SSO: kdc_err_s_principal_unknown (7)

Hi,

what does this error mean? I can see this in Microsoft Network Monitor (Filter = KerberosV5), when I try to connect Spark with Openfire (SSO).


C:\Program Files (x86)\Openfire\jre\bin>setspn -L xmpp-openfire

Registrierte Dienstprinzipalnamen (SPN) für CN=xmpp-openfire,CN=Users,DC=domain,DC=mirabyte,DC=com:

xmpp/mserver.domain.mirabyte.com

xmpp/mserver.domain.mirabyte.com@DOMAIN.MIRABYTE.COM

Keytab is also working:

gss.conf:

krb5.ini:

Openfire settings:

Openfire Debug Log:

Active Directory is also working and log in with Username + Password is also working. Only SSO is not working.

I also tried the latest JAVA version.

Any ideas?

Regards,

Sascha

It might be the same problem I had.

The solution was to add the spn without the @realm, like this:

setspn.exe -A xmpp/FQDN.SERVER.NAME xmpp-openfire

With that you should have two entries:

xmpp/FQDN.SERVER.NAME@DOMAIN

xmpp/FQDN.SERVER.NAME

Thanks! I already tried that without any success.

You did add the registry keys and the krb5.ini on the clients? If not, SSO doesn’t work…

Yes, I set AllowTGTSessionKey and I also have both krb5.ini files (content of this file is posted in the first post)

Then I’ve run out of ideas.

If it helps you, my xmpp.domain is set to the server alias (the name the clients connect to, something like im.domain.com), my xmpp.fqdn is set to the server real name, and I added in the DNS record on the DC the alias associated to the FQDN.

Also, kinit should ask you for the password you used to generate the keytab, and then return nothing at all. If it returns nothing, the keytab is fine. If it returns something, the keytab is wrong and you might need to recreate it. Also you might try to create the keytab with ktpass instead if nothing else works.
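As an added example (not code from this thread or from Openfire), the following script encodes the SPN check the replies describe: it parses the output of `setspn -L <account>` and reports whether `xmpp/<xmpp.fqdn>` is registered both with and without the `@REALM` suffix, mapping a missing entry to the KDC error code 7 seen in the capture. The sample output and the assumption that the SPN lines are the only lines containing `service/host` are constructed for the example.

```python
import re

# Code 7 from the Network Monitor capture in the first post: the KDC holds no
# account that owns the service principal name (SPN) the client asked a ticket for.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7

# service/host, optionally followed by @REALM (constructed pattern, assumed to
# cover every SPN line setspn prints)
_SPN_RE = re.compile(r"^([A-Za-z][\w.-]*)/([^\s/@]+)(@[^\s/@]+)?$")

def parse_setspn_output(text):
    """Collect the service/host[@REALM] entries from `setspn -L <account>` output.

    Only lines that look like an SPN are kept, so the localized header line
    (German in the thread) and blank lines are ignored.
    """
    spns = []
    for line in text.splitlines():
        m = _SPN_RE.match(line.strip())
        if m:
            spns.append(m.group(0))
    return spns

def check_spns(spns, fqdn, realm, service="xmpp"):
    """Apply the replies' advice: service/fqdn must exist with and without @REALM.

    Returns the findings plus the KDC error to expect when the plain form is missing.
    """
    plain = f"{service}/{fqdn}".lower()
    with_realm = f"{plain}@{realm.lower()}"
    present = {s.lower() for s in spns}
    return {
        "plain_spn": plain in present,
        "realm_spn": with_realm in present,
        # hosts registered under this service class, to compare against xmpp.fqdn
        "hosts": sorted({s.split("/", 1)[1].split("@", 1)[0].lower() for s in spns
                         if s.lower().startswith(service.lower() + "/")}),
        "likely_error": None if plain in present else KDC_ERR_S_PRINCIPAL_UNKNOWN,
    }

# Constructed sample: setspn output before the reply's fix, with only the @REALM
# form registered (header wording copied from the thread's German output).
SAMPLE_BEFORE_FIX = """\
Registrierte Dienstprinzipalnamen (SPN) für CN=xmpp-openfire,CN=Users,DC=domain,DC=mirabyte,DC=com:
        xmpp/mserver.domain.mirabyte.com@DOMAIN.MIRABYTE.COM
"""

if __name__ == "__main__":
    found = parse_setspn_output(SAMPLE_BEFORE_FIX)
    print(check_spns(found, "mserver.domain.mirabyte.com", "DOMAIN.MIRABYTE.COM"))
```

Run it against the real `setspn -L xmpp-openfire` output saved to a file to see which of the two entries is absent before re-running `setspn -A`.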