Hi all,
I installed Openfire 3.6.4 on Windows Server 2008 R2 with MySQL, authenticating against an Active Directory domain at the Windows Server 2008 functional level. Everything is working fine except for (I suspect) authorization, since it appears Kerberos authentication is operating correctly. Interestingly though, PLAIN auth works fine.
Our AD domain name is (slightly redacted): corp.domain.net
Our xmpp.domain is: domain.net
The FQDN of the Openfire server is: xmpp.domain.net
C:\>nslookup xmpp.domain.net
Server: UnKnown
Address: 10.1.1.1 Non-authoritative answer:
Name: xmpp.domain.net
Address: 204.93.XXX.XXX C:\>nslookup 204.93.XXX.XXX
Server: UnKnown
Address: 10.1.1.1 Name: xmpp.domain.net
Address: 204.93.XXX.XXX
We are using Pidgin 2.7.4 on Windows 7 on the client side. Kerberos for Windows 3.2.2 is installed.
On both the server and the clients, the contents of our C:\WINDOWS\krb5.ini is:
[libdefaults]
default_realm = CORP.DOMAIN.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
CORP.DOMAIN.NET = {
kdc = corp.domain.net
admin_server = corp.domain.net
default_domain = corp.domain.net
}
[domain_realms]
corp.domain.net = CORP.DOMAIN.NET
.corp.domain.net = CORP.DOMAIN.NET
.domain.net = CORP.DOMAIN.NET
[libdefaults]
default_realm = CORP.DOMAIN.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac [realms]
CORP.DOMAIN.NET = {
kdc = corp.domain.net
admin_server = corp.domain.net
default_domain = corp.domain.net
} [domain_realms]
corp.domain.net = CORP.DOMAIN.NET
.corp.domain.net = CORP.DOMAIN.NET
domain.net = CORP.DOMAIN.NET
.domain.net = CORP.DOMAIN.NET
The Kerberos principal name is xmpp/xmpp.domain.net and it is mapped to a user called openfire-krb in Active Directory.
C:\>setspn -L openfire-krb
Registered ServicePrincipalNames for CN=Openfire Server (Kerberos),OU=Service Ac
counts,OU=Administrative,OU=Organizations,DC=corp,DC=domain,DC=net:
xmpp/xmpp.domain.net@CORP.DOMAIN.NET
When I attempt to login with a blank password in Pidgin (which implicitly tries GSSAPI if it is available), I see valid tickets appear in KfW Network Identity Manager for the following service names:
xmpp/xmpp.domain.net@
xmpp/xmpp.domain.net@CORP.DOMAIN.NET
I also turned off SSL on the Openfire server and dumped the line level traffic, but didn’t find any problems. I’m showing just L7 data below, obviously, and I redacted the GSSAPI string… but if it is needed I can PM it. I did examine it though at a cursory level; it appeared to send the correct principal name, realm etc. I didn’t verify it was sending the right ticket because I didn’t have a tool to fully decode it.
Client:64696 -> Server:5222 <?xml version='1.0' ?>
<stream:stream to='domain.net' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'> Server:5222 -> Client:64696 <?xml version='1.0' encoding='UTF-8'?>
<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.net" id="d36f9b4f" xml:lang="en" version="1.0">
<stream:features>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>
GSSAPI
</mechanism>
<compression xmlns="http://jabber.org/features/compress">
<method>
zlib
</method>
</compression>
<auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features> Client:64696 -> Server:5222
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>
YIIF+AY###REDACTED###qNr
</auth> Server:5222 -> Client:64696
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized/>
</failure>
Meanwhile, the following is outputted to the server console indicating no errors… in fact, indicating success. I zero’d out the encryption key below:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files (x86)/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/xmpp.domain.net@CORP.DOMAIN.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/xmpp.domain.net@CORP.DOMAIN.NET
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Added server's keyKerberos Principal xmpp/xmpp.domain.net@CORP.DOMAIN.NETKey Version 6key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [Krb5LoginModule] added Krb5Principal xmpp/xmpp.domain.net@CORP.DOMAIN.NET to Subject
Commit Succeeded
Also meanwhile, the Openfire server had a successful AS-REQ/AS-REP exchange:
Openfire Server:50000 -> ADC:88 Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Client Name (Principal): xmpp/xmpp.domain.net
Name-type: Principal (1)
Name: xmpp
Name: xmpp.domain.net
Realm: CORP.DOMAIN.NET
Server Name (Service and Instance): krbtgt/CORP.DOMAIN.NET
Name-type: Service and Instance (2)
Name: krbtgt
Name: CORP.DOMAIN.NET
till: 1970-01-01 00:00:00 (UTC)
Nonce: 1287650748
Encryption Types: rc4-hmac
Encryption type: rc4-hmac (23) ADC:88 -> Openfire Server:50000 Pvno: 5
MSG Type: AS-REP (11)
Client Realm: CORP.DOMAIN.NET
Client Name (Principal): xmpp/xmpp.domain.net
Name-type: Principal (1)
Name: xmpp
Name: xmpp.domain.net
Ticket
Tkt-vno: 5
Realm: CORP.DOMAIN.NET
Server Name (Service and Instance): krbtgt/CORP.DOMAIN.NET
Name-type: Service and Instance (2)
Name: krbtgt
Name: CORP.DOMAIN.NET
enc-part aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
Kvno: 2
enc-part: ###REDACTED###
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 6
enc-part: ###REDACTED###
Finally, Openfire wrote pretty much nothing to any of the logs (even with the debug log enabled), except for the following to the Info log:
2010.10.21 04:01:49 User Login Failed. Failure to initialize security context
To round things off, here are the relevant server properties that I know of in Openfire:
xmpp.domain: domain.net
xmpp.fqdn: xmpp.domain.net
sasl.realm: CORP.DOMAIN.NET
sasl.mechs: GSSAPI
sasl.gssapi.useSubjectCredsOnly: false
sasl.gssapi.debug: true
sasl.gssapi.config: C:\Program Files (x86)\Openfire\conf\gss.conf
And my gss.conf file:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="CORP.DOMAIN.NET"
principal="xmpp/xmpp.domain.net@CORP.DOMAIN.NET"
debug=true;
};
And finally, here’s what I ran to create the SPN and the keytab:
C:\>setspn -A xmpp/xmpp.domain.net@CORP.DOMAIN.NET openfire-krb
Registering ServicePrincipalNames for CN=Openfire Server (Kerberos),OU=Service Accounts,OU=Administrative,OU=Organizations,DC=corp,DC=domain,DC=net
xmpp/xmpp.domain.net@CORP.DOMAIN.NET
Updated object C:\>ktpass -princ xmpp/xmpp.domain.net@CORP.DOMAIN.NET -pass * -mapuser openfire-krb@corp.domain.net -out xmpp.keytab -ptype KRB5_NT_PRINCIPAL -crypto rc4-hmac-nt Targeting domain controller: CHI-ADC-P-03.corp.domain.net
Successfully mapped xmpp/xmpp.domain.net to openfire-krb.
Type the password for xmpp/xmpp.domain.net:
Type the password again to confirm:
Password succesfully set!
Key created.
Output keytab to xmpp.keytab:
Keytab version: 0x502
keysize 79 xmpp/xmpp.domain.net@CORP.DOMAIN.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (###REDACTED###)
So… I’m pretty much at a loss.
From my vantage point, the evidence points to a bug in the Openfire authorization logic, but who knows…
Thanks!
Joe