powered by Jive Software

Can I use SSO and Federation (also, ".local?")

For starters - I have a working OpenFire with Active-directory tied SSO (Running on Windows Server 2008 R2) that I’ve “inhereted.” Single Sign On works fine.

However, the ‘Server Name’ is “server02,” and the Active Directory domain is “customername.local”

I’d like to know if it’s possible for me to continue to use SSO (against the Active Directory customername.local) and enable Federation?

As it stands, federation doesn’t make ‘logical’ sense as the XMPP domain is “server02.”

I do control the internal (and external, customername.com) DNS, so I can create the SRV records and such, but my understanding is that as long as the XMPP “Server Name” in openfire is set up as “App02” this won’t work.

So - what do I need to do, to get federation working? Is it possible to have a setup configured inside an AD domain of “customername.local” with a proper FQDN of “customername.com” for the server name? etc?

short answer is yes…but it will take a little work. I would do this afterhours because SSO can be a pain, and you’ll run the risk of breaking SSO!

set up dns ( i recommend a split dns setup to avoid hairpinning/nat issues for internal users)

add new admin jid using @customername.com

rename your xmpp domain to what you want it to be. customername.com

next deleted the old ssl cert and recreate them within the system admin page.

remove the old spn from the account used for kerberos

created new spn mappings using customername.com

recreated keytab file

update the gss.conf file to reflect the new principal

restart openfire and cross your fingers!

I’m heading out now. Let me know if you need more detail instruction, and I’ll try to get something together for you.