Help needed: Openfire SSO in Active Directory forest with multiple domains

Does anyone know how to coinfigure SSO in a multi-domain AD environment, using the Global Catalog?

I ran through the configuration process, using port 3268 (Global Catalog) instead of 389 (LDAP). Connectivity and authentication works fine and allows users from multiple domains to authenticate. I then configured the Kerberos SSO by creating the XMPP user in the Root domain. The results are mixed. Users from the Root domain are able to login using SSO but users from any of the sub (child) domains cannot. I tried defining the multiple domaind in the krb5.ini sections as shown below, but that did not seem to help.



kdc = imsdc03.zevel.corp

admin_server = imsdc03.zevel.corp

default_domain = zevel.corp



kdc = imsdc04.auburnhills.zevel.corp

admin_server = imsdc04.auburnhills.zevel.corp

default_domain = auburnhills.zevel.corp



zevel.corp = ZEVEL.CORP

.zevel.corp = ZEVEL.CORP

auburnhills.zevel.corp = AUBURNHILLS.ZEVEL.CORP

.auburnhills.zevel.corp = AUBURNHILLS.ZEVEL.CORP

Any ideas / help would be appreciated.


I think you have to create a keytab file for each domain, then merge the keytabs into a single keytab file.

That sounds like a great idea, and possibly on the right track. So, I started looking into it. There’s a lot of information out there about using ktutil to merge KEYTAB files, (e.g., unfortunately, that tool isn’t available on my Windows Support Tools distribution (Windows 2003).

Anyone have ideas how to merge keytabs in Windows 2003? Is there an equivalent to kutil on the Windows side?


I don’t think there is a windows equivalent. It might be faster to load up a linux install into a virtual machine and use kutil