SSO Kerberos v5

[AGNaumov]

У меня сервер OpenFire на CentOS 7. Сервер введен в Microsoft Active Directory. На сервере для локальной сети (пользователей домена) реализована SSO авторизация клиентов по xmpp.keytab Kerberos v5, протестировано на клиентах Spark и Miranda. Нужно реализовать SSO авторизацию через xmpp.keytab Kerberos v5

Google translation by translator:

I have an OpenFire server on CentOS 7. The server is entered into Microsoft Active Directory. The server for the local network (domain users) has SSO authentication of clients using xmpp.keytab Kerberos v5, tested on Spark and Miranda clients. Need to implement SSO authentication through xmpp.keytab Kerberos v5

[AGNaumov]

Исправил изначальное сообщение, в первоначальном сообщении нашёл мою ошибку.

Google translation by translator:

Corrected the original message, found my error in the original message

[deleolajide]

Pàdé supports Windows SSO through NTLM using Waffle. See https://github.com/igniterealtime/Pade/issues/66

I have no plans to support SSO via Kerberos as it is complicated to setup for a web browser.

[AGNaumov]

Pàdé supports Windows SSO through NTLM using Waffle. See #66

I have no plans to support SSO via Kerberos as it is complicated to setup for a web browser.

Да действительно есть сложности с настройкой веб браузера. Но они решаемы. Для Waffle нужно сервер openfire устанавливать на операционную систему Windows а у меня openfire установлен на операционной системе CentOS 7. SSO авторизация через xmpp.keytab Kerberos v5 - это универсальный способ подходящий для любого варианта установки сервера openfire. А с помощью GPO эти настройки можно сделать на всех компьютерах домена. Может попробуем реализовать? С меня тестирование. И инструкция по настройке, если в ней будет необходимость.

Google translation by translator:

Yes indeed there are difficulties with setting up a web browser. But they are solvable. For Waffle, you need to install the openfire server on the Windows operating system and I have openfire installed on the CentOS 7 operating system. SSO authentication via xmpp.keytab Kerberos v5 is a universal way suitable for any installation option of the openfire server. And with the help of GPO, these settings can be made on all computers in the domain. Can we try to implement? With me testing. And instructions for setting up if it is necessary.

[deleolajide]

I will investigate

[deleolajide]

I did some investigation and this is what I found.

1. There are NO changes needed to Pade in order to use Kerberos v5 SSO authentication. It will use the same method for Waffle NTM. It will request an access token for the user from the same secured web page used by Waffle in the Chat API plugin for Openfire. You may need to configure Chrome for Kerberos v5 SSO.

2. Changes are required in the Chat API Plugin for Openfire in order to support Kerberos v5 SSO authentication between Chrome browser and Jetty web server embedded in Openfire. I have made the required changes, but cannot confirm it works as I don't have a windows domain server to test with. Make sure you download and install openfire-chat-api plugin version 0.9.5 Release 1

In order to test this, you would need to:

1. Configure Pade for Windows SSO. See https://github.com/igniterealtime/Pade/issues/66.
2. Configure Openfire-Chat API for Kerberos. See screenshot below

Make sure you can access the secure web page at https://your-server:7443/sso/password from Openfire with NO prompt before you test Pade.

I used the following web pages for reference.

1. https://stackoverflow.com/questions/27427654/how-to-use-embedded-jetty-server-9-with-kerberos-authentication
2. https://discourse.igniterealtime.org/t/sso-configuration/49064

Best of luck

[AGNaumov]

Спасибо, буду пробовать. Пока занят чуть позже отпишусь.

Google translation by translator:

Thanks, I will try. While busy a little later accomplish your goal.

