When setting up Single Sign On via GSSAPI in Openfire, I found that Openfire requires a User Principal Name on the KDC rather than just a Service Principal Name. It should only require a Service Principal Name.
This can happen when using Samba’s ‘net ads keytab add’ command without the ‘createupn’ parameter, which was added in Samba 3.0.23.