%\bin\java" -Djava.security.krb5.kdc=your.ad.kdc.server -Djava.security.krb5.realm=YOUR.REALM

So all you really did was add two options that specify your KDC and your realm.

Then start openfire using that batch file.

Spark Setup:

You need to modify the registry to allow exporting the TGT for this to work. Modifying your registry is dangerous: if you don't know what you are doing, stop now and wait for more proper Spark support.

Depending on the OS, the setting is in a different location:

For Windows 2003 and Windows 2000 SP4:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: allowtgtsessionkey

Value Type: REG_DWORD

Value: 0x01 ( default is 0 )

Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\

Value Name: allowtgtsessionkey

Value Type: REG_DWORD

Value: 0x01

Then, get the startup.bat file from subversion. You can download it from here: http://www.igniterealtime.org/fisheye/browse/~raw,r=8331/svn-org/spark/trunk/src/resources/startup.bat and put this in C:\Program Files\Spark\bin

You will need to make the same modifications as you made to the openfire.bat file.

Start Spark using this batch file.

When it opens up, assuming you don't have autologin enabled, click on the advanced button, go to the SSO tab, click on "Use Single Sign-On" and put your server in the box. Click on OK, then click on login.

Good luck!
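A check worth running before starting openfire, as an added example written for this thread (not code from the post, Openfire or ktpass): read the keytab ktpass produced and confirm it actually contains the principal named in gss.conf, and flag any entries using DES encryption types, which are weak. It assumes the MIT version 2 keytab layout (magic 0x0502) that ktpass writes; the sample keytab at the bottom is constructed in the code rather than taken from a real server.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}   # RFC 3961 numbers; DES types are weak

def _counted(buf, p):
    """Read a 16-bit length-prefixed string at offset p; return (text, new offset)."""
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a v2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        e, p = data[pos:pos + size], 2
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c)
        p += 8                              # skip name type and timestamp
        vno8, p = e[p], p + 1
        etype, klen = struct.unpack(">HH", e[p:p + 4])
        p += 4 + klen                       # step over the key material
        kvno = struct.unpack(">I", e[p:p + 4])[0] if p + 4 <= size else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos += size
    return entries

def check_keytab(data, principal):
    """Return (present, enctype names, weak enctype names) for `principal`."""
    names = [ENCTYPES.get(t, str(t)) for n, _, t in parse_keytab(data) if n == principal]
    return bool(names), names, [n for n in names if n.startswith("des")]

def build_entry(principal, kvno, etype, key):  # used only to construct sample input
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one RC4-HMAC entry for the principal used in the post.
SAMPLE = b"\x05\x02" + build_entry("xmpp/fqdn.of.openfire.server@YOUR.REALM", 3, 23, b"\x00" * 16)
```

To run it against a real file, pass `open("openfire.keytab", "rb").read()` and the exact principal string from gss.conf to `check_keytab`; a `False` first value means ktpass mapped a different name than the one Java will look for.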

Thanks for taking the time to write such a clear explanation.

It's 5.30pm here so I will wait until next week to try this.

cheers

Steve