[AGNaumov]

Скачал и установил openfire-chat-api plugin version 0.9.5 Release 1. Возникла проблема со страницей https://your-server:7443/sso/password. Я правильно понимаю, что мне необходимо создать эту страницу через Jetty? (создать файл .java, скомпилировать его в .class и запустить на сервере openfire)

Google translation by translator:

Downloaded and installed openfire-chat-api plugin version 0.9.5 Release 1. There was a problem with the page https://your-server:7443/sso/password. Do I understand correctly that I need to create this page through Jetty? (create the file. java, compile it into .class and run on openfire server)

[deleolajide]

Do I understand correctly that I need to create this page through Jetty? (create the file. java, compile it into .class and run on openfire server)

No

Please download and install openfire-chat plugin. See https://github.com/igniterealtime/Openfire-Chat/releases/tag/v0.9.5-release1

Follow the steps here https://github.com/igniterealtime/Pade/issues/132#issuecomment-473236674

[AGNaumov]

Sample setup CentOS 7 OpenFire SSO via xmpp.keytab and http.keytab

A description of server configuration:

• Server is avalible from Internet and from Intranet

• Active Directory (AD DS): MYDOMAIN.LOC

• Domain name XMPP OpenFire: openfire.su

• Host name server OpenFire (FQDN): jabber.openfire.su Is important, letter case must be as in sample.

• Enter in the domain Active Directory (AD DS) the server CentOS 7 on which it is installed and configured OpenFire. After you enter the OpenFire server in the domain, you must create an Alias (GNAME) in the local DNS from the host name of the OpenFire server (FQDN):jabber.openfire.su to the name of the OpenFire server in the MS AD domain The actions of the controller AD

• In local DNS create a record DNS SRV Domain: openfire.su Service: _xmpp-client Protocol: tcp Port: 5222 Host of this service: jabber.openfire.su

• Make users on AD controller (username and password may be any) xmpp-openfire / Password http-openfire / Password

• Make a SPN and associate it with user account openfire-xmpp: setspn -A xmpp/jabber.openfire.su@MYDOMAIN.LOC openfire-xmpp ktpass -princ xmpp/jabber.openfire.su@MYDOMAIN.LOC -mapuser openfire-xmpp@mydomain.loc -pass Password -ptype KRB5_NT_PRINCIPAL

• Create file xmpp.keytab (path C:\Temp\http.keytab can be any): ktpass -princ xmpp/jabber.openfire.su@MYDOMAIN.LOC -mapuser openfire-xmpp@mydomain.loc -pass Password -ptype KRB5_NT_PRINCIPAL -out C:\Temp\xmpp.keytab

• Make a SPN and associate it with user account openfire-http: setspn -A HTTP/jabber.openfire.su@MYDOMAIN.LOC openfire-http ktpass -princ HTTP/jabber.openfire.su@MYDOMAIN.LOC -mapuser openfire-http@mydomain.loc -pass Password -ptype KRB5_NT_PRINCIPAL

• Create file http.keytab (path C:\Temp\http.keytab can be any): ktpass -princ HTTP/jabber.openfire.su@MYDOMAIN.LOC -mapuser openfire-http@mydomain.loc -pass Password -ptype KRB5_NT_PRINCIPAL -out C:\Temp\http.keytab

• The resulting files should be copied to the server OpenFire in folder /opt/openfire

What to do on the server OpenFire

• Create file gss.conf (for xmpp clients)

com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/opt/openfire/xmpp.keytab" doNotPrompt=true useKeyTab=true realm="MYDOMAIN.LOC" principal="xmpp/jabber.openfire.su@MYDOMAIN.LOC" isInitiator=false debug=false; };

• Create file spnego.conf (for Pade) ] com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/jabber.openfire.su@MYDOMAIN.LOC" keyTab="/opt/openfire/http.keytab" useKeyTab=true storeKey=true debug=false isInitiator=false; };

com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/jabber.openfire.su@MYDOMAIN.LOC" useKeyTab=true keyTab="/opt/openfire/http.keytab" storeKey=true debug=false isInitiator=false; };

