20 Replies Latest reply on Oct 23, 2016 7:36 AM by speedy

    Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue

    Victor

      Howdy folks! Really excited about the possibilities of the Openfire product but really feeling terrible because I can't configure SSO. Want it so much but everything seems so cryptic and I saw no clear instruction on how I'm supposed to configure OF 3.6.8 in conditions similar to mine. The error is typical: it correctly defines the username but authentication fails and it tells me about principal and server configuration issues. Server logs are giving me no clues as to what is happening when the client tries to authenticate on the server. Ordinary authentication works perfectly. Can somebody give me a link to instructions about configuring SSO in conditions similar to mine? Also I have some questions about SSO configuration.

       

      1) krb5.conf (Openfire server 3.6.8) and krb5.ini (computers with Spark clients) should be the same. Am I right?

       

      2) What kind of packages should I apt-get install on my OF server? krb5, winbind, samba, ntpdate and what else?

       

      3) In DNS, in the reverse lookup zone, I see no record (Host A) for xmpp/... Is it OK? Everything resolves without problems and I joined the OF server to AD successfully.

       

      Thanks in advance!

       

      P.S. definitely it is not a cakewalk to configure SSO with Openfire))

        • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
          speedy

          take a look at

          How to Setup  SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

           

          the process is pretty much the same with linux (in my testing anyway). All the work is done at the domain controller, so all you have to do is adjust the paths in the gss.conf file and openfire system properties to work with linux.

           

          I don't believe you need a krb5.conf on the linux box.

          you will need a PTR record unless you disable the DNS check within the client's krb5.ini

           

          also, OF is currently at 4.0.3...so you may want to upgrade..

            • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
              Victor

              No, I really don't want to install 4.0.3. I tested it and it has several terrible glitches which make it virtually impossible to use (disappearing rosters, UTF8 problems which can't be solved via previous solutions, etc.). This PTR record, what do you mean by it? Everything resolves correctly so I think it exists. Just look at this output of nslookup which I made on the domain controller:

               

              Default Server:  localhost
              Address:  127.0.0.1

              > communicator
              Server:  localhost
              Address:  127.0.0.1

              Name: communicator.domain.local
              Address:  10.97.100.7

              > 10.97.100.7
              Server:  localhost
              Address:  127.0.0.1

              Name: communicator.domain.local
              Address:  10.97.100.7

               

              Localhost is the domain controller and 10.97.100.7 is the address of the openfire server. Maybe I am having a problem because before adding Debian machine (Openfire server) to domain I manually created a record in DNS. Anyway should I add my Openfire server to a domain environment?

               

              And BTW I also used default_jre when I installed java for the openfire server (NOT the sun which is not allowed in repositories nowadays). May it be the source of the problem? My gss.conf is the following:

               

              root@COMMUNICATOR:~# cat /etc/openfire/gss.conf
                  com.sun.security.auth.module.Krb5LoginModule
                  required
                  storeKey=true
                  keyTab="/usr/share/openfire/resources/xmpp.keytab"
                  doNotPrompt=true
                  useKeyTab=true
                  realm="DOMAIN.LOCAL"
                  principal="xmpp/communicator.domain.local@DOMAIN.LOCAL"
                  isInitiator=false
                  debug=true;
              };

               

              Here is my krb5.conf (openfire server named COMMUNICATOR):

               

              root@COMMUNICATOR:# cat /etc/krb5.conf
              [libdefaults]
                      default_realm = DOMAIN.LOCAL
                      kdc_timesync = 1
                      forwardable = true
                      proxiable = true
                      default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
                      default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
                      permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

              [realms]
                      DOMAIN.LOCAL = {
                              kdc = dc.domain.local
                              default_domain = DOMAIN.LOCAL
                      }

              [domain_realm]
                      .domain.local = DOMAIN.LOCAL
                      domain.local = DOMAIN.LOCAL

               

              Here is my krb5.ini for the client with Spark 2.7.7 installed (I dropped it in C:/Windows):

               

              [libdefaults]
                      default_realm = DOMAIN.LOCAL
                      default_tkt_enctypes = rc4-hmac
                      default_tgs_enctypes = rc4-hmac

              [realms]
                      DOMAIN.LOCAL = {
                              kdc = dc.domain.local
                              default_domain = DOMAIN.LOCAL
                      }

              [domain_realm]
                      .domain.local = DOMAIN.LOCAL
                      domain.local = DOMAIN.LOCAL

               

              I added the following DWORD parameter to registry of the clients (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters):

               

              allowtgtsessionkey = 1

               

              And I added the following values to my OF server System Properties:

               

              1. sasl.gssapi.config = /etc/openfire/gss.conf
              2. sasl.gssapi.debug = false
              3. sasl.gssapi.useSubjectCredsOnly = false
              4. sasl.mechs = GSSAPI
              5. sasl.realm = DOMAIN.LOCAL
              6. xmpp.fqdn = communicator.domain.local

               

              What else can I do? It is really so difficult to understand why it doesn't work. Also I turned on some debugging in Spark and it writes the following:

            • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
              speedy

              a common mistake is to make sure your xmpp.domain matches what you used for your SPN

                • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                  Victor

                  Can you be such a nice person and point to the exact line with the mistake and write down how it should look? Thank you.

                    • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                      speedy

                      when you sign into your openfire admin console, what do you have for "Server Name"? Does that match what you used when you created your SPN?

                        • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                          Victor

                          Hmm...I have communicator there because this is the name of my openfire server and it resolves correctly via DNS. I tried the IP address there and tried to write the FQDN there (like communicator.domain.local). My user for openfire is named xmpp_user (password never expires and Kerberos preauthentication). So in my case what should be in the Server Name field?

                           

                          Well...Here is the output of the commands which I issued on a domain controller (BTW I have two of them):

                           

                          Microsoft Windows [Version 6.1.7601]
                          Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

                          C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL
                          xmpp-openfire
                          Registering ServicePrincipalNames for CN=xmpp-openfire,OU=Service Accounts,DC=domain, DC=local
                          xmpp/communicator.domain.local@DOMAIN.LOCAL
                          Updated object

                          C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL
                          .INT -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL
                          Targeting domain controller: dc.domain.local
                          Successfully mapped xmpp/communicator.domain.local to xmpp-openfire.
                          Type the password for xmpp/communicator.domain.local:
                          Type the password again to confirm:
                          Password succesfully set!
                          Key created.

                          C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL
                          .INT -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out
                          xmpp.keytab
                          Targeting domain controller: dc.domain.local
                          Successfully mapped xmpp/communicator.domain.local to xmpp-openfire.
                          Type the password for xmpp/communicator.domain.local:
                          Type the password again to confirm:
                          Password succesfully set!
                          Key created.
                          Output keytab to xmpp.keytab:
                          Keytab version: 0x502
                          keysize 82 xmpp/communicator.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_PRIN
                          CIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x5cb572987582c0615b0b3244599e3
                          fbb)

                            • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                              speedy

                              the "Server Name" aka XMPP Domain is like the domain part in an email address. This should NOT be a shortname. It should be the FQDN/FQHN, or the root of a domain (like igniterealtime.org). HOWEVER, if you use the root of a domain, you'll then need to create SRV records that resolve to the fqdn/fqhn of the server.

                               

                              So, in your case, you created your SPN record to be communicator.domain.local, so your xmpp domain/server name should be communicator.domain.local and not just communicator.

                              Once you update this, your JID would be @communicator.domain.local instead of @communicator

                              Once you update this, you'll also need to regenerate your certs and possibly update your admin.authorizedJIDs (if it's there).
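Added example, written for this edit and not code from the thread, from Openfire or from ktpass: a Python check that the three things this reply says must agree actually do agree, using the gss.conf Victor posted and a keytab in the format ktpass printed above (keytab version 0x502). It parses the keytab, compares every principal it holds with the principal= line of gss.conf and the host part of that SPN with the XMPP domain ("Server Name"), and flags keys that use RC4-HMAC or DES. The keytab it runs on is constructed inside the script with an all-zero dummy key, not the key shown in the thread; build_keytab, parse_keytab and check_sso_config are names chosen for this example.

```python
"""Consistency check for Openfire SSO pieces: keytab, gss.conf, xmpp.domain.

Added example (not code from the thread, Openfire or ktpass). Parses a
MIT-format keytab, version 0x502 as ktpass writes it, and compares what it
holds with the principal= line of gss.conf and the XMPP domain.
"""
import re
import struct

# RFC 3961/4757 enctype numbers; 23 is the 0x17 (RC4-HMAC) shown in the ktpass output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}


def parse_keytab(data):
    """Return keytab entries as dicts with principal, kvno, enctype and key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                       # realm first, then the name components
        for _ in range(ncomp + 1):
            (slen,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + slen].decode())
            pos += 2 + slen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def build_keytab(principal, kvno, enctype, key):
    """Build a one-entry 0x502 keytab; used only to construct sample input here."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    body = struct.pack(">H", len(parts))
    for s in [realm] + parts:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def check_sso_config(gss_conf, keytab_bytes, xmpp_domain):
    """Return a list of findings; an empty list means the three pieces agree."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', gss_conf)
    if not m:
        return ["gss.conf names no principal"]
    principal = m.group(1)
    service, _, host = principal.partition("/")
    host = host.split("@", 1)[0]
    findings = []
    if service != "xmpp":
        findings.append(f"gss.conf principal service is {service!r}; Spark looks for xmpp/<domain>")
    if host.lower() != xmpp_domain.lower():
        findings.append(f"xmpp.domain {xmpp_domain!r} does not match SPN host {host!r}")
    entries = parse_keytab(keytab_bytes)
    matching = [e for e in entries if e["principal"] == principal]
    if not matching:
        findings.append(f"keytab holds no key for {principal!r}, only: "
                        + ", ".join(e["principal"] for e in entries))
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{principal} kvno {e['kvno']} uses weak enctype "
                            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    return findings


# Constructed samples: the thread's principal, kvno 4 and RC4-HMAC, but an all-zero dummy key.
SAMPLE_GSS_CONF = '''com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true keyTab="/usr/share/openfire/resources/xmpp.keytab"
    doNotPrompt=true useKeyTab=true realm="DOMAIN.LOCAL"
    principal="xmpp/communicator.domain.local@DOMAIN.LOCAL"
    isInitiator=false debug=true;
};'''
SAMPLE_KEYTAB = build_keytab("xmpp/communicator.domain.local@DOMAIN.LOCAL", 4, 23, bytes(16))

if __name__ == "__main__":
    for line in check_sso_config(SAMPLE_GSS_CONF, SAMPLE_KEYTAB, "communicator") or ["OK"]:
        print(line)
```

On a real server you would read /usr/share/openfire/resources/xmpp.keytab in binary mode and /etc/openfire/gss.conf as text, and pass the Server Name from the admin console as xmpp_domain; a "does not match SPN host" finding is exactly the shortname-versus-FQDN mismatch this reply describes, and the RC4-HMAC finding is why the enctype lines in the posted krb5.conf and krb5.ini are worth revisiting once SSO works.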

                                • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                                  Victor

                                  It sounds so complicated. However I think I understood that the username should be automatically identified by SSO the following way: username@COMMUNICATOR.DOMAIN.LOCAL and NOT like username@DOMAIN.LOCAL. Am I right?

                                  Please, can you give me the exact commands for DC to make jabber domain correct?

                                    • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                                      speedy

                                      I can't give you the commands without knowing all the correct variables.

                                       

                                      think of your JID (xmpp address), like an email address

                                       

                                      an email address is @whatever.com but uses an MX record so that clients can correctly resolve and find your server. So your MX record may point to mailserver.whatever.com

                                       

                                      xmpp works kinda the same way. If you want your xmpp domain to be @whatever.com, then you'll have to create a SRV record that clients can use to find the host it's running on, like xmpp.whatever.com, but unlike email, you can also use the full server name as your domain, without SRV, as long as it's resolvable. So instead of your domain being @whatever.com, it can be @xmpp.whatever.com without the SRV record as long as you have an A record for xmpp.whatever.com.

                                       

                                      Does that make sense?

                                       

                                      So...it depends on what you want to do...if this is internal only, you can create an xmpp domain based on your internal network. If you want to do some S2S and federate to the outside, then you'll want to go another route. So what you decide, and what you name your "Server Name" or XMPP Domain, will determine what you use going forward.

                          • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                            speedy

                            so for internal only, you can probably get by using communicator.domain.local as your Server Name/xmpp domain

                             

                            since you've done all the SPN-based work and that, there shouldn't be much else for you to do except delete the old cert and recreate it, plus update your admin.authorizedJIDs before restarting

                              • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                                Victor

                                What about SRV records? I have none (only a Host A record). Should I create these 3 records in DNS:

                                 

                                _xmpp-server._tcp.domain.local IN SRV 0 0 5269 communicator.domain.local.
                                _xmpp-client._tcp.domain.local IN SRV 0 0 5222 communicator.domain.local.
                                _jabber._tcp.domain.local IN SRV 0 0 5269 communicator.domain.local

                                 

                                DNS is a completely different server (the domain controller) than COMMUNICATOR in my environment.
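Added example, written for this edit and not code from the thread, Openfire or Spark, of the resolution order speedy describes above (SRV first, then the domain's own A record) and of the records asked about in this post. resolve_xmpp follows the RFC 6120 client procedure: it looks for _xmpp-client._tcp.<domain> SRV records, orders them by priority and then weight, and only when none exist connects to the XMPP domain itself on 5222, which is why an internal-only setup with Server Name = communicator.domain.local needs nothing beyond the A record. ZONE is a constructed in-memory stand-in for the thread's domain.local DNS, and lookup, resolve_xmpp and srv_records_for are names chosen for this example.

```python
"""Where does an XMPP client connect for a given XMPP domain?

Added example (not code from the thread, Openfire or Spark). Follows the
RFC 6120 order: _xmpp-client._tcp.<domain> SRV records, sorted by priority
(lower first) then weight (higher first); with no SRV record, fall back to an
A record for the domain itself on the default port. ZONE is a constructed
in-memory stand-in for the thread's domain.local DNS, not a live lookup.
"""

# Constructed zone: {owner: [(type, value)]}; an SRV value is (priority, weight, port, target).
ZONE = {
    "communicator.domain.local.": [("A", "10.97.100.7")],
    "_xmpp-client._tcp.domain.local.": [("SRV", (0, 0, 5222, "communicator.domain.local."))],
    "_xmpp-server._tcp.domain.local.": [("SRV", (0, 0, 5269, "communicator.domain.local."))],
}


def lookup(name, rtype, zone=ZONE):
    """Return the values of all records of type rtype at name (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    return [value for rtype_, value in zone.get(name, []) if rtype_ == rtype]


def resolve_xmpp(domain, service="xmpp-client", default_port=5222, zone=ZONE):
    """Ordered (host, port, ip) candidates for an XMPP domain; [] if nothing resolves."""
    srv = lookup(f"_{service}._tcp.{domain}", "SRV", zone)
    if srv:
        if len(srv) == 1 and srv[0][3] in (".", ""):
            return []                    # RFC 2782: a lone "." target means "not offered"
        ordered = sorted(srv, key=lambda r: (r[0], -r[1]))   # weight tie-break simplified
        targets = [(target.rstrip("."), port) for _, _, port, target in ordered]
    else:
        targets = [(domain, default_port)]   # no SRV: the domain name itself needs an A record
    return [(host, port, ip) for host, port in targets for ip in lookup(host, "A", zone)]


def srv_records_for(domain, host, client_port=5222, server_port=5269):
    """Zone-file lines needed when the XMPP domain is not the server's own host name."""
    return [f"_xmpp-client._tcp.{domain}. IN SRV 0 0 {client_port} {host}.",
            f"_xmpp-server._tcp.{domain}. IN SRV 0 0 {server_port} {host}."]


if __name__ == "__main__":
    for d in ("domain.local", "communicator.domain.local", "other.local"):
        print(d, "->", resolve_xmpp(d))
    print("\n".join(srv_records_for("domain.local", "communicator.domain.local")))
```

The two SRV names must begin with underscores and carry the _tcp label (as in srv_records_for); the _jabber._tcp name is the pre-RFC 6120 server-to-server record and is only worth adding if you expect peers that still query it. The weight handling here is a plain sort rather than RFC 2782's weighted random selection, which is enough to show the order but not a full client implementation.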

                                    • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                                      Victor

                                      speedy wrote:

                                       

                                      since you've done all the SPN-based work and that, there shouldn't be much else for you to do except delete the old cert and recreate it, plus update your admin.authorizedJIDs before restarting

                                      Oh my...This is a new experience for me and the questions are the following:

                                       

                                      1) How to delete the old cert? You mean to delete keytab.xmpp which I put onto /usr/share/openfire/resources on COMMUNICATOR and to generate it again with a command like this on the DC:

                                      >ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL -mapuser xmpp-openfire@domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

                                      Am I right?

                                       

                                      2) How to update my admin.authorizedJIDs? Never heard about it.

                                      • Re: Openfire 3.6.8 (Debian 7)+Spark 2.7.7 (Windows 8)+ AD (DC - WinSvr2008R2) SSO issue
                                        Victor

                                        OK. I understood about the certificates and AdminJID. I want to clarify:

                                         

                                        speedy wrote:

                                        so for internal only, you can probably get by using communicator.domain.local as your Server Name/xmpp domain

                                        since you've done all the SPN-based work and that

                                        speedy wrote:

                                         

                                        when you sign into your openfire admin console, what do you have for "Server Name"? Does that match what you used when you created your SPN?

                                        Server Name - communicator.domain.local

                                         

                                        C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL
                                        xmpp-openfire
                                        Registering ServicePrincipalNames for CN=xmpp-openfire,OU=Service Accounts,DC=domain,DC=local
                                        xmpp/communicator.domain.local@DOMAIN.LOCAL
                                        Updated object

                                         

                                        xmpp-openfire is my special user in AD for Kerberos.

                                         

                                        Is there a mistake according to what you wrote before?

                                        speedy wrote:

                                        a common mistake is to make sure your xmpp.domain matches what you used for your SPN

                                        Then how should it be? I am totally confused. As far as I understood, when I issue these commands on a domain controller they should look like this:

                                         

                                        1) Creating an SPN for xmpp service pointing to the Openfire server and special Kerberos user account

                                         

                                        C:\Users\Administrator>setspn -A xmpp/communicator.domain.local@DOMAIN.LOCAL
                                        xmpp-openfire

                                         

                                        2) Making a tie between SPN and Kerberos user account in AD

                                         

                                        C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL
                                        .INT -mapuser xmpp-openfire@communicator.domain.local -pass * -ptype KRB5_NT_PRINCIPAL

                                         

                                        3) Generating a keytab file for the SPN and Kerberos user account

                                         

                                        C:\Users\Administrator>ktpass -princ xmpp/communicator.domain.local@DOMAIN.LOCAL
                                        .INT -mapuser xmpp-openfire@communicator.domain.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

                                         

                                        I underlined what I didn't include in my commands in the current installation. After issuing the new commands I should put the new xmpp.keytab into /usr/share/openfire/resources and change the ownership of this file with this:

                                         

                                        # cd /usr/share/openfire/resources
                                        # chown openfire:openfire xmpp.keytab

                                         

                                        After all of this stuff I

                                        speedy wrote:

                                        delete the old cert and recreate it, plus update your admin.authorizedJIDs before restarting

                                         

                                        Have I described the correct way to fix the SSO troubles?