Wildfire 3 and Integrated Windows Authentication

Big thanks for the new plugin. Works fine with Pandion.

normanr wrote:

Hrm, I've just upgraded to Wildfire 3.0.1 (at work) today. Both Pandion, Psi, and the admin console

Do you have Psi working through SASL or uid/password?

Well, I found a problem. I didn't realize there was a difference between jive.provider.authorization and jive.provider.auth; I supposed they were the same and deleted jive.provider.auth. Now I have put it back and Wildfire is working as it should.

Thank you, normanr.

As far as I can figure out:

jive.provider.authorization provides authorization

jive.provider.auth provides authentication

This is all part of the: I'm authenticating as myself, but want authorization to use the 'sales' jabber account, or alternatively I'm authenticating as an admin, but want authorization to use Joe Blog's jabber account.

Tricky eh?

normanr wrote:

As far as I can figure out:

jive.provider.authorization provides authorization

jive.provider.auth provides authentication

That is correct. The original Wildfire code (and many, many other applications) didn't distinguish between authentication and authorization; it was one step. My code changes separated the functions out because Kerberos only does authentication, and the principals (Kerberos usernames) will never match the usernames. So the authorization code went in to provide the logic to have policy or mappings between principals and usernames. But I can't go back and change all the old code; the old "auth" references still stand, and mostly mean authentication. Ideally they should get renamed to "authentication", but that's not always easy to do.
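As an added illustration of that split (example code written for this page, not Wildfire's own Java code): the mechanism answers "which principal did Kerberos/NTLM vouch for?" and a separate policy answers "which local username may that principal act as?". The realm EXAMPLE.COM, the users alice/admin/joe/sales and the two policy classes are assumptions; in particular the classes are not a description of how Wildfire's StrictAuthorizationPolicy or DefaultAuthorizationPolicy behave.

```python
# Added example for this thread, not Wildfire code: authentication (which
# principal the SASL mechanism vouched for) and authorization (which local
# username that principal may act as) kept as two separate steps.
# Realm, user names and the policy classes below are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Principal:
    """Identity as reported by the SASL mechanism after authentication."""
    name: str
    realm: str  # Kerberos realm or NT domain, upper-cased for comparison


def parse_principal(raw: str) -> Principal:
    """Accept both spellings that appear in this thread:
    Kerberos 'user@REALM' and NTLM/SSPI 'DOMAIN\\user'."""
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
    else:
        user, sep, domain = raw.rpartition("@")
        if not sep:
            raise ValueError(f"unrecognised principal: {raw!r}")
    if not user or not domain:
        raise ValueError(f"unrecognised principal: {raw!r}")
    return Principal(user, domain.upper())


class SameNamePolicy:
    """Principal may act only as the local user with the same name, and only
    when it comes from the server's own realm/domain: a ticket for
    alice@OTHER.COM must not unlock the local 'alice'."""

    def __init__(self, realm: str):
        self.realm = realm.upper()

    def authorize(self, principal: Principal, username: str) -> bool:
        return (principal.realm == self.realm
                and principal.name.lower() == username.lower())


class MappingPolicy:
    """SameNamePolicy plus an explicit grant table, for the two cases the
    thread describes: a user allowed to use a shared 'sales' account, and an
    admin allowed to use someone else's account."""

    def __init__(self, realm: str, grants: Dict[str, Set[str]]):
        self.base = SameNamePolicy(realm)
        self.grants = {p.lower(): {u.lower() for u in users}
                       for p, users in grants.items()}

    def authorize(self, principal: Principal, username: str) -> bool:
        if self.base.authorize(principal, username):
            return True
        key = f"{principal.name}@{principal.realm}".lower()
        return username.lower() in self.grants.get(key, set())


def sasl_login(authcid: str, authzid: str, policy) -> Optional[str]:
    """authcid: the principal the mechanism authenticated (never a plain local
    username once a realm is involved). authzid: the username the client asks
    to act as; SASL allows it to be empty, meaning 'same name as the principal'.
    Returns the granted local username, or None when authorization fails."""
    principal = parse_principal(authcid)
    requested = authzid or principal.name
    return requested.lower() if policy.authorize(principal, requested) else None


# Constructed configuration for the demo (not a real deployment).
POLICY = MappingPolicy("EXAMPLE.COM", {
    "alice@EXAMPLE.COM": {"sales"},   # alice may also log in as 'sales'
    "admin@EXAMPLE.COM": {"joe"},     # admin may act as Joe's account
})

if __name__ == "__main__":
    for authcid, authzid in [("alice@EXAMPLE.COM", ""),
                             ("alice@EXAMPLE.COM", "sales"),
                             ("alice@EXAMPLE.COM", "joe"),
                             ("EXAMPLE.COM\\admin", "joe"),
                             ("EXAMPLE\\admin", "joe"),
                             ("alice@OTHER.COM", "alice")]:
        granted = sasl_login(authcid, authzid, POLICY)
        print(f"{authcid:20} as {authzid or '(self)':7} -> {granted}")
```

The last two cases are the ones that bite in practice: a domain spelled differently from the configured realm ("EXAMPLE" versus "EXAMPLE.COM") or a principal from another realm is refused even though the bare username matches, because the realm is part of the identity, not decoration.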

What clients may work through SASL with your Wildfire plugin? I tried Pandion, Psi, Exodus and Miranda.

Only Pandion works.

So far only Pandion supports NTLM. I think Gaim supports GSSAPI, and Spark 1.2 should support GSSAPI too. Java 1.6 will make GSSAPI work without messing around with keytabs, which is also a good thing™ - beta 2 is out, and should support it.

Java 6 will still need keytabs for Kerberos GSSAPI (that is how Kerberos works), but SPNEGO GSS should be implemented, meaning it can take advantage of the system credentials automagically, hopefully.

The big advantage will be getting away from single DES encryption and allowing things like AES256. But one improvement is supposedly native GSS integration, meaning it will use the Kerberos libraries on the system instead of Java's own implementation. This is good, as it will reduce incompatibilities. I've heard rumour that it will only happen for Solaris, though.

Gaim 1.5 doesn't do GSSAPI natively, but there are patches out there for it. Gaim 2.0 uses more generic SASL libraries, which can then in turn use GSSAPI.

Thank you for the answers.

I see that Pandion is the only way. It's a nice client and it can be easily spread in my network. But it needs IE 5.5 and I would have to upgrade many client computers. That's why I was asking for something else.

Hi

I'm not sure I fully understand what is available:

Version 3 of Wildfire has "Added support for Kerberos/NTLM" in its changelog.

What is really inside? GSSAPI, GSS-SPNEGO, or full SASL which provides GSSAPI?

Out-of-the-box experience: no enhancements.

Configuration changes: support for Java's GSSAPI implementation.

Add my Sasl Mechanisms Plugin: support for any SASL mechanism that Java knows about.

Add my Sasl-SSPI bridge: support for any SSPI mechanism that Windows knows about (NTLM tested, Kerberos untested - 50% chance of it working).

Has anything changed in version 3.1 regarding authentication?

I had the integrated authentication working fine on 3.0.1 with Pandion, but it stopped working after I updated to 3.1.

I can see all my users in the admin console and I can log in with Pandion through the regular login, but not with my Windows authentication.

I don't know if the new changes in the way Wildfire handles LDAP are creating a problem.

Any input?

I noticed that when I upgraded from 2.6 to 3.0 the SASL bridge stuff was uninstalled (by the Wildfire upgrade process). So I just re-installed it and it was happy again. This is due to the places that the config entry hooks in, etc. Creating a more 'robust' super-plugin that can withstand upgrades is on my todo list, but it's not urgent, because the plugin can always be re-installed manually.

I did a clean install of 3.1 and reinstalled the plugin and it started working again. I also downloaded V5 of the plugin, since I was using V4 previously.

I'm sorry I'm coming into this thread late and didn't understand some of the acronyms earlier on.

I installed Wildfire 3.10 on a Windows 2000 box and we have it talking to our win2k3 AD through LDAP.

How do I go about getting Pandion to connect using NTLM?

Is it a Wildfire plugin?

Thank you,

Mark

The easiest is to grab the sasl-sspi stuff from http://norman.rasmussen.co.za/dl/sasl-sspi/. Follow the install instructions (you'll need to re-install it if you upgrade). It uses a few separate parts to make everything work: the sasl-sspi bridge (Java jar, native C DLL, and a JRE config change), a Wildfire SASL plugin, and a Wildfire config change.

First, thank you. I got the plugin, installed the files and made the changes to my wildfire.xml and java.security. I restarted the Wildfire service and I am still able to log on using the user name and password, but when I change to "Integrated Windows Authentication" I'm not sure what to put in to make a successful logon.

I apologize for sounding like I have no idea what I'm doing, but…

Is there something else I need to do in the Wildfire admin web page?

Thanks again,

Mark

So if your JID is user@server.com, then you type in server.com in Pandion.

That's what I thought, but my JID is mshellard@u1, technically, I think.

I use mshellard to log in to the web admin page.

The name of the computer that Wildfire is installed on is u1 and the domain is cbi-inet.com.

When I put in either u1, u1.cbi-inet or u1.cbi-inet.com, I just get booted off the server with "unknown user name".

I saw a PDF that mentioned doing something with a file called XMPPOnStream.js, but I didn't understand what to do with it. Do I still need to do something with it in Pandion 2.5?

Here is my wildfire.xml. Could you please take a look and see if I edited it correctly?

Thanks a ton,

Mark



(Only the element values of the posted wildfire.xml survived; the enclosing element names are missing.)

    cn
    mail
    cn
    member
    description
    false
    (objectClass=group)
    org.jivesoftware.wildfire.ldap.LdapVCardProvider
    org.jivesoftware.wildfire.ldap.LdapUserProvider
    org.jivesoftware.wildfire.ldap.LdapAuthProvider
    org.jivesoftware.wildfire.ldap.LdapGroupProvider
    org.jivesoftware.wildfire.sasl.StrictAuthorizationPolicy
    org.jivesoftware.wildfire.sasl.DefaultAuthorizationPolicy
    true

This is wrong (whitespace removed for readability):

setting to what the NTDOMAIN portion of your username is. So if you're logging into Windows as "CBI-INET.COM\mshellard" then that's fine. (It should match echo %USERDOMAIN%\%USERNAME% at a cmd.exe prompt.)

Norman,

Thank you. You are the best.

Thanks to your plugin and assistance I have been able to fulfil my boss's requests, and we now have a server that supports Pandion connections without putting in a password.

I changed both things in my wildfire.xml and it works like a champ.

Have a great night,

Mark

Message was edited by: branchms