So, it’s actually not that hard to get this to work. You need to create three new Java files, one for each of the following:

• One that implements AdminProvider.java (if you want to pull admins from the IIS database)
• One that implements UserProvider.java (to list all/active users from IIS)
• One that implements AuthProvider.java (to actually do the authentication)

Implementing the admin provdier and the user provider is straightfoward, just follow the JDBC examples that are provided. One thing to note is that the IIS databse is keyed off of some GUID, and the actual user account fields (E-mail, name, etc) are in a different table, so you have to do a query to figure out the IIS ID, then use that to figure out the rest of the account fields, ie.

SELECT TOP 1 UserId FROM dbo.aspnet_Users WHERE LoweredUserName = ?

Then to get the E-mail (after you have the IIS ID)

SELECT TOP 1 Email FROM dbo.aspnet_Membership WHERE UserId = ?

Doing the actual authentication is very easy, just take the username given to you by openfire, clean it up (it’s sometimes user@host — the @host part is not really part of the username) and figure out the IIS ID based on the username you’re given.

Then you can do a query to figure out the password & password hash

SELECT TOP 1 Password, PasswordSalt FROM dbo.aspnet_Membership WHERE UserId = ?

With that you have all you need to encrypt the password that’s given to you — here’s the algorithm:

Note — all of the utils are included with OpenFire (ie. decodeHex(...), Base64...)

private static String encryptPassword(String password, String salt)
{
    if(password == null || salt == null)
        return "";

    try
    {
        byte[] bytes = password.getBytes("UTF-16LE");
        byte[] src = Base64.decode(salt);
        byte[] dst = new byte[src.length + bytes.length];

        System.arraycopy(src, 0, dst, 0, src.length);
        System.arraycopy(bytes, 0, dst, src.length, bytes.length);

        // Calculate the SHA1
        byte[] hashed = StringUtils.decodeHex(StringUtils.hash(dst, "SHA-1"));
        return Base64.encodeBytes(hashed);
    } 
    catch (UnsupportedEncodingException e)
    {
        Log.error("UTF-16LE encoding not suported");
    }

    return "";
}

Just compare the result of this function with the IIS database’s password field and you’ll be off and running.

Another thing to note with the Admin provider: the AdminManager that openfire uses caches the results. It looks like the results get cached when the system starts — so it’s not really possible to keep the list of admins in sync with IIS. I’m still mulling over that one to figure out what the best approach will be. I might just remove the caching all together (AdminManager just holds a list of admins in memory.)

Once you get everything setup, just change a few properties in the config for openfire to connect it to your solution, ex.

provider.admin.className --> org.jivesoftware.openfire.admin.IISAdminProvider
provider.auth.className --> org.jivesoftware.openfire.auth.IISAuthProvider
provider.user.className --> org.jivesoftware.openfire.user.IISUserProvider

I added a few more properties for the IIS database username/password as well as some variables for what the name of my admin group is, etc. Just follow the JDBC examples and it’s very easy. Note that after you change the provider.* properties in the openfire config you won’t be able to login with the default admin anymore — if something is messed up you’ll have to go back into the database and change the config (in the dbo.ofProperty table of your openfire DB.)