
SSO Kerberos v5 #132

Open
AGNaumov opened this issue Mar 11, 2019 · 12 comments

Comments

AGNaumov commented Mar 11, 2019

I have an OpenFire server on CentOS 7. The server is joined to Microsoft Active Directory. For the local network (domain users), SSO authentication of XMPP clients via xmpp.keytab Kerberos v5 is implemented on the server and has been tested with the Spark and Miranda clients. SSO authentication via xmpp.keytab Kerberos v5 needs to be implemented.

AGNaumov changed the title from "Name server settings, SSO Kerberos v5" to "SSO Kerberos v5" on Mar 11, 2019

AGNaumov (Author) commented

I corrected the original message; I found my mistake in the original message.

deleolajide (Member) commented

Pàdé supports Windows SSO through NTLM using Waffle.
See #66

I have no plans to support SSO via Kerberos as it is complicated to setup for a web browser.

AGNaumov (Author) commented Mar 11, 2019

Pàdé supports Windows SSO through NTLM using Waffle.
See #66

I have no plans to support SSO via Kerberos as it is complicated to setup for a web browser.

Yes, there really are difficulties with configuring the web browser, but they are solvable. For Waffle, the Openfire server has to be installed on the Windows operating system, whereas my Openfire is installed on CentOS 7. SSO authentication via xmpp.keytab Kerberos v5 is a universal method suitable for any Openfire server installation. And with GPO these settings can be applied to all computers in the domain.
Shall we try to implement it? I will do the testing, and write setup instructions if they are needed.

deleolajide (Member) commented

I will investigate

deleolajide reopened this Mar 11, 2019

deleolajide (Member) commented

I did some investigation and this is what I found.

  1. There are NO changes needed to Pade in order to use Kerberos v5 SSO authentication. It will use the same method for Waffle NTLM. It will request an access token for the user from the same secured web page used by Waffle in the Chat API plugin for Openfire. You may need to configure Chrome for Kerberos v5 SSO.

  2. Changes are required in the Chat API Plugin for Openfire in order to support Kerberos v5 SSO authentication between Chrome browser and Jetty web server embedded in Openfire. I have made the required changes, but cannot confirm it works as I don't have a windows domain server to test with. Make sure you download and install openfire-chat-api plugin version 0.9.5 Release 1

In order to test this, you would need to:

  1. Configure Pade for Windows SSO. See Implement Single Sign On (SSO) for Windows Enterprise Users #66.
  2. Configure Openfire-Chat API for Kerberos. See screenshot below

[screenshot: Chat API Kerberos settings]

Make sure you can access the secure web page at https://your-server:7443/sso/password from Openfire with NO prompt before you test Pade.

I used the following web pages for reference.

  1. https://stackoverflow.com/questions/27427654/how-to-use-embedded-jetty-server-9-with-kerberos-authentication
  2. https://discourse.igniterealtime.org/t/sso-configuration/49064

Best of luck

AGNaumov (Author) commented

Thanks, I will try. I am busy right now; I will report back a little later.

AGNaumov (Author) commented

I downloaded and installed openfire-chat-api plugin version 0.9.5 Release 1. There is a problem with the page https://your-server:7443/sso/password. Do I understand correctly that I need to create this page via Jetty? (create a .java file, compile it to .class and run it on the Openfire server)

deleolajide (Member) commented

Do I understand correctly that I need to create this page via Jetty? (create a .java file, compile it to .class and run it on the Openfire server)

No

Please download and install openfire-chat plugin. See https://github.com/igniterealtime/Openfire-Chat/releases/tag/v0.9.5-release1

Follow the steps here #132 (comment)

AGNaumov (Author) commented Apr 5, 2019

Sample setup: CentOS 7, OpenFire SSO via xmpp.keytab and http.keytab

Description of the server configuration:

  • The server is available from the Internet and from the intranet

  • Active Directory (AD DS): MYDOMAIN.LOC

  • XMPP domain name of OpenFire: openfire.su

  • Host name of the OpenFire server (FQDN): jabber.openfire.su
    Important: the letter case must be as in the sample.

  • Join the CentOS 7 server on which OpenFire is installed and configured to the Active Directory (AD DS) domain.
    After joining the OpenFire server to the domain, you must create an alias (CNAME) in the local DNS from the OpenFire server host name (FQDN) jabber.openfire.su to the name of the OpenFire server in the MS AD domain.

Actions on the AD controller:

  • In local DNS create a record DNS SRV
    Domain: openfire.su
    Service: _xmpp-client
    Protocol: tcp
    Port: 5222
    Host of this service: jabber.openfire.su

  • Create users on the AD controller (username and password may be anything):
    xmpp-openfire / Password
    http-openfire / Password

  • Create an SPN and associate it with the user account openfire-xmpp:
    setspn -A xmpp/[email protected] openfire-xmpp
    ktpass -princ xmpp/[email protected] -mapuser [email protected] -pass Password -ptype KRB5_NT_PRINCIPAL

  • Create the file xmpp.keytab (the path C:\Temp\http.keytab can be anything):
    ktpass -princ xmpp/[email protected] -mapuser [email protected] -pass Password -ptype KRB5_NT_PRINCIPAL -out C:\Temp\xmpp.keytab

  • Create an SPN and associate it with the user account openfire-http:
    setspn -A HTTP/[email protected] openfire-http
    ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass Password -ptype KRB5_NT_PRINCIPAL

  • Create the file http.keytab (the path C:\Temp\http.keytab can be anything):
    ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass Password -ptype KRB5_NT_PRINCIPAL -out C:\Temp\http.keytab

  • Copy the resulting files to the OpenFire server into the folder /opt/openfire

What to do on the OpenFire server

  • Create the file gss.conf (for XMPP clients):

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/opt/openfire/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="MYDOMAIN.LOC"
        principal="xmpp/[email protected]"
        isInitiator=false
        debug=false;
    };

  • Create the file spnego.conf (for Pade):

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]"
        keyTab="/opt/openfire/http.keytab"
        useKeyTab=true
        storeKey=true
        debug=false
        isInitiator=false;
    };

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]"
        useKeyTab=true
        keyTab="/opt/openfire/http.keytab"
        storeKey=true
        debug=false
        isInitiator=false;
    };

  • Create the file spnego.properties (for Pade):

    targetName = HTTP/jabber.openfire.su

  • Create the file krb5.ini (for Pade):

    [libdefaults]
    default_realm = MYDOMAIN.LOC
    default_keytab_name = FILE:/opt/openfire/xmpp.keytab
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
    MYDOMAIN.LOC = {
        kdc = ADSERVER.mydomain.loc
        admin_server = ADSERVER.mydomain.loc
        default_domain = MYDOMAIN.LOC
    }

    [domain_realm]
    .mydomain.loc = MYDOMAIN.LOC
    mydomain.loc = MYDOMAIN.LOC

    [appdefaults]
    autologin = true
    forwardable = true

  • Set permissions:

    chown daemon:daemon /opt/openfire/conf/gss.conf
    chown daemon:daemon /opt/openfire/xmpp.keytab
    chmod 440 /opt/openfire/xmpp.keytab
    chown daemon:daemon /opt/openfire/conf/spnego.conf
    chown daemon:daemon /opt/openfire/conf/spnego.properties
    chown daemon:daemon /opt/openfire/conf/krb5.ini
    chown daemon:daemon /opt/openfire/http.keytab
    chmod 440 /opt/openfire/http.keytab

  • Test the keytabs:

    kinit -V -k -t /opt/openfire/xmpp.keytab xmpp/[email protected]
    The output must be: Authenticated to Kerberos v5

    kinit -V -k -t /opt/openfire/http.keytab HTTP/[email protected]
    The output must be: Authenticated to Kerberos v5

  • Delete the obtained tickets:
    kdestroy -A

  • Open the Openfire web administration console, section System Properties, and add the parameters one by one (for XMPP clients):

    sasl.gssapi.config = /opt/openfire/conf/gss.conf
    sasl.gssapi.debug = false
    sasl.gssapi.useSubjectCredsOnly = false
    sasl.mechs = GSSAPI, PLAIN
    sasl.realm = MYDOMAIN.LOC
    xmpp.fqdn = jabber.openfire.su

    Restart Openfire: systemctl restart openfire.service

  • Next go to the section Web Clients / Chat API (for Pade).
    In the Kerberos field, set the Kerberos Enabled toggle and add the parameters:
    Realm: MYDOMAIN.LOC
    Spnego Config: /opt/openfire/conf/spnego.properties
    Auth Login Config: /opt/openfire/conf/spnego.conf
    KRB5 Config: /opt/openfire/conf/krb5.ini
    Save the settings.

[screenshot: Chat API Kerberos settings]

  • Next go to the section Server / Server Settings / Registration & Login and set the toggle in the SASL Mechanism table for OFCHAT (for Pade)

[screenshot: SASL mechanism table with OFCHAT enabled]

  • Restart the OpenFire service: systemctl restart openfire.service

  • Check OpenFire: systemctl status openfire.service

  • If everything is OK, go to the client PC settings.

  • On the user PC, open regedit and set this parameter (for XMPP clients):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Add the DWORD parameter AllowTGTSessionKey with the value 1.

  • Reboot the user PC.
    Tested on XMPP clients:
    Spark: SSO works correctly if 1. Spark has been started with administrative rights, and 2. the computer has not been locked since the user logged in.
    Miranda: works OK.
    Pade: SSO KRB5 authorization does not work yet; it does not fill in the user and password.
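A check script for the setup above, added here as an example; it is not part of Openfire, the Chat API plugin or Pade. It verifies that the principal in each JAAS config is the SPN the matching keytab should hold, that keytab permissions match the chmod 440 step, that kinit succeeds from each keytab, and then probes the /sso/password page the way the browser test above does (assumes MIT kinit/kdestroy, curl built with GSS-API/Negotiate support, and the /opt/openfire paths, realm and FQDN used in this issue; the `check [REALM] [FQDN]` arguments are my own convention).

```bash
#!/usr/bin/env bash
# Added consistency check for the SPNEGO setup above; not part of Openfire, the Chat API
# plugin or Pade. Realm, FQDN, ports and file paths are the ones used in this issue.
set -u

# Service principal a keytab / JAAS entry must carry, e.g. HTTP/jabber.openfire.su@MYDOMAIN.LOC
expected_spn() { printf '%s/%s@%s\n' "$1" "$2" "$3"; }   # args: service fqdn realm

# Print the principal="..." of one JAAS section (e.g. com.sun.security.jgss.accept) in a file.
jaas_principal() {                                         # args: file section
  awk -v sec="$2" '
    index($0, sec " {") { insec = 1 }
    insec && match($0, /principal="[^"]+"/) { print substr($0, RSTART + 11, RLENGTH - 12); exit }
    insec && /^[[:space:]]*};/ { insec = 0 }' "$1"
}

# Keytabs hold long-term keys: the setup uses chmod 440, so reject anything readable by others.
keytab_mode_ok() {                                         # arg: file
  case "$(stat -c %a "$1" 2>/dev/null)" in 400|440|600|640) return 0 ;; *) return 1 ;; esac
}

# True when a captured HTTP response header block offers SPNEGO (browser negotiates, no prompt).
negotiate_offered() { grep -qi '^WWW-Authenticate: *Negotiate' "$1"; }

# Live probe of the Chat API SSO page: an anonymous request must get a Negotiate challenge, and
# a request carrying a Kerberos ticket (curl --negotiate -u :, after kinit) must get HTTP 200.
sso_probe() {                                              # arg: url
  hdr=$(mktemp)
  curl -sk -o /dev/null -D "$hdr" "$1"
  negotiate_offered "$hdr" || { echo "no Negotiate challenge from $1"; rm -f "$hdr"; return 1; }
  rm -f "$hdr"
  code=$(curl -sk --negotiate -u : -o /dev/null -w '%{http_code}' "$1")
  [ "$code" = 200 ] || { echo "Negotiate failed with HTTP $code"; return 1; }
  echo "SSO OK via $1"
}

if [ "${1:-}" = check ]; then                              # usage: sso-check.sh check [REALM] [FQDN]
  REALM=${2:-MYDOMAIN.LOC}; FQDN=${3:-jabber.openfire.su}; fail=0
  for svc in xmpp HTTP; do
    case $svc in
      xmpp) conf=/opt/openfire/conf/gss.conf;    kt=/opt/openfire/xmpp.keytab ;;
      HTTP) conf=/opt/openfire/conf/spnego.conf; kt=/opt/openfire/http.keytab ;;
    esac
    want=$(expected_spn "$svc" "$FQDN" "$REALM"); got=$(jaas_principal "$conf" com.sun.security.jgss.accept)
    [ "$got" = "$want" ] || { echo "$conf: principal '$got' != expected '$want'"; fail=1; }
    keytab_mode_ok "$kt" || { echo "$kt: mode too open, expected 440"; fail=1; }
    if kinit -k -t "$kt" "$want" >/dev/null 2>&1; then kdestroy -A; else echo "kinit failed: $want from $kt"; fail=1; fi
  done
  [ $fail = 0 ] && sso_probe "https://$FQDN:7443/sso/password"
fi
```

Run it on the Openfire host as the same user that the keytab permissions allow; a principal mismatch or an open keytab is reported before any network probe, and a missing Negotiate challenge means Jetty is not configured for SPNEGO at all, which shows up in the browser as the username/password prompt.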

deleolajide (Member) commented

Please make sure chat api plugin is enabled and restart openfire

[screenshot: Chat API plugin enabled in the plugin list]

First make sure SSO kerberos works between Chrome browser and Openfire Jetty web server by accessing web page https://jabber.openfire.su:7443/sso/password from your Chrome browser. I am assuming jabber.openfire.su is the FQDN of the openfire server and http-bind port is 7443.

If you get a browser username/password window, then it is not working. Recheck parameters or restart Openfire. You should NOT get a prompt and it should display you some data on the screen. If that happens, then you should test with Pade.

AGNaumov (Author) commented Apr 8, 2019

Checked that Chat API is enabled. Still, when you try to log in, the login-password window appears.

Is it possible to view logs in Jetty? We tested authorization from Chrome on IIS, and it works. It turns out that the problem is in the Openfire settings, and we cannot yet find where exactly we need to configure.

deleolajide (Member) commented

To see Jetty logs, enable debug logging in openfire.
For more info about configuring Jetty with Kerberos, start from here - https://stackoverflow.com/questions/27427654/how-to-use-embedded-jetty-server-9-with-kerberos-authentication
