Sso + ad

salvatore.borrelli · October 11, 2007, 9:41am

this is my situation

openfire runnin on linux ubuntu. (started by root user)
KDC server running on windows 2000 server named teldc01.DOMINIO.INT

this is the gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=<b>true</b>
keyTab="/opt/openfire/resources/feapache01.keytab"
doNotPrompt=<b>true</b>
useKeyTab=<b>true</b>
realm="DOMINIO.INT"
principal="xmpp/feapache01.dominio.int@DOMINIO.INT"
debug=<b>true</b>;
};

in openfire.xm i have added

<!-- sasl configuration -->
<sasl>
    <!-- Include a comma-separated list of the authentication mechanisms
        to advertise support <b>for</b> to clients. Make sure GSSAPI is listed,
        and best <b>if</b> it's listed first. The order of mechanisms is important;
        clients should <b>try</b> to use the first mechanism they support
        (although not all will). Some clients will <b>try</b> to use the most
        secure first.         You can add other mechanisms in order to support non-GSSAPI clients,
        or clients who cannot authenticate to the realm (like Windows 9X,
        off-site, and so on). Keep in mind that by allowing other mechanisms
        you are compromising the security of your realm. Be sure to talk
        to the Security Officer/Directory/Manager/Administrator about any
        policies your organization might have before enabling less secure
        mechanisms. By removing PLAIN and ANONYMOUS from the list, you will
        also disable non-SASL authentications.         Keep in mind that a mechanism listed here might not actually be
        advertised, such as when the authProvider can't support the mechanism.
        PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication
        (the old style XMPP auth), so removing them from <b>this</b> list will
        disallow non-SASL authentication. -->
    <mechs>GSSAPI</mechs>
    <!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->     <!-- Specify the realm you used when you created the service principal
        and keytab.-->
    <realm>DOMINIO.INT</realm>     <!-- Mechanism-specific configuration here -->
    <gssapi>         <!-- Use <b>true</b> to turn on debugging information. This adds a lot
            of noise to your log files, but it can help you spot problems
            sooner in the initial setup. -->
        <debug>true</debug>         <!-- Specify the location of the GSSAPI configuration file you edited. -->
        <config>/opt/openfire/conf/gss.conf</config>         <!-- Sets the system property with the same name. You'll probably want
            "false" here (the <b>default</b>). For more details, see
            [http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html] -->
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl> <provider>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
<authorization>
        <classList>org.jivesoftware.openfire.sasl.LazyAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
        <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy-->
    </authorization>
  </provider>

if try a kinit of user root it seems to work

klist output

root@FeApache01:/opt/openfire/conf# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@DOMINIO.INT Valid starting     Expires            Service principal
10/10/07 17:15:08  10/11/07 03:15:01  krbtgt/DOMINIO.INT@DOMINIO.INT renew until 10/11/07 17:15:08 Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

i’ve created the keylist using

ktpass -princ xmpp/feapache01.dominio.int@DOMINIO.INT -mapuser root -pass PASSWORD -out feapache01.keytab

on the AD server running as a DomainAdmins (i have created a user named root yet on the AD domain)

when i try to use spark i’ve the errore message

“unable to connect using Single Sign-On. Please check your principal and server settings”

any suggestion??

p.s.

sorry for my english

Jay · October 11, 2007, 1:54pm

What version of Openfire? What you have listed for the authorization provider may not be correct. Read SSO Configuration and make sure you use the correct provider. Recent versions require using org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy . If you are using an older version or a nightly build it is different.

Also, do you see any errors in your openfire logs?

salvatore.borrelli · October 11, 2007, 2:43pm

Openfire

3.3.3…i have changed the provider but nothing change.

help

salvatore.borrelli · November 5, 2007, 8:08am

no one??

please help me

Jay · November 8, 2007, 3:06pm

Are you getting any errors in your log files?

Jason_Streit · November 8, 2007, 3:36pm

make sure you do the registry change on both the server and client pc…

On Windows 2003 and Windows 2004 SP4 and later:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsaKerberosParameters

Value Name: allowtgtsessionkey

Value Type: REG_DWORD

Value: 0x01 ( default is 0 )

On Windows XP SP2 and later:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsaKerberos

Value Name: allowtgtsessionkey

Value Type: REG_DWORD

Value: 0x01

also make sure you have the krb5.ini file in the windows directory on both the server and the client pc.

Jay · November 8, 2007, 3:40pm

The registry change is only needed for the client, not the server. As I mentioned in another discussion, if you wish to use Spark on the server to test things, then you will need to make the registry change on the server (but only because it is acting in the capacity of a client)

Jason_Streit · November 8, 2007, 3:42pm

it seemed to help my case… but maybe it was just placebo effect.

salvatore.borrelli · November 8, 2007, 3:45pm

this is my error log

2007.11.08 17:07:21 org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandle r.java:134) Closing connection due to error while processing message:

java.util.NoSuchElementException

at java.util.StringTokenizer.nextToken(StringTokenizer.java:332)

at org.jivesoftware.openfire.net.SASLAuthentication.doPlainAuthentication(SASLAuth entication.java:442)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :202)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:176)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 885)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)

at java.lang.Thread.run(Thread.java:619)

reg change are yet make

salvatore.borrelli · November 13, 2007, 7:04am

no one can help me?

Jay · November 13, 2007, 3:54pm

Do you have any errors in the log files in Spark?

NO_MESSAGES_OR_FRIEN · November 13, 2007, 4:03pm

Maybe try expanding your authentication mechs. You currently have:

<mechs>GSSAPI</mechs> Try moe options, like:

<mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL</mechs>

NO_MESSAGES_OR_FRIEN · November 13, 2007, 4:05pm

There could also be an error with the keytab file you generated. Do you have the user “root” in your domain? You should probably create a user specific for this task in the domain. Then recreate the keytab.

Jay · November 13, 2007, 4:17pm

Adding the other options will allow logins to work, but it wont fix the SSO issues. In fact, it can make it a little harder to figure out what is going on since a login might succeed and you dont know how it happened without looking at the logs. I guess it depends on the priorities- if you need to have logins working then yes, enable PLAIN and/or the others

salvatore.borrelli · November 19, 2007, 8:29am

nothing change with new mechs tag. The keytab?? what’s the exact procedure to do??

tnx

NO_MESSAGES_OR_FRIEN · November 19, 2007, 1:55pm

I was looking at your keytab config, and it shows that you used the username root in its creation. Is root a valid user in your Domain. You need create the keytab using a Domain account. i created a new domain account specifically for this task.

The other possibility is that the Openfire server is not listed in you Domain DNS correctly.

salvatore.borrelli · November 19, 2007, 3:26pm

the user root exist on my AD domain and the dns is ok