How do I enable Openfire to log my users in via Single Sign-On (SSO) and Username/Password?
I’m running Openfire 4.1.1 on Ubuntu 16.04
with Java Version 1.8.0_121 Oracle Corporation – Java HotSpot™ 64-Bit Server VM
Using Server 2012R2 Active Directory for SSO
Funnily enough, I’ve done this once before and I don’t remember it being so damn hard…
I’ve referenced all the following articles:
https://www.leonroy.com/blog/2013/11/openfire-single-sign-on-sso/
https://community.igniterealtime.org/docs/DOC-1060
https://community.igniterealtime.org/docs/DOC-2706
https://issues.igniterealtime.org/browse/SPARK-1747
https://community.igniterealtime.org/thread/33734
I have basically followed this procedure (I say basically because I have started from scratch and troubleshot this problem so much I’m not sure exactly what I did when):
AD Domain => i.domain.name
NetBIOS Name => i
IM Domain => im.domain.name
Kerberos Realm => I.DOMAIN.NAME
Kerberos KDC => I.DOMAIN.NAME (I think)
Domain Controller FQDN => dc1.i.domain.name
Openfire FQDN => server-im.i.domain.name (with CNAMEs im and openfire)
(also all DNS records in i.domain.name also have CNAMEs in domain.name)
Openfire Keytab file => /etc/openfire/security/openfire.keytab
GSS Principal => xmpp/xmpp-openfire@I.DOMAIN.NAME
Create a Domain account and ready Active Directory
I created a user: xmpp-openfire with a password PASSWORD
I then made sure that:
User cannot change password is checked
Password never expires is checked
Do not require Kerberos preauthentication is checked
User is a Domain Admin (overkill I think)
User is an Openfire Admin (also overkill)
I then created a load of Service Principal Names (SPN) for each and every possible domain name of the openfire server: (again probably overkill, but…) (might be the problem!!!)
setspn -A xmpp/im.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/openfire.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/server-im.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/im.i.domain.name xmpp-openfire
setspn -A xmpp/openfire.i.domain.name xmpp-openfire
setspn -A xmpp/server-im.i.domain.name xmpp-openfire
setspn -A xmpp/im.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/openfire.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/server-im.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/im.domain.name xmpp-openfire
setspn -A xmpp/openfire.domain.name xmpp-openfire
setspn -A xmpp/server-im.domain.name xmpp-openfire
setspn -A xmpp/xmpp-openfire@I.DOMAIN.NAME xmpp-openfire
I then mapped every SPN I created above to the account I created earlier:
ktpass -princ xmpp/im.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/xmpp-openfire@I.DOMAIN.NAME -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
I then verified this all worked (so far) with the command:
C:\Users\username>setspn -L xmpp-openfire
Registered ServicePrincipalNames for CN=xmpp-openfire,CN=Users,DC=i,DC=domain,DC=name:
xmpp/server-im.domain.name
xmpp/openfire.domain.name
xmpp/im.domain.name
xmpp/server-im.i.domain.name
xmpp/openfire.i.domain.name
xmpp/im.i.domain.name
xmpp/server-im.domain.name@i.domain.name
xmpp/openfire.domain.name@i.domain.name
xmpp/im.domain.name@i.domain.name
xmpp/server-im.i.domain.name@i.domain.name
xmpp/openfire.i.domain.name@i.domain.name
xmpp/im.i.domain.name@i.domain.name
Configure the Ubuntu server for Kerberos and Samba
Create a keytab file to be used with openfire
On Openfire server, create the keytab file:
ktutil <<EOF
rkt /etc/openfire/security/openfire.keytab
addent -password -p xmpp-openfire@I.DOMAIN.NAME -k 1 -e RC4-HMAC
PASSWORD
wkt /etc/openfire/security/openfire.keytab
q
EOF
chown openfire:openfire /etc/openfire/security/openfire.keytab
Verify that the above was added properly:
root@server-im:~# klist -k /etc/openfire/security/openfire.keytab
Keytab name: FILE:/etc/openfire/security/openfire.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 xmpp-openfire@I.DOMAIN.NAME
Modify /etc/krb5.conf file:
root@server-im:~# echo """
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = I.DOMAIN.NAME
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  kdc_timesync = 1
  ccache_type = 4
  proxiable = true
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  v4_instance_resolve = false
  v4_name_convert = {
    host = {
      rcmd = host
      ftp = ftp
    }
    plain = {
      something = something-else
    }
  }
  fcc-mit-ticketflags = true

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[realms]
  I.DOMAIN.NAME = {
    kdc = dc1.i.domain.name:88
    admin_server = i.domain.name
    default_domain = i.domain.name
  }

[domain_realm]
  .i.domain.name = I.DOMAIN.NAME
  i.domain.name = I.DOMAIN.NAME
  .domain.name = I.DOMAIN.NAME
  domain.name = I.DOMAIN.NAME

[login]
  krb4_convert = true
  krb4_get_tickets = false
""" > /etc/krb5.conf
Verify that the server can log in via kerberos using the keytab file:
root@server-im:~# kinit -kt /etc/openfire/security/openfire.keytab xmpp-openfire@I.DOMAIN.NAME -V
Using default cache: /tmp/krb5cc_0
Using principal: xmpp-openfire@I.DOMAIN.NAME
Using keytab: /etc/openfire/security/openfire.keytab
Authenticated to Kerberos v5
root@server-im:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xmpp-openfire@I.DOMAIN.NAME

Valid starting     Expires            Service principal
30/03/17 12:33:54  30/03/17 22:33:54  krbtgt/I.DOMAIN.NAME@I.DOMAIN.NAME
	renew until 30/03/17 22:33:54
Modify /etc/samba/smb.conf file:
echo """
[global]
workgroup = i
realm = I.DOMAIN.NAME
preferred master = no
server string = Openfire Instant Messaging Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
#winbind enum users = Yes
#winbind enum groups = Yes
#winbind use default domain = Yes
#winbind nested groups = Yes
#winbind separator = +
#idmap uid = 600-20000
#idmap gid = 600-20000
template shell = /bin/bash
dns proxy = no
max log size = 10000
""" > /etc/samba/smb.conf
Setup Samba and join the Domain:
service smbd stop
service nmbd stop
service winbind stop
net ads join -U administrator
service smbd start
service nmbd start
service winbind start
Verify that Samba is working properly:
wbinfo -u
wbinfo -g
net ads info
net ads user
net ads group
Configure the Openfire server for Kerberos and GSSAPI
Modify the Openfire GSS config file
echo """com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/etc/openfire/security/openfire.keytab"
doNotPrompt=true
useKeyTab=true
realm="I.DOMAIN.NAME"
principal="xmpp/xmpp-openfire@I.DOMAIN.NAME"
debug=true
isInitiator=false;
};""" > /etc/openfire/gss.conf
chown openfire:openfire /etc/openfire/gss.conf
Within Openfire Admin Console, modify the following System Properties:
sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS,GSSAPI
sasl.realm I.DOMAIN.NAME
Modify /etc/openfire/openfire.xml and add within it: (maybe provider.auth.className)
<authorization>
  <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
  <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy -->
</authorization>
Kerberos will not work unless the client is within 5 minutes of the server. This also means the Time Zones must be correct as well!
echo "Europe/Dublin" > /etc/timezone
And within Openfire Admin Console, modify the following System Property:
locale.timeZone Europe/Dublin
It is VERY important to get the right Time Zone and it might not be straight-forward as Microsoft uses COMPLETELY different names!
Configure DNS Service Records (SRV)
Set up the following DNS records:
_xmpp-server._tcp.i.domain.name. IN SRV 0 0 5269 server-im.i.domain.name.
_xmpp-client._tcp.i.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
_jabber._tcp.i.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
_jabber-client._tcp.i.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
_xmpp-server._tcp.domain.name. IN SRV 0 0 5269 server-im.i.domain.name.
_xmpp-client._tcp.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
_jabber._tcp.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
_jabber-client._tcp.domain.name. IN SRV 0 0 5222 server-im.i.domain.name.
From what I’ve read and seen, this should be working!!! But it is not!!!
I’ve tried every variation I can think of and NOTHING!!!
Please help!
Bob
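The post's keytab step (ktutil, verified with klist -k) and its gss.conf step each name a principal, and GSSAPI acceptance only works when the principal Openfire's JAAS config asks Krb5LoginModule for is actually present in the keytab, in the service/host@REALM form with an upper-case realm. The script below is an added example, not part of the original post or of Openfire, that performs that cross-check on a gss.conf file and a klist -k listing. The sample files it writes are constructed for the example, modelled on the files shown in the post; the paths under $tmp are assumptions, and on a real host the captured listing is replaced by the output of klist -k on the live keytab.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the principal named in
# Openfire's JAAS config (gss.conf) against the principals in the keytab, and
# check that a principal has the service/host@REALM shape a service needs.
# Both inputs are files, so the check runs on a captured `klist -k` listing
# as well as on a live keytab.

# Print the principal="..." value from a gss.conf-style JAAS file (first match).
gss_principal() {
    sed -n 's/.*principal="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the principals from `klist -k` output: entry lines start with a numeric KVNO.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# 0 if $1 looks like service/host@REALM with an upper-case realm, 1 otherwise.
# A bare user principal (no "/") and a lower-case realm both fail.
spn_shape_ok() {
    case "$1" in
        */*@*)
            realm=${1##*@}
            [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
            ;;
        *) return 1 ;;
    esac
}

# 0 if the gss.conf principal is present in the keytab listing, 1 otherwise.
check_principal() {
    jaas=$(gss_principal "$1")
    if keytab_principals "$2" | grep -qxF -- "$jaas"; then
        echo "OK: gss.conf principal '$jaas' is in the keytab"
        return 0
    fi
    echo "MISMATCH: gss.conf names '$jaas' but the keytab holds:" >&2
    keytab_principals "$2" | sed 's/^/    /' >&2
    return 1
}

# Constructed sample inputs (assumptions for the example, modelled on the post).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/gss.conf" <<'EOF'
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true keyTab="/etc/openfire/security/openfire.keytab"
  useKeyTab=true doNotPrompt=true realm="I.DOMAIN.NAME"
  principal="xmpp/xmpp-openfire@I.DOMAIN.NAME" isInitiator=false;
};
EOF

cat >"$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/openfire/security/openfire.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 xmpp-openfire@I.DOMAIN.NAME
EOF

# On a real host, replace the captured listing with the live keytab:
#   klist -k /etc/openfire/security/openfire.keytab > "$tmp/klist.txt"
if ! check_principal "$tmp/gss.conf" "$tmp/klist.txt"; then
    echo "Fix: add the gss.conf principal to the keytab (ktutil addent) or point gss.conf at a principal the keytab holds." >&2
fi

for p in "xmpp/xmpp-openfire@I.DOMAIN.NAME" "xmpp-openfire@I.DOMAIN.NAME" "xmpp/im.i.domain.name@i.domain.name"; do
    if spn_shape_ok "$p"; then echo "shape ok:  $p"; else echo "shape bad: $p"; fi
done
```

The shape check is deliberately strict about the realm: Kerberos realm names are case-sensitive, so a service principal written with a lower-case realm does not match a ticket issued for the upper-case one even when every other character is identical.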