Bug: when using SSO, Openfire requires a UPN in addition to an SPN

When setting up Single Sign On via GSSAPI in Openfire, I found that Openfire requires a User Principal Name on the KDC rather than just a Service Principal Name. It should only require a Service Principal Name.

This can happen when using Samba’s ‘net ads keytab add’ command without the ‘createupn’ parameter added in Samba 3.0.23.

I suspect this is a problem with Java itself, but an issue (JM-1191) has been opened for it in the event we can fix it.