• Create file spnego.properties (for Pade) targetName = HTTP/jabber.openfire.su

• Create file krb5.ini (for Pade) [libdefaults] default_realm = MYDOMAIN.LOC default_keytab_name = FILE:/opt/openfire/xmpp.keytab permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

[realms] MYDOMAIN.LOC = { kdc = ADSERVER.mydomain.loc admin_server = ADSERVER.mydomain.loc default_domain = MYDOMAIN.LOC }

[domain_realm] .mydomain.loc = MYDOMAIN.LOC mydomain.loc = MYDOMAIN.LOC

[appdefaults] autologin = true forwardable = true

• Set rights:

chown daemon:daemon /opt/openfire/conf/gss.conf chown daemon:daemon /opt/openfire/xmpp.keytab chmod 440 /opt/openfire/xmpp.keytab chown daemon:daemon /opt/openfire/conf/spnego.conf chown daemon:daemon /opt/openfire/conf/spnego.properties chown daemon:daemon /opt/openfire/conf/krb5.ini chown daemon:daemon /opt/openfire/http.keytab chmod 440 /opt/openfire/http.keytab

• Test keytabs: kinit -V -k -t /opt/openfire/xmpp.keytab xmpp/jabber.openfire.su@MYDOMAIN.LOC answer must be Authenticated to Kerberos v5

kinit -V -k -t /opt/openfire/http.keytab HTTP/jabber.openfire.su@MYDOMAIN.LOC answer must be Authenticated to Kerberos v5

• Delete the received tickets: kdestroy -A

• Open the web-site administration console Openfire, section System properties. Add parameters one by one (for xmpp clients):

sasl.gssapi.config = /opt/openfire/conf/gss.conf sasl.gssapi.debug = false sasl.gssapi.useSubjectCredsOnly = false sasl.mechs = GSSAPI, PLAIN sasl.realm = MYDOMAIN.LOC xmpp.fqdn = jabber.openfire.su Restart openfire systemctl restart openfire.service

• Next go to section Web Clients / Chat API (for Pade) In the feild Kerberos set the trigger Kerberos Enabled and add parameters Realm: MYDOMAIN.LOC Spnego Config: /opt/openfire/conf/spnego.properties Auth Login Config: /opt/openfire/conf/spnego.conf KRB5 Config: /opt/openfire/conf/krb5.ini Save settings

• Next go to the section Server / Server settings / Registration & Enter set the trigger in table SASL mechanism on OFCHAT (for Pade)

• Restart service OpenFire: systemctl restart openfire.service

• Check OpenFire: systemctl status openfire.service

• If it’s all OK, go to clients PC settings.

• On user PC open regedit and set this parameters (for xmpp clients) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters Add DWORD parameter AllowTGTSessionKey with the value 1.

• Reboot user PC. Tested on xmpp clients: Spark - SSO works correctly if: 1. Spark has started with administrative rights. 2. The computer was not locked since user login. Miranda – works OK. Pade - SSO KRB5 authorization does not work yet. Does not substitute the user and password.

[deleolajide]

Please make sure chat api plugin is enabled and restart openfire

First make sure SSO kerberos works between Chrome browser and Openfire Jetty web server by accessing web page https://jabber.openfire.su:7443/sso/password from your Chrome browser. I am assuming jabber.openfire.su is the FQDN of the openfire server and http-bind port is 7443.

If you get a browser username/password window, then it is not working. Recheck parameters or restart Openfire. You should NOT get a prompt and it should display you some data on the screen. If that happens, then you should test with Pade.

[AGNaumov]

Checked that Chat API is enabled. Still, when you try to log in, the login-password window appears.

Is it possible to view logs in jetty? We tested authorization from chrome on IIS, it works. It turns out that the problem is in the openfire settings and we can not yet find where exactly we need to configure.

[deleolajide]

To see Jetty logs, enable debug logging in openfire. For more info about configuring Jetty with Kerberos, start from here - https://stackoverflow.com/questions/27427654/how-to-use-embedded-jetty-server-9-with-kerberos-authentication