
Openfire XMPP Server on Windows Server 2012 R2 with Spark SSO

28 steps for configuring single sign on for Openfire 3.10.3 and Spark 2.7.3 with an Active
Directory Domain Services domain with a functional level of Windows Server 2012 R2.

This is the second article in a series I intend to publish to the ignite realtime
community. My first article covered configuring single sign on for Windows Server 2008 R2
and can be found here: https://community.igniterealtime.org/docs/DOC-2706

Future articles could include the configuration for Windows 8.1 and Windows 10 single sign
on.

This article was kindly funded by a member of the ignite realtime community who says:

“Without the efforts and ability of those who do this work and make it available for others,
many of our favourite programs would disappear so I appreciate every time I read a well-
documented process.” Community Member, California USA

Software Prerequisites

Windows Server 2012 R2

Windows 7 x64 SP1

Openfire 3.10.3 http://www.igniterealtime.org/downloads/download-landing.jsp?file=openfire/openfire_3_10_3.exe

Spark 2.7.3 http://www.igniterealtime.org/downloads/download-landing.jsp?file=spark/spark_2_7_3.exe

My Lab Setup

To test and document the configuration required to enable single sign on in a Windows
Server 2012 R2 domain, I built three virtual machines on my HP MicroServer with VMware
ESXi 6 as the host’s hypervisor.

AD1.test.com 10.0.0.1 Windows Server 2012 R2, Active Directory Domain Controller + DNS

APP1.test.com 10.0.0.2 Windows Server 2012 R2, Openfire Application Server

CLIENT1.test.com 10.0.0.3 Windows 7 x64 SP1, Spark IM client

Jonathan Murch
jonathansmurch@gmail.com Page 1

Step by Step
Active Directory Configuration
Log on to the Domain Controller with a domain Administrator account.

1. Create a new account; for the lab I will use the logon name xmpp-openfire. Give the
account a secure password and record it for later, and clear the User must change
password at next logon flag. The account only needs to be a member of the Domain
Users security group. You can use whichever naming convention you wish for your
environment.

2. On the Account tab of the xmpp-openfire account, set the Account options to:
 - User cannot change password
 - Password never expires
 - Do not require Kerberos preauthentication

3. Create a standard user account; I created my own account Jonathan for testing later on.

4. Open an elevated command prompt and use the setspn utility to create a service
principal name and assign it to the xmpp-openfire account (setspn must be run from an
elevated command prompt):
setspn -U -S XMPP/app1.test.com xmpp-openfire
Replace app1.test.com with the fully qualified domain name of your Openfire application
server.

5. From the same command prompt use the ktpass utility to map the Kerberos XMPP
service principal name created in the previous step to the xmpp-openfire account.
ktpass /princ XMPP/app1.test.com@TEST.COM /mapuser xmpp-openfire@test.com /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
xmpp-openfire@test.com is the full Active Directory username of the account. If you do
not append the name of the Active Directory domain in which the account was created, the
utility may not be able to find the user account in Active Directory and will report an
error. The /pass * parameter tells ktpass to prompt you for the password of the
xmpp-openfire account.


6. From the same command prompt use the ktpass utility to create and export a keytab file.
As above, the utility will prompt for the xmpp-openfire account password.
ktpass /princ xmpp/app1.test.com@TEST.COM /mapuser xmpp-openfire@test.com /pass * /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /out c:\xmpp.keytab

Keep the xmpp.keytab file safe for later as it will be needed during Openfire
configuration.

7. Configure group policy:
(a) Enable the encryption types allowed to be used for Kerberos. To simplify things in
this lab I applied the settings to the Default Domain Policy group policy object. On the
domain controller open: Control Panel, System and Security, Administrative Tools,
Group Policy Management
 - Computer Configuration > Policies > Windows Settings > Security Settings > Local
Policies > Security Options: Network Security: Configure encryption types allowed
for Kerberos
 - Enable all encryption types
(b) Also for the lab I disabled the Windows Firewall across the domain.
 - Computer Configuration > Policies > Windows Settings > Security Settings
> Windows Firewall with Advanced Security

8. In the domain name system (DNS) you will need a reverse lookup zone for the
subnet your servers are connected to, because the Spark client uses the Link Local
Multicast Name Resolution (LLMNR) protocol to perform name resolution for the
Openfire application server. Once you have created the zone, reboot your Openfire
application server and it will automatically add its own pointer (PTR) record to the
reverse lookup zone. Your Windows clients should also add their own records to the
zone, which is required.


Openfire Application Server Configuration

Log on to the Openfire Application Server with a domain Administrator account.

9. Install Openfire 3.10.3 from openfire_3_10_3.exe accepting all defaults.

10. Open a command prompt and change directory to: C:\Program Files (x86)\Openfire\bin\

11. From that command prompt run: openfire-service /install to install Openfire as a
Windows service. This has the benefit of the application starting and stopping with the
server.

12. From the same command prompt run: openfire-service /start to start the installed
service.

13. Add to the registry the following key, this change allows java to access the windows
Kerberos ticket cache:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

14. Back at step 6 we created the xmpp.keytab file; copy this to the Openfire application
server and save it to: C:\Program Files (x86)\Openfire\resources

15. Create a GSSAPI configuration file named gss.conf in
C:\Program Files (x86)\Openfire\conf with Notepad. Here is my example:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="TEST.COM"
    principal="xmpp/app1.test.com@TEST.COM"
    debug=true;
};


The realm is your Kerberos realm and typically the Active Directory domain. The
principal is from step 4, where we bound the service principal name to the Active Directory
account.

The last line of the gss.conf file, debug=true, will tell Openfire to debug and log any
GSSAPI errors. This is useful while configuring SSO to track down any problems. Once
you have confirmed everything is working you can set it to debug=false. Also, make sure
you use / (forward slash) instead of \ (backward slash) in the keytab path.
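Before pointing gss.conf at the keytab it is worth confirming what the file actually contains, because the ktpass commands above spell the principal both XMPP/ and xmpp/ and the name the login module looks up must match exactly. The parser below is added example code written for this article, not part of Openfire or the original text: parse_keytab, check_keytab, build_entry and the constructed SAMPLE_KEYTAB (one RC4-HMAC entry with a dummy 16-byte key) are my own names, and it assumes the file is in the MIT keytab layout, version 0x0502, that ktpass /out writes.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def _octets(buf, pos):  # counted_octet_string: uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{principal, enctype, kvno, key}] for every entry in a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "not a version 0x0502 keytab"
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)      # bytes that follow this field
        pos, end = pos + 4, pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)               # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        kvno = data[pos + 8]                              # vno8 follows uint32 name_type, uint32 timestamp
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _octets(data, pos + 11)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": etype, "kvno": kvno, "key": key})
        pos = end                                         # also skips an optional 32-bit kvno
    return entries

def check_keytab(data, principal, permitted_enctypes):
    """Problems to fix before pointing gss.conf at the file; the principal match is exact."""
    entries, problems = parse_keytab(data), []
    if not any(e["principal"] == principal for e in entries):
        problems.append("no entry for %s (check ktpass /princ, including case)" % principal)
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"])
        if name not in permitted_enctypes:
            problems.append("enctype %s is not in permitted_enctypes" % name)
    return problems

def build_entry(principal, etype, key, kvno=2):  # packs one entry; used only for the sample
    comps = principal.split("@")[0].split("/")
    body = struct.pack(">H", len(comps))
    for s in [principal.split("@")[1]] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)               # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry("xmpp/app1.test.com@TEST.COM", 23, b"\x11" * 16)
```

Run check_keytab on the real xmpp.keytab with the principal from gss.conf and the permitted_enctypes list from krb5.ini; every string it returns is something to fix before restarting Openfire.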

16. Create a Kerberos configuration file with Notepad and save it as krb5.ini in C:\Windows
on the server. Here's my example of what the krb5.ini file should look like. Note that the
section name is [domain_realm] (singular) and that it maps your own DNS domain, here
test.com, to the realm:

[libdefaults]
default_realm = TEST.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
TEST.COM = {
    kdc = ad1.test.com
    admin_server = ad1.test.com
    default_domain = test.com
}

[domain_realm]
test.com = TEST.COM
.test.com = TEST.COM
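To see how a client turns the Openfire host name into a realm, here is an added example (written for this article; not part of the original text, Spark or the Java runtime) that reads a krb5.ini in the shape above and applies the [domain_realm] lookup rule: the exact host name first, then each parent domain with a leading dot, otherwise default_realm. parse_krb5, realm_for_host, lint and the constructed SAMPLE_INI are my own names; the sample keeps domain_realm entries for domain.com rather than the lab's test.com, so the lookup for app1.test.com falls through to default_realm, and lint flags a misspelled section such as [domain_realms], which the Kerberos library would silently ignore.

```python
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}

def parse_krb5(text):
    """Read krb5.ini into {section: {key: value}}; keys inside 'X = { }' blocks become 'X.key'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections.setdefault(section, {})
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                              # start of a block such as TEST.COM = {
                block = key
            else:
                sections.setdefault(section, {})[block + "." + key if block else key] = value
    return sections

def realm_for_host(cfg, host):
    """[domain_realm] lookup: exact host, then parent domains with a leading dot, else default_realm."""
    host, mapping = host.lower(), cfg.get("domain_realm", {})
    if host in mapping:
        return mapping[host], "exact host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "domain entry " + parent
    return cfg["libdefaults"]["default_realm"], "default_realm fallback"

def lint(cfg):
    """Section names the Kerberos library does not know and therefore silently ignores."""
    return ["unknown section [%s]" % s for s in cfg if s not in KNOWN_SECTIONS]

# Constructed sample in the shape of the article's file; its domain_realm entries cover domain.com, not test.com.
SAMPLE_INI = """[libdefaults]
default_realm = TEST.COM
[realms]
TEST.COM = {
kdc = ad1.test.com
}
[domain_realm]
domain.com = TEST.COM
.domain.com = TEST.COM
"""
```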


17. I chose to install Google Chrome to access the Openfire administrator console; I used
the offline installer available from here:
http://www.google.com/chrome/eula.html?system=true&standalone=1

18. Open the Openfire administrator console, for me this was: http://10.0.0.2:9090 and
complete the setup. The screenshots below represent my configuration.


19. Log in to the Openfire admin console and enable GSSAPI by adding and saving the
following properties in the System Properties section, being sure to replace my realm with
your own:

Property Name                      Property Value
authorization.classList            org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
sasl.gssapi.config                 C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug                  true or false
sasl.gssapi.useSubjectCredsOnly    False
sasl.mechs                         GSSAPI
sasl.realm                         TEST.COM
xmpp.fqdn                          app1.test.com

20. Restart the Openfire service for the changes to apply, and check the configuration is
reflected in the System Properties section on the Openfire administration console.

21. Reboot the server for the changes to take effect (the registry change in step 13).


Windows 7 x64 SP1 and Spark Client Configuration

Log on to the Windows 7 client with a domain Administrator account.

22. Add to the registry the following key, this change allows java to access the windows
Kerberos ticket cache:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

23. Copy the krb5.ini we created in step 16 from C:\Windows on the Openfire application
server to C:\Windows on the Windows 7 client.

24. Install Spark 2.7.3 from spark_2_7_3.exe accepting all defaults.

25. Restart the Windows 7 client for the changes to take effect.

26. Log in to the Windows 7 client with the domain user account created in step 3.

27. Open the Spark IM client and select the Advanced button, then the SSO tab, tick
Use Single Sign-On (SSO) via GSSAPI, and select OK.

28. Select Login.

That's it, folks: 28 steps to single sign on with Openfire and Spark IM in a Windows Active
Directory 2012 R2 domain.

For more lab guides, tips and tricks keep an eye out or drop me an email.

Openfire and Spark should only be used in an enterprise/corporate environment where SSO is configured and
working. This is due to a vulnerability that gives Spark IM clients the ability to save the user's Active Directory
password if not using SSO. Although the password is saved encrypted within the user's profile, the key is
publicly available and is the same for each deployment. This is a security risk to be aware of.

