
Openfire SSO

Question asked by Adam Kusmirek on Sep 17, 2016
Latest reply on Sep 17, 2016 by wroot

Hi All,

I would like to set up Openfire/SPARK with SSO and it doesn't work for me. I spent more than 20 hours diagnosing problems. Some are solved, but now I need help.

 

My Environment:

 

Windows Server 2012 as Domain Controller (openfiredc.mc.gov.pl)

Windows 10 system connected to domain with SPARK 2.8.0 as xmpp client

Debian Jessie 8.5 as Openfire server (openfire.mc.gov.pl)

 

root@openfire:/usr/local# java -version

java version "1.8.0_101"

Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

 

All systems synchronized with NTP

 

Forward and Reverse DNS configured including _kerberos and _xmpp SRV records

 

I think I've done everything according to SSO Configuration

 

Openfire Configuration:

 

/etc/krb5.conf:

[libdefaults]

        default_realm = MC.GOV.PL

[realms]

        MC.GOV.PL = {

                kdc = openfiredc.mc.gov.pl

                admin_server = openfiredc.mc.gov.pl

                default_domain = mc.gov.pl

        }

[domain_realm]

        .mc.gov.pl = MC.GOV.PL

        mc.gov.pl = MC.GOV.PL

 

Created XMPP SPN, mapping and keytab according to DOC-1060. Verification on Openfire server:

 

root@openfire:/usr/local# kinit -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfire.mc.gov.pl@MC.GOV.PL -V

Using default cache: /tmp/krb5cc_0

Using principal: xmpp/openfire.mc.gov.pl@MC.GOV.PL

Using keytab: /usr/share/openfire/resources/xmpp.keytab

Authenticated to Kerberos v5

 

gss.conf file:

 

root@openfire:/usr/local# cat /etc/openfire/gss.conf

com.sun.security.jgss.accept {

    com.sun.security.auth.module.Krb5LoginModule

    required

    storeKey=true

    keyTab="/usr/share/openfire/resources/xmpp.keytab"

    doNotPrompt=true

    useKeyTab=true

    realm="MC.GOV.PL"

    principal="xmpp/openfire.mc.gov.pl@MC.GOV.PL"

    isInitiator=false

    debug=true;

};

 

SASL configuration added to openfire.x

 

<sasl> 

    <mechs>GSSAPI</mechs> 

    <realm>MC.GOV.PL</realm> 

    <gssapi> 

        <debug>true</debug> 

        <config>/etc/openfire/gss.conf</config> 

        <useSubjectCredsOnly>false</useSubjectCredsOnly> 

    </gssapi> 

</sasl>

 

SPARK client configuration:

 

Registry modified according to DOC-1060

SSO use krb5.ini

 

Problem Description:

 

SPARK starts an XMPP conversation:

 

<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>

<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>

 

Openfire Server answers:

 

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0">

<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

 

SPARK sends TGS-REQ for krbtgt@MC.GOV.PL (MC.GOV.PL) and receives ticket TGS-REP

SPARK sends TGS-REQ for xmpp@openfire.mc.gov.pl (MC.GOV.PL)  and receives ticket TGS-REP

 

SPARK sends an XMPP message to the Openfire server:

 

<stream:stream xmlns='jabber:client' to='mc.gov.pl' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='Administrator@mc.gov.pl' xml:lang='en'>

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIIFRgYJKoZIhvcSAQICAQBuggU1MIIFMaADAgEFoQMCAQ6iBwMFACAAAACj ggRXYYIEUzCCBE+gAwIBBaELGwlNQy5HT1YuUEyiJTAjoAM

.................................

CAQChHDAaGwR4bXBwGxJvcGVuZmlyZS5tYy5nb3YucGyjggQSMIIEDqADAgEXoQMCAQWiggQABIID/MZ 6nikvfX9DDiF9hmxK1IiQEtFVQLvjRIBIiEY2W8BMjd24sVIbdig0fGAimw1diRuYvL6iX6caBrug==</auth>

 

And this is the moment where Openfire has a problem.

 

Openfire sends an answer to SPARK:

 

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mc.gov.pl" id="5j5dchu0oz" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

 

In the logs I can see only:

 

2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 5

Queue : [MESSAGE_RECEIVED, ]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 5

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 5

2016.09.17 21:03:02 INFO  [socket_c2s-thread-3]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.filter.ssl.SslFilter - Session Server[5](SSL): Writing Message : WriteRequest: HeapBuffer[pos=0 lim=77 cap=128: 3C 66 61 69 6C 75 72 65 20 78 6D 6C 6E 73 3D 22...]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-3]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 5

2016.09.17 21:03:02 DEBUG [NioProcessor-2]: org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 5

Queue : [MESSAGE_SENT, ]

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 5

2016.09.17 21:03:02 DEBUG [socket_c2s-thread-2]: org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 5

 

Please help, I have no idea what is wrong.

 

Regards, Adam
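The base64 inside the `<auth mechanism='GSSAPI'>` element above is a GSS-API initial token wrapping a KRB_AP_REQ, and the fragment still visible in the post decodes to a ticket for xmpp/openfire.mc.gov.pl in MC.GOV.PL whose enc-part has etype 23 (arcfour-hmac) and kvno 5; Openfire's "Failure to initialize security context" is the generic message for the acceptor rejecting such a token, and a keytab without a key of that SPN, kvno and etype is one common cause, so those three values are what to compare with `klist -k -e` on the server. The Python below is an added example, not code from the post or from Openfire: it builds a constructed token of the same shape, extracts those fields from it, and checks them against keytab entries written as (principal, kvno, etype). The cipher bytes, the 16-byte authenticator placeholder, the name-type value and the keytab entries are constructed sample values.

```python
import base64

KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2, the Kerberos V5 GSS mechanism

def tlv(tag, body):  # DER tag/length/value; lengths above 127 use the long form
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

def items(buf):  # split a DER buffer into a list of (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:  # long-form length: low bits give the byte count of the real length
            ln, i = int.from_bytes(buf[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def fields(buf):  # buffer holding one SEQUENCE -> {context tag number: tag contents}
    return {t & 0x1F: v for t, v in items(items(buf)[0][1])}

def build_token(realm, service, host, etype, kvno, cipher):  # constructed sample GSS-API InitialContextToken
    ctx, integer = (lambda n, v: tlv(0xA0 | n, v)), (lambda v: tlv(0x02, bytes([v])))  # small ints only
    gstr = lambda s: tlv(0x1B, s.encode())  # GeneralString
    sname = tlv(0x30, ctx(0, integer(1)) + ctx(1, tlv(0x30, gstr(service) + gstr(host))))  # NT-PRINCIPAL
    enc = tlv(0x30, ctx(0, integer(etype)) + ctx(1, integer(kvno)) + ctx(2, tlv(0x04, cipher)))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gstr(realm)) + ctx(2, sname) + ctx(3, enc)))
    authenticator = tlv(0x30, ctx(0, integer(etype)) + ctx(2, tlv(0x04, b"\x00" * 16)))  # placeholder bytes
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) + ctx(2, tlv(0x03, b"\x00\x20\x00\x00\x00"))
                           + ctx(3, ticket) + ctx(4, authenticator)))  # [APPLICATION 14] AP-REQ, ap-options mutual
    return base64.b64encode(tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + ap_req)).decode()  # TOK_ID 01 00

def ticket_info(token_b64):  # realm, service principal, enc-part etype and kvno of the ticket in a GSSAPI token
    body = items(base64.b64decode(token_b64))[0][1]  # contents of the 0x60 wrapper
    oid_end = 2 + body[1]
    if body[0] != 0x06 or body[2:oid_end] != KRB5_OID or body[oid_end:oid_end + 2] != b"\x01\x00":
        raise ValueError("not a Kerberos V5 KRB_AP_REQ token")
    ap_req = fields(items(body[oid_end + 2:])[0][1])  # 0x6e [APPLICATION 14] AP-REQ
    t = fields(items(ap_req[3])[0][1])  # [3] Ticket, 0x61 [APPLICATION 1]
    parts = [v.decode() for _, v in items(items(fields(t[2])[1])[0][1])]  # PrincipalName.name-string
    enc = fields(t[3])  # EncryptedData: [0] etype, [1] kvno, [2] cipher
    return {"realm": items(t[1])[0][1].decode(), "sname": "/".join(parts),
            "etype": int.from_bytes(items(enc[0])[0][1], "big"), "kvno": int.from_bytes(items(enc[1])[0][1], "big")}

def keytab_check(info, entries):  # entries are (principal, kvno, etype) as `klist -k -e` lists them
    spn = f"{info['sname']}@{info['realm']}"
    keys = {(k, e) for p, k, e in entries if p == spn}
    if not keys:
        return f"keytab has no key for {spn}"
    if (info["kvno"], info["etype"]) not in keys:
        return f"keytab has no kvno {info['kvno']} etype {info['etype']} key for {spn}; it has {sorted(keys)}"
    return None
```

To use it on a real capture, paste the complete base64 from the client's `<auth>` element into `ticket_info` and feed `keytab_check` the principal, KVNO and etype columns from `klist -k -e -t /usr/share/openfire/resources/xmpp.keytab`.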
