Windows SSO procedure

Version 2

    This document is for users attempting to configure SSO for Openfire in a Windows environment (Windows Spark client, Windows Openfire server, Windows Active Directory). Samples of gss.conf, krb5.ini, the krb5 registry setting for XP, and openfire.xml are included below. This is based on my successful SSO configuration.

     

    Items in blue are case sensitive; this applies above all to the realm name and the service principal name, which must be written identically (and the realm in upper case) everywhere they appear. Items in red are just to call attention to structure or naming.

     

    Here is my SSO method:

     

    • Join the server to AD under the name you want it to be known by, so that you have a FQDN to use in the service principal. The name must be the server's own host name as registered in AD and DNS (an A record); a CNAME alias won't work.
    • Install Openfire (do not configure yet)
    • Create 2 AD users: one to map the service principal/keytab to and one to use as the LDAP bind account. Neither needs to be a domain admin: the keytab account only holds the service key, and the bind account only needs read access to the directory, so use plain, dedicated service accounts with strong passwords.
    • Configure the server now for AD LDAP
    • Generate the keytab on the domain controller Openfire will look at. Run ktpass as a user who may modify the mapped account, and note that /pass resets that account's password, so don't point it at an account whose password matters:
      • C:\>ktpass /princ xmpp/fqdn.of.chat.server@YOUR.DOMAIN.COM /mapuser xmpp-user@your.domain.com /pass * /out jabber.keytab
      • The realm after the @ in /princ must be upper case and must match the realm used in gss.conf, krb5.ini and openfire.xml. ktpass also writes the SPN xmpp/fqdn.of.chat.server onto the mapped account; that SPN must not exist on any other account, or the KDC will issue tickets for the wrong key. If ktpass warns about the principal type, add /ptype KRB5_NT_PRINCIPAL.
      • Copy the keytab file, jabber.keytab, to c:\Program Files\Openfire\resources and restrict its NTFS permissions to Administrators and the account the Openfire service runs as: the keytab is equivalent to the mapped account's password.
    • Create gss.conf as follows and copy it to the Openfire server at c:\Program Files\Openfire\conf (the realm and principal must match the ktpass command exactly):

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule
        required
        storeKey=true
        keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="YOUR.DOMAIN.COM"
        principal="xmpp/fqdn.of.chat.server@YOUR.DOMAIN.COM"
        debug=true;
    };

    • Create krb5.ini as follows and copy it to the root of the Windows directory (for example C:\Windows\krb5.ini) of every machine, including the server. The realm name under [realms] must be the same upper-case name as default_realm; a mismatch (for example DOMAIN.COM versus YOUR.DOMAIN.COM) makes the Java Kerberos library unable to find a KDC:

    [libdefaults]
    default_realm = YOUR.DOMAIN.COM
    noaddresses = true

    [realms]
    YOUR.DOMAIN.COM = {
        kdc = fqdn.of.domain.controller
        default_domain = your.domain.com
    }

    • Add the following to your openfire.xml, after </connectionProvider> (note there is no whitespace inside <mechs>; a trailing space would not match the mechanism name):

    <sasl>
      <!-- Include a comma-separated list of the authentication mechanisms to advertise support for to clients. Make sure GSSAPI is listed, and best if it's listed first. The order of mechanisms is important; clients should try to use the first mechanism they support (although not all will). Some clients will try to use the most secure first.

           You can add other mechanisms in order to support non-GSSAPI clients, or clients who cannot authenticate to the realm (like Windows 9X, off-site, and so on). Keep in mind that by allowing other mechanisms you are compromising the security of your realm. Be sure to talk to the Security Officer/Director/Manager/Administrator about any policies your organization might have before enabling less secure mechanisms.

           Keep in mind that a mechanism listed here might not actually be advertised, such as when the authProvider can't support the mechanism. PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication (the old style XMPP auth), so removing them from this list will disallow non-SASL authentication. -->
      <!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
      <mechs>GSSAPI</mechs>

      <!-- Specify the realm you used when you created the service principal and keytab. -->
      <realm>YOUR.DOMAIN.COM</realm>

      <!-- Mechanism-specific configuration here -->
      <gssapi>
        <!-- Use true to turn on debugging information. This adds a lot of noise to your log files, but it can help you spot problems sooner in the initial setup. Set it back to false once SSO works. -->
        <debug>true</debug>

        <!-- Specify the location of the GSSAPI configuration file you edited. -->
        <config>C:\Program Files\Openfire\conf\gss.conf</config>

        <!-- Sets the system property with the same name. You'll probably want "false" here (the default), so that the acceptor takes its credentials from the keytab named in gss.conf. For more details, see [http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html] -->
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
      </gssapi>
    </sasl>

      • Within <provider></provider> (openfire.xml element names are lower case) add the following (optional, no longer needed in Openfire 3.5.x and above). The policy decides whether an authenticated Kerberos principal may act as the requested XMPP user; LooseAuthorizationPolicy accepts the mapping when the user part of the principal matches the username:

    <authorization>
      <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
      <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy -->
    </authorization>

    • Add this to the registry of every XP SP2 client machine. By default Windows keeps the session key of the logon TGT inside the LSA; this value lets the LSA hand the key to user-mode programs such as the Java Kerberos library in Spark, which is the only way Spark can reuse the Windows logon ticket instead of prompting for a password. It applies to every process on the machine, so roll it out knowingly (on Windows Server 2003, Vista and later the value lives one level down, under ...\Lsa\Kerberos\Parameters):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value: 0x01

    • Start the Openfire server and watch the log for the GSSAPI debug output
    • Try to connect from Spark with the SSO option enabled in the login dialog
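    Most failed SSO setups come down to one of a handful of mismatches in the steps above: the chat server name is an alias, the SPN ended up on two accounts, the keytab is not where gss.conf says, the realm is spelled differently in krb5.ini than in ktpass, or the registry value is missing on the client. The following PowerShell script is an added example, not part of the original guide or of Openfire, that checks each of those before you start the server. It assumes PowerShell 2.0 or later, a domain-joined machine, and the guide's placeholder names (fqdn.of.chat.server, YOUR.DOMAIN.COM, the default Openfire paths); pass your own values as parameters.

```powershell
# Added example (not part of the original guide): pre-flight checks for the
# Openfire/AD Kerberos SSO setup described above. Run on the Openfire server
# as a domain user. The defaults are the guide's placeholders (assumptions).
param(
    [string]$ChatFqdn = 'fqdn.of.chat.server',
    [string]$Realm    = 'YOUR.DOMAIN.COM',
    [string]$KeyTab   = 'C:\Program Files\Openfire\resources\jabber.keytab',
    [string]$GssConf  = 'C:\Program Files\Openfire\conf\gss.conf',
    [string]$Krb5Ini  = (Join-Path $env:SystemRoot 'krb5.ini')
)

$spn      = "xmpp/$ChatFqdn"
$failures = 0

function Check([bool]$Ok, [string]$Message) {
    if ($Ok) { Write-Host "[ OK ] $Message" }
    else     { Write-Host "[FAIL] $Message"; $script:failures++ }
}

# 1. The SPN host part must be the server's real name. GetHostEntry returns the
#    canonical name, so for a CNAME alias it will not match what we asked for.
try {
    $entry = [System.Net.Dns]::GetHostEntry($ChatFqdn)
    Check ($entry.HostName -ieq $ChatFqdn) "$ChatFqdn is a real host name (canonical: $($entry.HostName))"
} catch {
    Check $false "$ChatFqdn does not resolve: $($_.Exception.Message)"
}

# 2. Exactly one AD account may carry the SPN. With a duplicate the KDC may
#    encrypt service tickets with the other account's key and the accept fails.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$holders  = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
Check ($holders.Count -eq 1) "SPN $spn is registered to exactly one account (found: $($holders -join ', '))"

# 3. The keytab must exist where gss.conf points. It is a password-equivalent
#    secret, so list who can read it and tighten the ACL if the list is long.
Check (Test-Path $KeyTab) "keytab present at $KeyTab"
if (Test-Path $KeyTab) {
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $readers  = (Get-Acl $KeyTab).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) } |
                ForEach-Object { $_.IdentityReference.Value }
    Write-Host "       identities allowed to read the keytab: $($readers -join ', ')"
}
if (Test-Path $GssConf) {
    $conf       = (Get-Content $GssConf) -join "`n"
    $confKeyTab = [regex]::Match($conf, 'keyTab\s*=\s*"([^"]+)"').Groups[1].Value
    $confPrinc  = [regex]::Match($conf, 'principal\s*=\s*"([^"]+)"').Groups[1].Value
    Check (($confKeyTab -replace '/', '\') -ieq $KeyTab) "gss.conf keyTab points at $KeyTab (found '$confKeyTab')"
    Check ($confPrinc -ceq "$spn@$Realm") "gss.conf principal is $spn@$Realm (found '$confPrinc')"
} else {
    Check $false "$GssConf not found"
}

# 4. krb5.ini: default_realm and the [realms] entry must be the same upper-case
#    realm, or the Java Kerberos library cannot locate a KDC for the realm.
if (Test-Path $Krb5Ini) {
    $ini     = (Get-Content $Krb5Ini) -join "`n"
    $default = [regex]::Match($ini, '(?m)^\s*default_realm\s*=\s*(\S+)').Groups[1].Value
    $section = [regex]::Match($ini, '(?m)^\s*([^\s=\[]+)\s*=\s*\{').Groups[1].Value
    Check ($default -ceq $Realm) "krb5.ini default_realm is $Realm (found '$default')"
    Check ($section -ceq $Realm) "krb5.ini [realms] entry is $Realm (found '$section')"
} else {
    Check $false "$Krb5Ini not found in the Windows directory"
}

# 5. Client-side prerequisite, checked on this machine: Java can only reuse the
#    Windows logon TGT if the LSA may release its session key. XP/2000 keep the
#    value under ...\Kerberos, Server 2003/Vista and later under ...\Kerberos\Parameters.
$val = $null
foreach ($p in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
               'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos') {
    $item = Get-ItemProperty -Path $p -Name AllowTgtSessionKey -ErrorAction SilentlyContinue
    if ($item -ne $null) { $val = $item.AllowTgtSessionKey; break }
}
Check ($val -eq 1) "AllowTgtSessionKey = 1 on this machine (found '$val')"

Write-Host "`n$failures check(s) failed."
exit $failures
```

    Run it once on the server and once on a client (on the client only checks 1, 4 and 5 are meaningful). Fix every [FAIL] before enabling GSSAPI in openfire.xml; a failing check 2 is resolved by removing the SPN from the extra account, never by adding it to a second one.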