SSO troubleshooting... again

Hi all,

First of all, I am new to Spark/Openfire, but I have gotten quite familiar with the product over the last few days. I am currently doing a pilot installation where SSO is one of the main requirements. However, like many others, I have problems getting the SSO part to work.

The warn.log in Spark throws the following error:

20.feb.2014 10:12:04 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

The setup is as follows:

Domain controller: Windows Server 2008 SP2 in native mode (hostname: th-snd-vmdc01.th.local)
Openfire server: Windows Server 2008 R2 64 bit (hostname: th-snd-vmim01.th.local)
Client: Windows 7 64 bit
Domain: th.local

All servers have a DNS record and a corresponding PTR record.

This is what I have done:

1. Created 2 AD accounts, openfire and xmpp-openfire: one for LDAP lookups and one for key mapping.

2. SPN and key mapping:

    setspn -A xmpp/th-snd-vmim01.th.local@TH.LOCAL xmpp-openfire
    ktpass -princ xmpp/th-snd-vmim01.th.local@TH.LOCAL -mapuser xmpp-openfire -pass * -ptype KRB5_NT_PRINCIPAL
    ktab -k xmpp.keytab -a th-snd-vmim01.th.local@TH.LOCAL

3. I tested the key created above, and it returns nothing (which according to the docs means everything is OK):

    kinit -k -t xmpp.keytab th-snd-vmim01.th.local@TH.LOCAL "password"

4. Copied xmpp.keytab to ~\Openfire\resources

5. Created gss.conf in ~\Openfire\conf:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:\Program Files (x86)\Openfire\resources\xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="TH.LOCAL"
        principal="xmpp/th-snd-vmim01.th.local@TH.LOCAL"
        debug=true;
    };

6. Added the following entries to the system properties:

    sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
    sasl.gssapi.debug false
    sasl.gssapi.useSubjectCredsOnly false
    sasl.mechs GSSAPI
    sasl.realm TH.LOCAL
    xmpp.domain th-snd-vmim01.th.local
    xmpp.fqdn th-snd-vmim01.th.local

7. Created krb5.ini and added it to the Windows directory on both server and client:

    [libdefaults]
    default_realm = TH.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    [realms]
    TH.LOCAL = {
        kdc = th-snd-vmdc01.th.local
        admin_server = th-snd-vmdc01.th.local
        default_domain = TH.LOCAL
    }

    [domain_realm]
    .th.local = TH.LOCAL
    th.local = TH.LOCAL

8. Added the registry key AllowTGTSessionKey (DWORD value 1) under HKLM\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters on both server and client.

9. Added a group policy for Kerberos encryption on both client and server, and added all protocols.

Does anyone know what I am missing here?

Any input is highly appreciated,

Thanks

I managed to fix this myself after a few hours of struggling and moving the Openfire server to a Linux-based host. I will post my notes here shortly.

Please post your notes when you can. :slight_smile:

Here is the complete list of tasks I performed to get SSO up and running. As mentioned, I tried this first with Openfire installed on Windows Server 2008 R2, but gave up and moved to Linux instead.

Here is my setup:

Openfire server: openSUSE 13.1 32-bit, 2 GB RAM (th-snd-vmim01)
2 domain controllers: Windows Server 2008 R2 (th-snd-dc01 and th-snd-vmdc01) - realm: th.local
Windows 7 Professional 64-bit clients

First create 2 users:

openfire - used for LDAP queries; set "password never expires"
openfire-xmpp - used for SSO; set "password never expires" and enable the "Do not require Kerberos preauthentication" option (you find it under "Account options" on the "Account" tab of the user account in AD)

— Steps on Openfire-server, part 1 —

1. Install MySQL through YaST.

2. Start MySQL:

    # /etc/init.d/mysql start

3. Initial install:

    # mysql_secure_installation

4. Create the database:

    # mysql -p
    mysql> create database openfiredb;
    mysql> grant all privileges on openfiredb.* to openfire identified by 'password';
    mysql> flush privileges;
    mysql> exit

5. Install samba-client from YaST.

6. Configure /etc/samba/smb.conf (here is a sample of my file):

    [global]
    workgroup = TH.LOCAL
    realm = TH.LOCAL
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    password server = th.local   # I have 2 domain controllers, so I entered the realm instead of just one host
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

7. Join the server to the domain:

    # net ads join -U administrator@TH.LOCAL
    administrator@TH.LOCAL's password:
    Using short domain name -- TH
    Joined 'th-snd-vmim01' to realm 'TH.LOCAL'

8. Install Openfire:

    # rpm -ivh openfire-3.9.1-1.i386.rpm

9. Start Openfire:

    # /etc/init.d/openfire start

— Steps on your workstation, part 1 —

1. Open a browser (e.g. Mozilla Firefox) and go to http://th-snd-vmim01:9090

2. Choose language (default English).

3. Type domain name: th-snd-vmim01.th.local

4. Choose "Standard Database Connection":

    Pick preset MySQL
    Replace [hostname] with localhost and [database-name] with openfiredb
    Type Username: openfire
    Type Password: password
    Press "Continue"

5. Profile, Step 1:

    Choose "Directory Server (LDAP)"
    Select Server Type: Active Directory
    Type Host: th.local
    Type Base DN: ou=MyBaseOU,dc=th,dc=local   # could be just dc=th,dc=local to get the whole AD tree
    Type Administrator DN (enter the full path to the user you have created): cn=openfire,ou=ServiceAccounts,ou=Users,ou=MyBaseOU,dc=th,dc=local
    Type Password: password (the password set for the openfire user created earlier)
    Save & Continue

6. For steps 2 & 3 do nothing, just move on.

7. Add Administrator account; it's any account in your Base DN. Type the administrator login and press Add. If all is successful, press "Continue".

8. Complete the wizard and log in to the Openfire Admin Console as the administrator user selected above. Go to the Users tab to verify that you are able to retrieve all user accounts.

— Steps on Openfire-server, part 2 —

1. Create krb5.conf in /etc/:

    [libdefaults]
    default_realm = TH.LOCAL

    [realms]
    TH.LOCAL = {
        kdc = th.local   # since I have 2 domain controllers, I use the realm instead of the actual host
        admin_server = th.local
        default_domain = TH.LOCAL
    }

    [domain_realm]
    .th.local = TH.LOCAL
    th.local = TH.LOCAL

2. Create gss.conf with the following content in /opt/openfire/conf:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/opt/openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="TH.LOCAL"
        principal="xmpp/th-snd-vmim01.th.local@TH.LOCAL"
        isInitiator=false
        debug=true;
    };

3. Change ownership of gss.conf to the user running Openfire, in my case daemon:

    # chown daemon:daemon /opt/openfire/conf/gss.conf

— Steps on domain controller —

If not already installed, install the JRE; I installed version 6.

1. Create the SPN for the Openfire server:

    C:\>setspn -A xmpp/th-snd-vmim01.th.local@TH.LOCAL xmpp-openfire

2. Map the openfire-xmpp user to the key (use the password you set for the user initially):

    C:\Program Files\Java\jre6\bin>ktpass -princ xmpp/th-snd-vmim01.th.local@TH.LOCAL -mapuser xmpp-openfire@th.local -pass password -ptype KRB5_NT_PRINCIPAL

3. Create the key file in the location you want:

    C:\Program Files\Java\jre6\bin>ktpass -princ xmpp/th-snd-vmim01.th.local@TH.LOCAL -mapuser xmpp-openfire@th.local -pass password -ptype KRB5_NT_PRINCIPAL -out C:\xmpp.keytab

4. Copy the key file to the Openfire server, into the folder /opt/openfire/resources.
— Steps on Openfire-server, part 3 —

1. Verify that Kerberos works:

    kinit -V administrator@TH.LOCAL
    Using existing cache: :/run/user/0/krb5cc/tkthhLiBX
    Using principal: administrator@TH.LOCAL
    Password for administrator@TH.LOCAL:
    Authenticated to Kerberos v5

2. Verify the key file:

    kinit -V -k -t /opt/openfire/resources/xmpp.keytab xmpp/th-snd-vmim01.th.local@TH.LOCAL
    Using new cache: :/run/user/0/krb5cc/tktM60oB1
    Using principal: xmpp/th-snd-vmim01.th.local@TH.LOCAL
    Using keytab: xmpp.keytab
    Authenticated to Kerberos v5

— Steps on your workstation, part 2 —

1. In the Openfire console, set the following system properties:

    sasl.gssapi.config /opt/openfire/conf/gss.conf
    sasl.gssapi.debug false
    sasl.gssapi.useSubjectCredsOnly false
    sasl.mechs GSSAPI
    sasl.realm TH.LOCAL
    xmpp.fqdn th-snd-vmim01.th.local
    xmpp.domain th-snd-vmim01.th.local

2. Add krb5.ini to all clients in the Windows directory with the following contents:

    [libdefaults]
    default_realm = TH.LOCAL

    [realms]
    TH.LOCAL = {
        kdc = th.local
        admin_server = th.local
        default_domain = TH.LOCAL
    }

    [domain_realm]
    .th.local = TH.LOCAL
    th.local = TH.LOCAL

3. Add the following registry key on all clients:

    HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
    Add DWORD value AllowTGTSessionKey = 1

    This requires a restart of the client host.

4. Start the Spark client, enter server name "th-snd-vmim01.th.local", click Advanced, open the SSO tab and enable SSO through GSSAPI.

5. Log in through SSO.

These are the steps I followed which made it work. Be sure to enter the realm in uppercase everywhere I have done so, and be sure that the keyfile validates correctly. I think these are the 2 most critical steps to get this up and running. Hope this guide was helpful!

Cheers!
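As an added check (not from the thread, and not something Openfire ships), the script below tests offline the two things the guide above calls the most critical: the realm being uppercase everywhere, and the keytab actually holding the principal that gss.conf names. It parses a JAAS-style gss.conf, rejects typographic quotes (they creep in when a config is pasted from a web page and are not valid quoting in Java's login configuration), checks that the realm is uppercase and that the principal has the service/host@REALM form with that same realm, and compares the principal against a `klist -k -t` listing. The sample gss.conf and klist output embedded in it are constructed here; the function names, the use of `klist -k -t` output as input and its assumed column layout are my assumptions, not anything the guide states.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the pieces the
# guide says are most often wrong (realm case, keytab/principal mismatch).
# The gss.conf and klist output below are constructed samples; on a real host
# point check_gss_conf at /opt/openfire/conf/gss.conf and at the output of
#   klist -k -t /opt/openfire/resources/xmpp.keytab > /tmp/klist.out

# conf_value KEY FILE: value of KEY=... in a JAAS block, quotes and ';' stripped.
conf_value() {
    grep "^[[:space:]]*$1=" "$2" | head -n 1 |
        sed 's/^[^=]*=//; s/[[:space:]]*$//; s/;$//; s/^"//; s/"$//'
}

# Kerberos realms are case-sensitive; AD issues tickets for the uppercase form.
check_realm_upper() {
    case "$1" in
        '' | *[[:lower:]]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# Service principal must be service/host@REALM, with REALM equal to realm=.
check_principal() {
    case "$1" in
        */*@"$2") check_realm_upper "$2" ;;
        *)        return 1 ;;
    esac
}

# Curly quotes (U+201C / U+201D) pasted from a web page are not JAAS quotes.
check_ascii_quotes() {
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
    if grep -q -e "$lq" -e "$rq" "$1"; then return 1; fi
    return 0
}

# The principal named in gss.conf must be one of the keys in the keytab
# listing, otherwise the acceptor has no key to decrypt service tickets with.
check_keytab_has_principal() {
    grep -qF -- " $1" "$2"
}

# check_gss_conf CONF KLIST_OUT: run all checks, report the first failure.
check_gss_conf() {
    conf="$1"; klist_out="$2"
    check_ascii_quotes "$conf" || { echo "FAIL: non-ASCII quotes in $conf"; return 1; }
    realm=$(conf_value realm "$conf")
    princ=$(conf_value principal "$conf")
    check_realm_upper "$realm" || { echo "FAIL: realm '$realm' must be uppercase"; return 1; }
    check_principal "$princ" "$realm" \
        || { echo "FAIL: principal '$princ' is not service/host@$realm"; return 1; }
    check_keytab_has_principal "$princ" "$klist_out" \
        || { echo "FAIL: '$princ' not found in keytab listing $klist_out"; return 1; }
    echo "OK: $princ and realm $realm are consistent with the keytab"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the working gss.conf from the guide, ASCII quotes only.
cat > "$tmp/gss.conf" <<'EOF'
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/opt/openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="TH.LOCAL"
    principal="xmpp/th-snd-vmim01.th.local@TH.LOCAL"
    isInitiator=false
    debug=true;
};
EOF

# Constructed sample of a klist -k -t listing for a keytab that matches.
cat > "$tmp/klist.out" <<'EOF'
Keytab name: FILE:/opt/openfire/resources/xmpp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 00:00:00 xmpp/th-snd-vmim01.th.local@TH.LOCAL
EOF

check_gss_conf "$tmp/gss.conf" "$tmp/klist.out"
```

A FAIL line names the first inconsistency, which is far cheaper to act on than the bare "SASL authentication GSSAPI failed: not-authorized" that Spark's warn.log shows when the server cannot accept the ticket; the ordering of the checks matches the order in which each problem would otherwise surface (unparsable config, wrong realm, wrong principal form, missing key).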