How To: Enable Jitsi Server Authentication

In my previous blog post HERE, we set up a Jitsi server on Vultr from start to finish. This post is going to build on that previous post and add some basic authentication to the server.

At the end of the last post, our server had no authentication – anyone who knows the URL can connect and start a video conferencing session.

Now we’re going to set up Jitsi so that you have to have a username and password to start a Jitsi conference – but you can then share that link with anyone, and all other attendees can join anonymously. This is the best way to run Jitsi – you know that your server won’t be running unauthorized video conferencing sessions, but you can still invite whomever you want, and your invitees don’t have to have an account on your Jitsi server (though you should still password protect your video conferences).

PRO TIP: If you are following along with this post after you already set up Jitsi from my previous post, I would recommend taking a snapshot of your Vultr or Digital Ocean server at this point. That way, if you mess up your server going through these next steps, you can revert to the snapshot and not have to start the entire project over from scratch!

Prosody is the name of the Jitsi component that handles authentication. The first thing we need to do is enable authentication on our main domain – for our example, our main domain was jitsi.crosstalksolutions.com. These changes have to be made in the /etc/prosody/conf.avail/[your-hostname].cfg.lua file. So, for our example, we want to edit:

sudo nano -w /etc/prosody/conf.avail/jitsi.crosstalksolutions.com.cfg.lua

Find the line that says ‘VirtualHost "[your-hostname]"’. Underneath that line you’ll see another line that says:

authentication = "anonymous"

Change that line to:

authentication = "internal_plain"

This disables the anonymous authentication for the ‘main’ server host URL – however, we also need to create a new virtual host for our anonymous guests in order to facilitate their anonymous connections. Scroll to the bottom of the file and add these lines to create the new virtual host with the anonymous login method (use your own FQDN):

VirtualHost "guest.jitsi.crosstalksolutions.com"
    authentication = "anonymous"
    c2s_require_encryption = false

*** NOTE: The VirtualHost that we just created – guest.jitsi.crosstalksolutions.com – is only used for Jitsi internally – there is no need to create a separate DNS A record for that FQDN.

CTRL+X followed by Y+ENTER to save and exit.

Next we need to configure our newly created VirtualHost / anonymous domain in our config.js file:

sudo nano -w /etc/jitsi/meet/jitsi.crosstalksolutions.com-config.js

Under the ‘var config = {’ section (right near the top of the file), you should already see a line that says domain: ‘jitsi.crosstalksolutions.com’, (it’ll say your FQDN, not mine). Just below that line, after the comment, you should see a line that is commented out that starts with ‘anonymousdomain’. Uncomment that line and add your FQDN with a ‘guest.’ in front of it like this:

anonymousdomain: 'guest.jitsi.crosstalksolutions.com',

CTRL+X followed by Y+ENTER to save and exit.

Next, we need to tell the Jicofo service to only allow requests from our ‘authenticated’ domain.

sudo nano -w /etc/jitsi/jicofo/sip-communicator.properties

Add a new line at the bottom of this file:

org.jitsi.jicofo.auth.URL=XMPP:jitsi.crosstalksolutions.com

Again, substitute your own FQDN for jitsi.crosstalksolutions.com.

CTRL+X followed by Y+ENTER to save and exit.

Now let’s restart our Jitsi services:

sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2
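
A read-only check of the three edits above, as an added example that is not part of the original post. It reads the authentication value per VirtualHost block instead of grepping the whole file, because a Prosody config can hold several VirtualHost blocks, each with its own authentication line. The function names vhost_auth and check_jitsi_auth are this example's own, and the default paths assume the file layout used in this guide.

```shell
#!/bin/sh
# Added example: verify the Prosody, config.js and Jicofo edits from this guide.
# Run as: sh check.sh jitsi.example.com   (paths can be overridden, see below)

# Print the authentication value set inside one Prosody VirtualHost block.
vhost_auth() {  # $1 = Prosody config file, $2 = virtual host name
    awk -v host="$2" '
        $1 ~ /^--/ { next }                           # skip Lua comment lines
        $1 == "VirtualHost" || $1 == "Component" {    # a new block starts here
            in_host = ($1 == "VirtualHost" && $2 == ("\"" host "\""))
            next
        }
        in_host && $1 ~ /^authentication/ {           # value sits between the quotes
            split($0, q, "\""); print q[2]; exit
        }' "$1"
}

# Check all three files; the return value is the number of failed checks.
check_jitsi_auth() {  # $1 = FQDN; $2-$4 = optional paths (assumed defaults below)
    fqdn=$1
    prosody=${2:-/etc/prosody/conf.avail/$fqdn.cfg.lua}
    meet=${3:-/etc/jitsi/meet/$fqdn-config.js}
    jicofo=${4:-/etc/jitsi/jicofo/sip-communicator.properties}
    fails=0
    [ "$(vhost_auth "$prosody" "$fqdn")" = "internal_plain" ] ||
        { echo "FAIL: VirtualHost $fqdn is not internal_plain"; fails=$((fails + 1)); }
    [ "$(vhost_auth "$prosody" "guest.$fqdn")" = "anonymous" ] ||
        { echo "FAIL: VirtualHost guest.$fqdn missing or not anonymous"; fails=$((fails + 1)); }
    # anonymousdomain must be uncommented and point at the guest host
    grep -v '^[[:space:]]*//' "$meet" | grep anonymousdomain | grep -Fq "guest.$fqdn" ||
        { echo "FAIL: anonymousdomain not set to guest.$fqdn in $meet"; fails=$((fails + 1)); }
    # Jicofo must name the authenticated domain on a line of its own
    grep -Fxq "org.jitsi.jicofo.auth.URL=XMPP:$fqdn" "$jicofo" ||
        { echo "FAIL: org.jitsi.jicofo.auth.URL not set in $jicofo"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: authentication settings are consistent"
    return "$fails"
}

if [ "$#" -gt 0 ]; then check_jitsi_auth "$@"; fi
```

Any FAIL line names the file and setting to revisit before testing in the browser.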

OK – this is great…we now have authentication…but we’re forgetting something – users!

To add users who can create video conferences in Jitsi, run the following command:

prosodyctl register <username> jitsi.crosstalksolutions.com <password>

So – to create user ‘john’ with password ‘12345’ you would run:

sudo prosodyctl register john jitsi.crosstalksolutions.com 12345

Use your own FQDN instead of jitsi.crosstalksolutions.com, and also use nice STRONG passwords for your users.

That’s it! Now to test it out – if you log onto your Jitsi server – https://jitsi.crosstalksolutions.com – and start a new meeting, you will be told that the conference is waiting for the host – and you have a button to indicate that YOU are the host – click that button.

When prompted, enter in the username and password that you created with the prosodyctl command.

*** NOTE: If you created user ‘john’ your username here can be either ‘john’ or ‘john@jitsi.crosstalksolutions.com’ – either one will work fine.

Your video conference has now started! At this point, you can share your video conference link with other folks (recommended to add a password to your conference) and then they can join up without having to have a Prosody user created for them.

Click the ‘i’ in the bottom-right hand corner to set a conference password and to copy the link that you can share to other attendees.

Comments 41

  1. I have used your instructions today and they worked like a charm. Thank you so much for this tutorial. God bless.

  2. Hello, Chris.
    I’ve learned so much from your videos and blog and would love to buy you a beer.
    Unfortunately the link on your website does not work.
    Many greetings,
    Michael

  3. Chris,

    Your videos have been a huge help for quite some time.

    One little comment. It might be beneficial to call out in your blog post how one would remove a user who can create video conferences in Jitsi

    -Jordan

  4. Hi Chris,

    Thanks for your perfect guides on how to install the Jitsi Meet server and implement authentication.

    Another guide would be very interesting:

    How to allow guests to join a conference by telephone using a dial-in phone number.

    Maybe you are interested in creating one 😉

    Many greetings from Germany
    Makrus

  5. Like always, I love your tutorial!

    Installed two instances one open and one with authentication.
    Both running on hypervisor behind Nat and dynamic IP’s…

    They both work great…

    Has anyone been able to setup sip support?

    Excuse me I’m french!🙄😉

  6. Great tutorials and step by step guides. I followed your instructions to set up a Jitsi server and then added hosting authentication without any problem. And that’s from someone who has zero knowledge / experience in Linux!

    One quick question: it seems to me that once I have hosted a meeting once (with proper authentication), all subsequent hostings did not ask for authentication even though I have turned off password saving in Chrome.

    The only way the server would ask for authentication every time is to use Incognito mode in Chrome.

    Is there any way to force Chrome in normal mode to ask for authentication every time?

    Thanks a lot.

  7. so so appreciative of these guides! I’m running into a problem. As soon as I add:
    anonymousdomain:
    (regardless of what follows) it opens up everything. I’m wondering if it is in fact a DNS or hostname issue?

  8. Great video and notes. I tried it today but it’s not working. I “think” I tried all steps correctly. Did it a 2nd time. Same result. When I put it back I got a weird thing... asking for credentials. Now it’s supposed to be enabled but no security is happening. Any suggestions?

  9. Hello Chris,

    For your information, I think there is a typo in your guide. In “Under the ‘var config = [‘ section (right near the top of the file)”, “[” should be replaced by a “{“.

    Have a good one

  10. Thanks Chris! I appreciate the work you put into tutorials for the community.

    Would love to see a guide on connecting FreePBX to Jitsi for dial-in option.

  11. Hi, Chris. I installed jitsi meet per your instructions, except for my Ubuntu being 18.04

    I followed through with this blog post for authentication, and that mostly works, but fails on one or two major issues (the two may be related):

    My install silently fails to include more than 2 participants (no explicit errors are raised to the end user). Strangely, during my recent test-run, it was the host and creator of a room who was excluded from the screen. The host could see themselves as the only participant showing, on their own screen. The two guests who connected after the room was created were able to see each other (though not without tab crashes and other glitches), but were not able to see the host/creator.

    The host/creator shared an external IP with one of the guests, if that may be a factor.

    There is a lot of talk about fixing this on the community forum:

    https://community.jitsi.org/t/not-working-for-more-than-2-people-in-the-room/18821/60

    A lot of suggestions to tweak the firewall rules, on the above

    However, in my case, I tried to run it with NO firewall rules at all, with all ports open, just to test and get things working (intend to lock that down). So, my logic tells me the issue is elsewhere.

    Perhaps you could review the community posts and triangulate the issue, and perhaps give us the nutshell version of the fix here?

    Thanks for your blogs. You do deserve the beer donations; I will follow up on that.

  12. Hello,
    Thanks for the tutorial .
    Set up is done and authentication works well at the start but after some tests the authentication does not work.
    Note: I made changes to the presentation on the css side (change of logo, etc.)
    Thanks in advance

  13. Hello, you are doing great work. Currently, I followed all the steps you mentioned. All configurations seem good but the login option does not pop up.

  14. Any chance you would like to make a video or blog about how to enable Google Calendar integration for a Jitsi Server? One for people who have never set up a Google API client? The instructions found in the Jitsi GitHub assume a lot for us newbies.

  15. Hello Chris,
    Wonderful article. I was able to spin my ec2 t2 micro instance with 20GB ssd, within an hour following your tutorials. A test 3 party conference was a good experience.
    A few questions:
    – is it allowed to use Jitsi for commercial purposes, say someone wants to sell this product to a couple of schools with a number of hosting accounts? What are the licensing agreements to follow with Jitsi?
    – in your experience what is the right instance type + memory required, say to offer it to a school where hundreds of students are expected to join?
    – if I place more than one ec2 instance behind a load balancer in AWS, will it work?
    – are the sessions sticky (guess so..)?
    Please advise
    Sandeep, India

  16. Hello, on executing the command to restart prosody … the system returns:

    “Failed to add /run/systemd/ask-password to directory”

  17. Everything is fine but it’s not working on mobile. People can join from Desktop or Laptop but not from Mobile. I installed on Ubuntu Desktop 20 with Letsencrypt. I would really appreciate it if you could please help me with this issue.

  18. Hi, install module jigasi authenticate user and password on Asterisk. But in web Jitsi not button for invite call.

    You example install and configure is module jigasi. Thanks

    1. I am having a similar issue.
      After adding authentication, I am no longer able to hear audio, or see video from guests. Everyone can connect, and text chat and raise hand work fine. I have not been able to find a single fix for this anywhere. Any suggestions?

  19. Thanks for the well written and concise guide to authenticating in jitsi.
    It worked well for me with jitsi on Debian9, much appreciated!

  20. Hi there,
    excellent tutorial, all works fine the one way or the other… however, I need both.
    I set up a Jitsi-Server, it works well with authentication = “internal_plain” and user /pwd. However, I also want to give access to my server for my students within a moodle-installation. This also works fine when setting authentication = “token”, setting token and secret and putting them into the moodle-plugin.
    But… It would be marvelous to have both ways. How can I do that?
    Regards
    Christof

  21. Somehow my question got lost…
    First of all thanks for that nice how-to, it helped a lot.
    My final problem is as follows: I would like to provide my Jitsi installation in Moodle. For that I have to set “authentication = “token””. However, I would appreciate the service to be also still available using user/pwd. Then “authentication = “internal_plain”” (or hash) is needed. How can I have both? I would be happy for any helpful hint.
    Regards
    Christof

  22. Love your videos, I followed the instructions watched the video a couple of times, even made a notepad to edit all commands before pasting them into the server.

    Looks all well and good, but when I create a conference I get the username and password prompt, but it tells me that it’s not the correct username and password combo. I am at a loss as to where I can verify this information.

  23. I follow along perfectly with your tutorial and this helps more than any other that I have found! 🙂

    My problem is that (with Jitsi already installed on my server), the “/etc/prosody/conf.avail/xxxx.xxxx.xxx.cfg.lua” file is not present.

    I found the example file, do I just copy that over? (I am just concerned because I see that your file has different settings than what is in the “example” file that is present.)
