Jan 13, 2017

Openfire XMPP Server on Windows Server 2012 R2 with Spark SSO

Jonathan Murch

[email protected]

28 steps for configuring single sign on for Openfire 3.10.3 and Spark 2.7.3 with an Active Directory Domain Services domain at the Windows Server 2012 R2 functional level.

This is the second article in a series I intend to publish to the Ignite Realtime community. My first article covered configuring single sign on for Windows Server 2008 R2 and can be found here: https://community.igniterealtime.org/docs/DOC-2706

Future articles could include the configuration for Windows 8.1 and Windows 10 single sign on.

This article was kindly funded by a member of the Ignite Realtime community who says:

"Without the efforts and ability of those who do this work and make it available for others, many of our favourite programs would disappear so I appreciate every time I read a well-documented process." Community Member, California USA

Software Prerequisites

Windows Server 2012 R2
Windows 7 x64 SP1
Openfire 3.10.3 http://www.igniterealtime.org/downloads/download-landing.jsp?file=openfire/openfire_3_10_3.exe
Spark 2.7.3 http://www.igniterealtime.org/downloads/download-landing.jsp?file=spark/spark_2_7_3.exe

My Lab Setup

To test and document the configuration required to enable single sign on in a Windows Server 2012 R2 domain, I built three virtual machines on my HP MicroServer with VMware ESXi 6 as the host's hypervisor.

AD1.test.com      10.0.0.1  Windows Server 2012 R2, Active Directory Domain Controller + DNS
APP1.test.com     10.0.0.2  Windows Server 2012 R2, Openfire Application Server
CLIENT1.test.com  10.0.0.3  Windows 7 x64 SP1, Spark IM client


Step by Step

Active Directory Configuration

Log on to the Domain Controller with a domain Administrator account.

1. Create a new account; for the lab I will use the logon name xmpp-openfire. Give the account a secure password and record it for later, and clear the "User must change password at next logon" flag. The account only needs to be a member of the Domain Users security group. You can use whichever naming convention you wish for your environment.

2. On the Account tab of the xmpp-openfire account, set the Account options to:

   User cannot change password
   Password never expires
   Do not require Kerberos preauthentication

   A caveat on the last option: Openfire authenticates clients with the keytab created in step 6 and never performs an AS exchange for this account itself, so disabling pre-authentication is not needed for SSO to work. An account without pre-authentication lets anyone who can reach the KDC request an AS-REP for it and attempt to crack the account password offline, so leave pre-authentication required unless you have a specific reason to disable it.

3. Create a standard user account; I created my own account, Jonathan, for testing later on.

4. Open an elevated command prompt and create a service principal name (SPN) for the xmpp-openfire account with the setspn utility (-S checks that the SPN is not already registered to another account before adding it):

   setspn -U -S xmpp/app1.test.com xmpp-openfire

   Replace app1.test.com with the fully qualified domain name of your Openfire application server. Active Directory matches SPNs case-insensitively, but the Java Kerberos code in Openfire and Spark compares principal names case-sensitively, and Spark requests the service as xmpp/<fqdn> in lowercase, so use lowercase xmpp/ consistently here, in ktpass and in gss.conf.

5. From the same command prompt use the ktpass utility to map the Kerberos xmpp service principal name created in the previous step to the xmpp-openfire account:

   ktpass /princ xmpp/app1.test.com@TEST.COM /mapuser xmpp-openfire@test.com /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

   xmpp-openfire@test.com is the full Active Directory username of the account. If you do not put the name of the Active Directory domain that the account was created in on the end, the utility may not be able to find the user account in Active Directory and will report an error. The /pass * parameter tells ktpass to prompt you for the xmpp-openfire account password; ktpass also sets the account password to the value you enter, so use the password you recorded in step 1. Step 6 repeats this mapping and additionally writes the keytab, so running ktpass twice is harmless.


6. From the same command prompt use the ktpass utility to create and export a keytab file. As above, the utility will prompt for the xmpp-openfire account password:

   ktpass /princ xmpp/app1.test.com@TEST.COM /mapuser xmpp-openfire@test.com /pass * /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /out c:\xmpp.keytab

   Keep the xmpp.keytab file safe for later, as it will be needed during Openfire configuration. The keytab holds the account's long-term key: anyone who obtains it can impersonate the Openfire service to clients, so treat it like a password, copy it over an authenticated channel, and restrict the file's ACL to the account the Openfire service runs as. RC4-HMAC-NT matches the enctypes in the krb5.ini of step 16; AES256-SHA1 is the stronger choice on a 2012 R2 domain, but the Java runtime Openfire uses (Java 7, or Java 8 before update 161) needs the JCE unlimited-strength policy files installed before it can use AES-256 Kerberos keys, and the enctype lists in krb5.ini must then include aes256-cts-hmac-sha1-96.
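Steps 1 to 6 as one script, added here as an example and not part of the original guide. It runs in an elevated PowerShell on the domain controller as a Domain Admin and assumes the lab names (domain test.com, realm TEST.COM, server app1.test.com, account xmpp-openfire, keytab C:\xmpp.keytab). It departs from the guide in two places, both deliberate: pre-authentication is left required, and ktpass is given +rndpass so that it sets a random account password that nobody needs to record, since Openfire only ever uses the keytab.

```powershell
# Added example, not part of the original guide: steps 1 to 6 as one script.
# Run in an elevated PowerShell on the domain controller as a Domain Admin.
# Assumed names (from the lab): domain test.com / realm TEST.COM, Openfire server
# app1.test.com, service account xmpp-openfire, keytab written to C:\xmpp.keytab.
Import-Module ActiveDirectory

$Domain     = 'test.com'
$Realm      = $Domain.ToUpperInvariant()
$ServerFqdn = 'app1.test.com'
$Account    = 'xmpp-openfire'
$Spn        = "xmpp/$ServerFqdn"        # lowercase: the name the Java client asks the KDC for
$KeytabPath = 'C:\xmpp.keytab'
$Crypto     = 'RC4-HMAC-NT'             # as in the guide; AES256-SHA1 is stronger but needs
                                        # krb5.ini and the JRE (JCE policy) to allow AES-256

# Steps 1-2: create the account. New-ADUser needs an initial password to enable the
# account; ktpass replaces it below, so nobody has to record it.
$rnd = New-Object byte[] 24
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($rnd)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force

New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "${Account}@${Domain}" `
    -AccountPassword $initial -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true `
    -Description 'Openfire XMPP GSSAPI service account'
# Kerberos pre-authentication is deliberately left required: the Openfire acceptor
# only ever uses the keytab, and an account without pre-auth can be AS-REP roasted.

# Step 4: register the SPN. -S refuses to add it if any other account already has it.
& setspn.exe -U -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn (duplicate SPN?)" }

# Steps 5-6: map the principal and write the keytab in one call. +rndpass makes
# ktpass set a random account password (the guide uses /pass * and prompts instead);
# the keytab receives the matching key either way.
& ktpass.exe /princ "${Spn}@${Realm}" /mapuser "${Account}@${Domain}" /pass +rndpass `
    /ptype KRB5_NT_PRINCIPAL /crypto $Crypto /mapop set /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw 'ktpass failed' }

# Verify: SPN, UPN, key version and pre-auth flag as AD now sees them, then ask
# setspn which accounts hold the SPN (there must be exactly one).
Get-ADUser $Account -Properties ServicePrincipalNames, 'msDS-KeyVersionNumber', DoesNotRequirePreAuth |
    Format-List SamAccountName, UserPrincipalName, ServicePrincipalNames, 'msDS-KeyVersionNumber', DoesNotRequirePreAuth
& setspn.exe -Q $Spn
```

The msDS-KeyVersionNumber shown at the end is the kvno that ktpass wrote into the keytab; if the account password is ever reset again, the keytab must be regenerated or Openfire will fail to decrypt tickets.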

7. Configure group policy. (a) Enable the encryption types allowed for Kerberos. To simplify things in this lab I applied the settings to the Default Domain Policy group policy object. On the domain controller open Control Panel, System and Security, Administrative Tools, Group Policy Management, then:

   Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options: Network Security: Configure encryption types allowed for Kerberos

   Enable all encryption types.

   "All" includes the two single-DES types, which Windows 7 and Server 2008 R2 and later disable by default and which nothing in this guide needs. Ticking RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types is enough for the configuration described here and leaves DES off.

   (b) Also for the lab I disabled the Windows Firewall across the domain:

   Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

   Do not do this outside a lab. The SSO configuration only needs the Openfire client port (TCP 5222 by default) and the admin console port (9090, see step 18) reachable on the application server, which is better done with firewall rules.

8. In DNS you will need a reverse lookup zone for the subnet your servers are connected to. The Spark client is a Java program and the Java GSS-API code it uses canonicalises the server name with a reverse (PTR) lookup before it builds the xmpp/<fqdn> service principal name; without a PTR record the name it asks the KDC for will not match the SPN registered in step 4. (LLMNR is not involved; it only resolves names on the local link.) Once you have created the zone, reboot your Openfire application server and it will automatically register its own pointer (PTR) record in the reverse lookup zone, provided the zone allows dynamic updates. Your Windows clients should also add their own records to the zone; that is not required for SSO, but it keeps the zone consistent.
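Steps 7(a) and 8 as one script, added here as an example and not part of the original guide. It runs in an elevated PowerShell on the domain controller, which is also the DNS server in the lab, and assumes the guide's Default Domain Policy GPO, the 10.0.0.0/24 lab subnet and app1.test.com at 10.0.0.2. The enctype bitmask it sets is the guide's "all" minus the two DES types; change it to 0x7FFFFFFF to match the guide exactly.

```powershell
# Added example, not part of the original guide: steps 7(a) and 8 as one script,
# run in an elevated PowerShell on the domain controller (also the DNS server in
# the lab). Assumed: GPO 'Default Domain Policy' as in the guide, lab subnet
# 10.0.0.0/24, Openfire server app1.test.com at 10.0.0.2.
Import-Module GroupPolicy
Import-Module DnsServer

# Step 7(a). The policy "Network security: Configure encryption types allowed for
# Kerberos" is the SupportedEncryptionTypes bitmask: DES_CBC_CRC=1, DES_CBC_MD5=2,
# RC4_HMAC_MD5=4, AES128=8, AES256=16, future types=0x7FFFFFE0. The guide ticks all
# of them (0x7FFFFFFF); 0x7FFFFFFC is the same set without the two DES types.
$AllowedEnctypes = 0x7FFFFFFC
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -ValueName 'SupportedEncryptionTypes' -Type DWord -Value $AllowedEnctypes | Out-Null

# Step 8. Reverse zone for the lab subnet, AD-integrated with secure dynamic
# updates so that domain members can register their own PTR records.
$NetworkId = '10.0.0.0/24'
$ZoneName  = '0.0.10.in-addr.arpa'
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
}

# The guide waits for the Openfire server to register itself after a reboot; adding
# its PTR record explicitly means the check below works straight away.
$ServerFqdn = 'app1.test.com'
$ServerIp   = '10.0.0.2'
$lastOctet  = $ServerIp.Split('.')[-1]
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $lastOctet -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ZoneName -Name $lastOctet -PtrDomainName $ServerFqdn
}

# Check what a Java Kerberos client will see: the forward lookup and the reverse
# lookup of the resulting address must agree, or the SPN it builds will not match.
function Test-ForwardReverseDns([string]$Fqdn) {
    $a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue |
           Select-Object -First 1
    $rev = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $null }
    [pscustomobject]@{ Fqdn = $Fqdn; IPAddress = $a.IPAddress; Reverse = $rev; Match = ($rev -eq $Fqdn) }
}

Test-ForwardReverseDns $ServerFqdn
```

Match must be True before you go on to the Openfire configuration; a False here is the single most common reason a Spark SSO login fails with a "server not found in Kerberos database" style error.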


Openfire Application Server Configuration

Log on to the Openfire Application Server with a domain Administrator account.

9. Install Openfire 3.10.3 from openfire_3_10_3.exe, accepting all defaults.

10. Open an elevated command prompt and change directory to C:\Program Files (x86)\Openfire\bin\

11. Run openfire-service /install to install Openfire as a Windows service; this has the benefit of the application starting and stopping with the server.

12. Run openfire-service /start to start the installed service.

13. Add the following registry value. It allows Java to read the session key of the TGT in the Windows Kerberos ticket cache. It is the Spark client that depends on it (step 22); the guide sets it on the server as well, although Openfire authenticates with the keytab rather than with a cached ticket:

   Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
   Value Name: AllowTGTSessionKey
   Value Type: REG_DWORD
   Value: 1

14. Back at step 6 we created the xmpp.keytab file; copy it to the Openfire application server and save it to C:\Program Files (x86)\Openfire\resources

15. Create a GSSAPI configuration file named gss.conf in C:\Program Files (x86)\Openfire\conf with Notepad. Here is my example:

   com.sun.security.jgss.accept {
       com.sun.security.auth.module.Krb5LoginModule required
       storeKey=true
       keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
       doNotPrompt=true
       useKeyTab=true
       realm="TEST.COM"
       principal="xmpp/app1.test.com@TEST.COM"
       debug=true;
   };


The realm is your Kerberos realm, typically the Active Directory domain name in upper case. The principal is the service principal name from step 4 bound to the Active Directory account, written exactly as it appears in the keytab (same case, with the realm).

The last line of gss.conf, debug=true, makes the Kerberos login module log GSSAPI errors and what it finds in the keytab. This is useful while configuring SSO to track down problems; once you have confirmed everything is working, set it to debug=false, as the output is verbose. Also, make sure you use / (forward slash) instead of \ (backslash) in the keytab path.
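Whether the keytab from step 14 and the principal= line in gss.conf agree is the first thing to check when GSSAPI fails, and Windows has no built-in tool for reading a keytab. The following reader is added here as an example and is not part of the original guide or of Openfire. It parses the MIT version 2 keytab format that ktpass writes, lists each entry's principal, key version and encryption type without printing key material, and compares against gss.conf case-sensitively, which is how the Java acceptor matches names. The embedded sample keytab is constructed for the demonstration (the key bytes are not a real key); the file paths at the end are the guide's.

```powershell
# Added example, not part of the original guide: a reader for the MIT-format keytab
# that ktpass writes, so you can confirm the principal name, key version (kvno) and
# encryption type in xmpp.keytab match the principal= line in gss.conf without
# printing any key material. Assumed paths are the guide's Openfire install.

$EncTypeNames = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 16 = 'des3-cbc-sha1';
                   17 = 'aes128-cts-hmac-sha1-96'; 18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }

function Read-BigEndian([byte[]]$Buf, [ref]$Pos, [int]$Width) {
    [long]$v = 0
    for ($i = 0; $i -lt $Width; $i++) { $v = ($v -shl 8) -bor $Buf[$Pos.Value + $i] }
    $Pos.Value += $Width
    return $v
}

function Read-Counted([byte[]]$Buf, [ref]$Pos) {   # uint16 length followed by that many bytes
    $len   = [int](Read-BigEndian $Buf $Pos 2)
    $start = $Pos.Value
    $Pos.Value += $len
    if ($len -eq 0) { return ,[byte[]]@() }
    return ,[byte[]]($Buf[$start..($start + $len - 1)])
}

function Read-Keytab([byte[]]$Bytes) {
    if ($Bytes.Length -lt 2 -or $Bytes[0] -ne 5 -or $Bytes[1] -ne 2) { throw 'Not a version 2 keytab' }
    $p = 2; $pos = [ref]$p
    $entries = @()
    while ($pos.Value + 4 -le $Bytes.Length) {
        $size = Read-BigEndian $Bytes $pos 4
        if ($size -ge 0x80000000) { $size -= 0x100000000 }       # int32: negative size = deleted slot
        if ($size -lt 0) { $pos.Value += [int](-$size); continue }
        if ($size -eq 0) { break }
        $end   = [int]($pos.Value + $size)
        $ncomp = Read-BigEndian $Bytes $pos 2
        $realm = [Text.Encoding]::ASCII.GetString((Read-Counted $Bytes $pos))
        $comps = @()
        for ($i = 0; $i -lt $ncomp; $i++) { $comps += [Text.Encoding]::ASCII.GetString((Read-Counted $Bytes $pos)) }
        $nameType  = Read-BigEndian $Bytes $pos 4                  # 1 = KRB5_NT_PRINCIPAL
        $timestamp = Read-BigEndian $Bytes $pos 4
        $kvno      = Read-BigEndian $Bytes $pos 1                  # 8-bit kvno
        $enctype   = [int](Read-BigEndian $Bytes $pos 2)
        $key       = Read-Counted $Bytes $pos                      # kept only for its length
        if ($end - $pos.Value -ge 4) { $kvno = Read-BigEndian $Bytes $pos 4 }   # 32-bit kvno, if present
        $pos.Value = $end
        $name = if ($EncTypeNames.ContainsKey($enctype)) { $EncTypeNames[$enctype] } else { "etype $enctype" }
        $entries += [pscustomobject]@{
            Principal = ($comps -join '/') + '@' + $realm
            NameType  = $nameType
            Kvno      = $kvno
            EncType   = $name
            KeyBytes  = $key.Length
            Timestamp = (New-Object DateTime 1970,1,1,0,0,0,([DateTimeKind]::Utc)).AddSeconds($timestamp)
        }
    }
    return $entries
}

# Case-sensitive comparison: this is how the Java acceptor matches the ticket's
# service name against the keytab, whatever Active Directory itself tolerates.
function Test-KeytabMatchesGssConf([string]$GssConfPath, [string]$KeytabPath) {
    $want = [regex]::Match((Get-Content $GssConfPath -Raw), 'principal\s*=\s*"([^"]+)"').Groups[1].Value
    $have = @(Read-Keytab ([IO.File]::ReadAllBytes($KeytabPath)) | ForEach-Object { $_.Principal })
    if ($have -ccontains $want) { "OK: gss.conf principal $want is in the keytab" }
    else { "MISMATCH: gss.conf wants $want; keytab has $($have -join ', ')" }
}

# Constructed sample (the key bytes are not a real key): one rc4-hmac entry for
# xmpp/app1.test.com@TEST.COM with kvno 3, exactly as ktpass would lay it out.
$SampleHex = '0502 00000042 0002 0008 544553542E434F4D 0004 786D7070 000D 617070312E746573742E636F6D' +
             ' 00000001 58788A00 03 0017 0010 00112233445566778899AABBCCDDEEFF 00000003'
$SampleKeytab = [byte[]](($SampleHex -replace '\s', '') -split '(..)' | Where-Object { $_ } |
                ForEach-Object { [Convert]::ToByte($_, 16) })
Read-Keytab $SampleKeytab | Format-Table Principal, NameType, Kvno, EncType, KeyBytes -AutoSize

# Against the real files from steps 14 and 15:
# Test-KeytabMatchesGssConf 'C:\Program Files (x86)\Openfire\conf\gss.conf' 'C:\Program Files (x86)\Openfire\resources\xmpp.keytab'
```

For the sample the table shows xmpp/app1.test.com@TEST.COM, name type 1, kvno 3, rc4-hmac and a 16-byte key. Against a real keytab, a kvno lower than the account's msDS-KeyVersionNumber means the account password was changed after ktpass ran and the keytab must be regenerated.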

16. Create a Kerberos configuration file with Notepad and save it as krb5.ini in C:\Windows on the server. Here is my example of what the krb5.ini file should look like:

   [libdefaults]
       default_realm = TEST.COM
       default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

   [realms]
       TEST.COM = {
           kdc = ad1.test.com
           admin_server = ad1.test.com
           default_domain = test.com
       }

   [domain_realm]
       test.com = TEST.COM
       .test.com = TEST.COM

   Two details matter here. The section is named [domain_realm] (singular); a misspelt section name is silently ignored and the default_realm is used instead, which happens to be right in a single-domain lab but not in a forest with several realms. Its entries must name your real DNS domain (test.com in the lab). The enctype lists are ordered by preference; the three entries after rc4-hmac are legacy 3DES and single-DES types that a 2012 R2 domain does not use, and if you enable AES on the service account (step 6), put aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 in front of rc4-hmac in all three lists.


17. I chose to install Google Chrome to access the Openfire administrator console, using the offline installer available from: http://www.google.com/chrome/eula.html?system=true&standalone=1

18. Open the Openfire administrator console, for me http://10.0.0.2:9090, and complete the setup. The screenshots below represent my configuration.


19. Log in to the Openfire admin console and enable GSSAPI by adding and saving the following properties in the System Properties section; be sure to replace my realm and server name with your own:

   Property Name                      Property Value
   authorization.classList            org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
   sasl.gssapi.config                 C:\Program Files (x86)\Openfire\conf\gss.conf
   sasl.gssapi.debug                  true (set to false once SSO works)
   sasl.gssapi.useSubjectCredsOnly    false
   sasl.mechs                         GSSAPI
   sasl.realm                         TEST.COM
   xmpp.fqdn                          app1.test.com

   sasl.mechs GSSAPI means Openfire offers only GSSAPI to clients, so a client without a Kerberos ticket cannot log in at all; that is the intended outcome here (see the closing note on Spark's saved passwords). xmpp.fqdn must be the same FQDN as the principal in the keytab and gss.conf.

20. Restart the Openfire service for the changes to apply, and check that the configuration is reflected in the System Properties section of the Openfire administration console.

21. Reboot the server for the registry change from step 13 to take effect.


Windows 7 x64 SP1 and Spark Client Configuration

Log on to the Windows 7 client with a domain Administrator account.

22. Add the following registry value. This is the change that lets Java read the session key of the logged-on user's TGT from the Windows Kerberos ticket cache, which Spark needs in order to reuse the Windows logon for SSO:

   Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
   Value Name: AllowTGTSessionKey
   Value Type: REG_DWORD
   Value: 1

23. Copy the krb5.ini we created in step 16 from C:\Windows on the Openfire application server to C:\Windows on the Windows 7 client.

24. Install Spark 2.7.3 from spark_2_7_3.exe, accepting all defaults.

25. Restart the Windows 7 client for the changes to take effect.

26. Log in to the Windows 7 client with the domain user account created in step 3.

27. Open the Spark IM client, select the Advanced button, then the SSO tab, tick Use Single Sign-On (SSO) via GSSAPI and click OK.

28. Select Login.
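A pre-flight check for the client side, added here as an example and not part of the original guide. Run it in an elevated PowerShell (3.0 or later) on the Windows 7 client after logging on as the test user and before starting Spark: it applies the registry value from step 22, checks that krb5.ini from step 23 is in place, repeats the reverse-DNS check from the client's point of view, and then asks the KDC for a service ticket for the Openfire SPN with klist, which is the same request Spark's GSSAPI login makes. It assumes the server name app1.test.com.

```powershell
# Added example, not part of the original guide: a pre-flight check for steps 22
# to 28, run in an elevated PowerShell on the Windows 7 client after logging on as
# the test user. It applies the registry value from step 22 and then confirms that
# the Windows logon can obtain a Kerberos service ticket for the Openfire SPN,
# which is what Spark's GSSAPI login needs. Assumed: server app1.test.com.

$ServerFqdn = 'app1.test.com'
$Spn        = "xmpp/$ServerFqdn"

# Step 22: allow Java to read the TGT session key (takes effect after a reboot or re-logon).
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
Set-ItemProperty -Path $KerbParams -Name 'AllowTGTSessionKey' -Value 1 -Type DWord

# Step 23: krb5.ini must be present and name the realm.
$Krb5Ini = Join-Path $env:SystemRoot 'krb5.ini'
if (-not (Test-Path $Krb5Ini)) { Write-Warning "$Krb5Ini is missing (step 23)" }
elseif (-not (Select-String -Path $Krb5Ini -Pattern '^\s*default_realm\s*=' -Quiet)) {
    Write-Warning "$Krb5Ini has no default_realm line"
}

# Step 8 from the client's side: Java builds the SPN from the reverse lookup of the
# server's address, so the PTR record must give back the same FQDN.
function Test-ReverseLookup([string]$Fqdn) {
    $ip = [System.Net.Dns]::GetHostAddresses($Fqdn) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $rev = $null
    try { $rev = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
    [pscustomobject]@{ Fqdn = $Fqdn; IPAddress = $ip.ToString(); Reverse = $rev; Match = ($rev -eq $Fqdn) }
}

# Request a ticket for the SPN the way Spark will, and read back what the KDC issued.
function Get-ServiceTicketInfo([string]$ServicePrincipal) {
    $text = (& klist.exe get $ServicePrincipal 2>&1) | Out-String
    $srv  = [regex]::Match($text, 'Server:\s*(\S+)\s*@\s*(\S+)')
    $enc  = [regex]::Match($text, 'KerbTicket Encryption Type:\s*(.+)')
    if (-not $srv.Success) { return $null }
    [pscustomobject]@{
        Server  = $srv.Groups[1].Value
        Realm   = $srv.Groups[2].Value
        EncType = $enc.Groups[1].Value.Trim()
    }
}

Test-ReverseLookup $ServerFqdn
$ticket = Get-ServiceTicketInfo $Spn
if ($null -eq $ticket) {
    Write-Warning "No service ticket for $Spn. Check the SPN (setspn -Q $Spn on the DC), DNS and krb5.ini."
} else {
    "Ticket issued: $($ticket.Server)@$($ticket.Realm), encryption $($ticket.EncType)"
    if ($ticket.Server -cne $Spn) {
        Write-Warning "KDC returned '$($ticket.Server)'; the keytab and gss.conf principal must use that exact spelling."
    }
}
```

If the reverse lookup matches and a ticket is issued with an encryption type that gss.conf's keytab also contains (RC4-HMAC in the guide's setup), Spark's SSO login should succeed; if klist reports a ticket but Spark still fails, the remaining suspects are the keytab contents and case of the principal on the Openfire side.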

That's it, folks: 28 steps to single sign on with Openfire and Spark IM in a Windows Active Directory 2012 R2 domain.

For more lab guides, tips and tricks keep an eye out or drop me an email.

Openfire and Spark should only be used in an enterprise/corporate environment where SSO is configured and working. This is because, when not using SSO, the Spark IM client offers to save the user's Active Directory password on the client. Although the password is stored encrypted within the user's profile, the key is publicly available and is the same for every deployment, so anyone who can read the profile can recover the domain password. This is a security risk to be aware of.