2 Replies Latest reply on Sep 17, 2016 12:25 PM by wroot

    Openfire SSO

    Adam Kusmirek

      Hi All,

      I would like to set up Openfire/SPARK with SSO and it doesn't work for me. I spent more than 20 hours diagnosing problems. Some are solved, but now I need help.

       

      My Environment:

       

      Windows Server 2012 as Domain Controller (openfiredc.mc.gov.pl)

      Windows 10 system connected to domain with SPARK 2.8.0 as xmpp client

      Debian Jessie 8.5 as Openfire server (openfire.mc.gov.pl)

       

      root@openfire:/usr/local# java -version

      java version "1.8.0_101"

      Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

      Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

       

      All systems synchronized with NTP

       

      Forward and Reverse DNS configured including _kerberos and _xmpp SRV records

       

      I think I've done everything according to SSO Configuration

       

      Openfire Configuration:

       

      /etc/krb5.conf:

      [libdefaults]
              default_realm = MC.GOV.PL
      [realms]
              MC.GOV.PL = {
                      kdc = openfiredc.mc.gov.pl
                      admin_server = openfiredc.mc.gov.pl
                      default_domain = mc.gov.pl
              }
      [domain_realm]
              .mc.gov.pl = MC.GOV.PL
              mc.gov.pl = MC.GOV.PL

       

      Created XMPP SPN, mapping and keytab according to DOC-1060. Verification on Openfire server:

       

      root@openfire:/usr/local# kinit -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfire.mc.gov.pl@MC.GOV.PL -V
      Using default cache: /tmp/krb5cc_0
      Using principal: xmpp/openfire.mc.gov.pl@MC.GOV.PL
      Using keytab: /usr/share/openfire/resources/xmpp.keytab
      Authenticated to Kerberos v5

       

      gss.conf file:

       

      root@openfire:/usr/local# cat /etc/openfire/gss.conf
      com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule
          required
          storeKey=true
          keyTab="/usr/share/openfire/resources/xmpp.keytab"
          doNotPrompt=true
          useKeyTab=true
          realm="MC.GOV.PL"
          principal="xmpp/openfire.mc.gov.pl@MC.GOV.PL"
          isInitiator=false
          debug=true;
      };

       

      SASL configuration added to openfire.x

       

      <sasl>
          <mechs>GSSAPI</mechs>
          <realm>MC.GOV.PL</realm>
          <gssapi>
              <debug>true</debug>
              <config>/etc/openfire/gss.conf</config>
              <useSubjectCredsOnly>false</useSubjectCredsOnly>
          </gssapi>
      </sasl>

       

      SPARK client configuration:

       

      Registry modified according to DOC-1060

      SSO use krb5.ini

       

      Problem Description:

       

      SPARK starts the XMPP conversation:

      <stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
      <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>

       

      Openfire Server answers:

      <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0">
      <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
      <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

       

      SPARK sends TGS-REQ for krbtgt@MC.GOV.PL (MC.GOV.PL) and receives ticket TGS-REP

      SPARK sends TGS-REQ for xmpp@openfire.mc.gov.pl (MC.GOV.PL) and receives ticket TGS-REP

       

      SPARK sends an XMPP message to the Openfire server:

      <stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>
      <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAM
      .................................
      CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug==</auth>

       

      And this is the moment where Openfire has a problem.

      Openfire sends an answer to SPARK:

      <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
      <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

       

      In the logs I can see only:

      2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 5
      Queue : [MESSAGE_RECEIVED, ]
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 5
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 5
      2016.09.17 21:03:02 INFO  [socket_c2s-thread-3]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.ssl.SslFilter - Session Server[5](SSL): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=77 cap=128: 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22...]
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 5
      2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 5
      Queue : [MESSAGE_SENT, ]
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 5
      2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 5

       

      Please help, I have no idea what is wrong.

       

      Regards Adam
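The base64 in the client's <auth> element is a GSS-API InitialContextToken carrying a Kerberos AP-REQ; decoding its leading DER fields shows the realm, the service principal the client obtained a ticket for, and the ticket's encryption type, which are the values to compare against the keytab and the principal in gss.conf when the server reports "Failure to initialize security context". The script below is an added example (Python), not part of the post or of Openfire/Spark; its embedded sample is only the token prefix quoted in the post, so the SPN and etype lie beyond the cut-off and are reported as absent.

```python
import base64
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
TOKEN_PREFIX = ("YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACj"
                "ggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAj")  # start of the post's <auth> token

def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def children(buf, pos):
    """Yield (tag, start, end) of each TLV nested in the element at pos, clamped to the bytes present."""
    _, pos, end = tlv(buf, pos)
    end = min(end, len(buf))
    while pos + 2 <= end:
        tag, s, e = tlv(buf, pos)
        yield tag, s, min(e, end)
        pos = e

def decode_ticket(buf, pos, out):
    _, pos, _ = tlv(buf, pos)                      # [APPLICATION 1] Ticket, then SEQUENCE
    for tag, s, e in children(buf, pos):
        if tag == 0xA1:                            # [1] realm GeneralString
            _, a, b = tlv(buf, s); out["realm"] = buf[a:b].decode("ascii")
        elif tag == 0xA2:                          # [2] sname; its [1] name-string holds the SPN parts
            for t, a, b in children(buf, s):
                if t == 0xA1:
                    out["sname"] = [buf[x:y].decode("ascii") for _, x, y in children(buf, a)]
        elif tag == 0xA3:                          # [3] enc-part; its [0] etype must exist in the keytab
            for t, a, b in children(buf, s):
                if t == 0xA0:
                    _, x, y = tlv(buf, a); out["etype"] = int.from_bytes(buf[x:y], "big")

def decode_gssapi_token(b64):
    """Token id, realm, SPN and etype of a Kerberos GSS-API initial token; fields past a cut-off are absent."""
    buf = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    tag, pos, end = tlv(buf, 0)                    # [APPLICATION 0] InitialContextToken
    assert tag == 0x60, "not a GSS-API InitialContextToken"
    out = {"truncated": end > len(buf)}            # a token cut inside a length field still raises IndexError
    _, s, e = tlv(buf, pos)                        # mechanism OBJECT IDENTIFIER
    assert buf[s:e] == KRB5_MECH_OID, "mechanism is not Kerberos V5 (SPNEGO wraps the AP-REQ differently)"
    out["tok_id"] = buf[e:e + 2].hex()             # 0100 = KRB_AP_REQ (RFC 4121 section 4.1)
    _, pos, _ = tlv(buf, e + 2)                    # [APPLICATION 14] AP-REQ, then SEQUENCE
    for tag, s, e in children(buf, pos):           # [0] pvno, [1] msg-type, [2] ap-options, [3] ticket, ...
        if tag == 0xA3:
            decode_ticket(buf, s, out)
    return out
```

On a complete token the same call also returns "sname" (e.g. the service and host parts of the SPN) and "etype", so a mismatch with the keytab's principal or encryption types is visible without enabling server debug output.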