SSO for Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 + Spark 2.6.3 + AD W2k8 (not R2)

Hi all!

I solved the SSO trouble after some days of hard work.



Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 with MySQL.

Openfire server name: openfireserver

AD Server – Windows 2008 Standard (Kerberos encryption RC4-HMAC-NT by default)

Domain: realm.local

Workstations Windows XP Pro and Windows 7 Pro x32/x64.

Jabber-client Spark 2.6.3


Installation steps (MySQL, Samba, Sun Java already installed):

1) Log in as root.


2) Some checks:

# cat /etc/issue

Debian GNU/Linux 7.0 \n \l


# smbd -V

Version 3.6.6


# mysql -V

mysql  Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2


# java -version

java version “1.7.0_21”

Java(TM) SE Runtime Environment (build 1.7.0_21-b11)

Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)


3) Create database “openfire” and MySQL user “openfire”:

# mysql -p

Enter password: type_mysql_root_pass

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 49

Server version: 5.5.31-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective


Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.


mysql> CREATE DATABASE openfire;

Query OK, 1 row affected (0.00 sec)


mysql> GRANT ALL PRIVILEGES ON openfire.* TO ‘openfire’@’localhost’ IDENTIFIED BY ‘PasswordGoldFish’ WITH GRANT OPTION;

Query OK, 0 rows affected (0.00 sec)



Query OK, 0 rows affected (0.00 sec)


mysql> exit



4) Download and install Openfire server.

# cd /tmp

# wget ll.deb

100%[==================================>] 12 838 026  2,92M/s   за 7,6s

2013-05-28 12:58:04 (1,62 MB/s) – «downloadServlet?filename=openfire%2Fopenfire_3.8.1_all.deb» saved [12838026/12838026]

/tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb openfire_3.8.1_all.deb

/tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb

/tmp# dpkg -i openfire_3.8.1_all.deb

Warning: /var/lib/openfire

Starting openfire: openfire

# /etc/init.d/openfire stop

Stopping openfire: openfire.

Change owner:

# chown -R openfire:openfire /var/lib/openfire

# /etc/init.d/openfire start

Starting openfire: openfire.


5) Go to the browser (e.g. Mozilla Firefox):


Choose language (default English)


Type domain name: openfireserver.realm.local


Choose “Standard Database Connection”

Pick preset MySQL

Replace [hostname] with localhost and [database-name] with openfire

Type Username: openfire

Type Password: PasswordGoldFish

Press “Continue”


Profile, Step 1:

Choose “Directory Server (LDAP)”

Select Server Type: Active Directory

Type Host: realm.local

Type Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local

Type Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local

Type Password: Password_LDAP

For this step I created an AD user named LDAP with a non-expiring password: Password_LDAP


Steps 2 & 3: save without changes.


Add an Administrator account; it is any account in the Base DN.

Type the administrator login and press Add.

If all is successful, then press “Continue”.


Openfire Setup Complete, log in to the Openfire Admin Console as administrator.

After that go to the Users section and see all accounts of the Base DN.


All fine, and all users from the Base DN can use it, but my goal is SSO with AD accounts (the main problem: Spark locking users' accounts after password changes).


6) Settings for Samba:

# nano /etc/samba/smb.conf


[global]
workgroup = REALM

security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
kerberos method = secrets and keytab
winbind refresh tickets = yes
password server = realm.local
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes


7) Settings for Kerberos:

# nano /etc/krb5.conf


[libdefaults]
default_realm = REALM.LOCAL
kdc_timesync = 1
forwardable = true
proxiable = true
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
REALM.LOCAL = {
    kdc = realm.local
    admin_server = realm.local
    default_domain = REALM.LOCAL
}

[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL


8) Restart Samba

# /etc/init.d/samba restart


9) Join Debian server to AD:

# net ads join -U DomainAdminAccount -D REALM.LOCAL


# net rpc join -U DomainAdminAccount


10) Join check:

# net ads testjoin

Join is OK

# net rpc testjoin

Join to ‘REALM’ is OK


11) DNS check:

# nslookup

> openfireserver



Name:   openfireserver.realm.local




Address:       name = openfireserver.realm.local.

> exit


The next five steps are executed on the PDC, Windows Server 2008.


12) Create the user account xmpp-openfire with a non-expiring password and the “Do not require Kerberos preauthentication” option enabled.


13) Create the SPN and link it with the account xmpp-openfire:

Run the command prompt as Administrator.

>setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire

>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL


14) If you will use JRE6 for creating/checking the keytab, you need to create on the PDC the file C:\Windows\krb5.ini with this content:


[libdefaults]
default_realm = REALM.LOCAL

[realms]
REALM.LOCAL = {
    kdc = realm.local
    admin_server = realm.local
    default_domain = REALM.LOCAL
}

[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL


15) Create the keytab file (needs JRE6 preinstalled):

> cd "C:\Program Files (x86)\Java\jre6\bin"

C:\Program Files (x86)\Java\jre6\bin>ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL

or without a JRE:

>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


16) Check the created keytab file (needs JRE6 preinstalled):

C:\Program Files (x86)\Java\jre6\bin>kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL


17) Place the checked xmpp.keytab file on the Openfire server in /usr/share/openfire/resources

Change owner:

# chown openfire:openfire xmpp.keytab


18) Check the copied xmpp.keytab file on the Openfire server

# kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL
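The kinit checks in steps 16 and 18 prove the keytab works against the KDC. The parser below is an added example, not code from the original post: it reads the keytab file offline (MIT keytab format 0x502, which ktab and ktpass both write) and confirms it holds the xmpp SPN from step 13 with the rc4-hmac enctype (23) that the Windows 2008 KDC issues by default. The sample keytab bytes are constructed inside the code with a dummy key; to check a real file, pass `open("/usr/share/openfire/resources/xmpp.keytab", "rb").read()` to `keytab_has_spn`.

```python
import struct

XMPP_SPN = "xmpp/openfireserver.realm.local@REALM.LOCAL"  # SPN registered in step 13
RC4_HMAC = 23  # enctype number of rc4-hmac, the Windows 2008 KDC default

def _cs(s):  # counted octet string: uint16 big-endian length followed by the bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_entry(principal, enctype, key, kvno=3, timestamp=1369742284):
    # One MIT keytab (version 0x502) entry; name_type 1 = KRB5_NT_PRINCIPAL, as in ktpass -ptype.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, timestamp, kvno, enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno trailer that current ktab/ktpass write
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab with a dummy 16-byte RC4 key: not a key from any real server.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(XMPP_SPN, RC4_HMAC, b"\x11" * 16)

def parse_keytab(data):
    """Return a list of (principal, enctype, kvno) tuples from MIT keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        _name_type, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen              # step over the key material without exposing it
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        pos = end
    return entries

def keytab_has_spn(data, principal=XMPP_SPN, enctype=RC4_HMAC):
    # True when the keytab holds the SPN with the enctype the KDC will actually issue.
    return any(p == principal and e == enctype for p, e, _ in parse_keytab(data))
```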


19) Create the file /etc/openfire/gss.conf with content: {












20) Then change/add the following keys in the system properties in the Openfire Admin Console:

sasl.gssapi.config /etc/openfire/gss.conf

sasl.gssapi.debug false

sasl.gssapi.useSubjectCredsOnly false

sasl.mechs GSSAPI

sasl.realm REALM.LOCAL

xmpp.fqdn openfireserver.realm.local


21) Restart Openfire

# /etc/init.d/openfire restart


22) Install Spark 2.6.3 with JRE on the Windows workstation.


23) Change the registry:


(For XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)

Add key AllowTGTSessionKey, type DWORD, value 1


24) Place in C:\Windows the file krb5.ini with content:


[libdefaults]
default_realm = REALM.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
REALM.LOCAL = {
    kdc = realm.local
    admin_server = realm.local
    default_domain = REALM.LOCAL
}

[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL


25) Reboot the workstation.


26) In Spark choose “Use Single Sign-On (SSO) via GSSAPI”, type openfireserver into the server field and log in.


On XP all is fine, but on W7 SSO in Spark works only when run as an Administrator account.


If I find a solution for this problem, to be continued…



The reason why Spark SSO doesn’t work on Windows 7 without elevated privileges is because of UAC.


If the user has limited privileges, it works fine.


But if the user is a local admin, you need to either elevate always, or deactivate UAC.


Also, you can run Spark as a scheduled task with elevated privileges to sidestep UAC.