How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

speedy · April 16, 2013, 12:50am

How to Setup Openfire SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Verified DNS - Must have PTR record for openfire server or SSO will not work.
Create a user account that will be used for the keytab. I used “keytab” in this example. Under account properties, check “This Account Supports Kerberos AES 128 bit encryption”
On the domain controller set spn to username ‘keytab’ and other mappings.

Note: The spn should match what you are using for xmpp.domain. ie xmpp/xmpp.domain. In this example, xmpp.domain is the fqdn of the server, lab2.lab.local

*case sensitive

setspn -S xmpp/lab2.lab.local@LAB.LOCAL keytab

Next use ktpass to set additional information and create keytab file

Note: The -princ should match what you are using for xmpp.domain. ie -princ xmpp/xmpp.domain. In this example, xmpp.domain is the fqdn of the server, lab2.lab.local

*case sensitive

ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab (enter same password that you used when you created the keytab user account)

On the server running openfire

create krb5.ini and place c:\windows

set the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey reg-dword value 1

Copy your keytab created in step 4 (xmpp.keytab) file to openfire/resources
Copy/create your gss.conf file in openfire/conf
Add the follwing to system properties in openfire

sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf

sasl.gssapi.debug false

sasl.gssapi.useSubjectCredsOnly false

sasl.mechs GSSAPI

sasl.realm LAB.LOCAL

restart openfire service

Install spark on a workstation.

On workstations make the following registry change

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

reg dword allowtgtsessionkey value 1

10 copy krb5.ini in c:\windows

Launch spark and test

speedy · October 22, 2017, 6:27pm

jacob8 · January 30, 2018, 7:44am

That’s a great walk through, but I’ve yet to get this to work.
I noted that I have to run spark as admin to get a principal to be visible to Sparks SSO (DNS does find the sso info properly in this configuration), but it fails even then.

[Unable to connect Please check your principal and server settings]

I know in another thread you mentioned that it was always a disconnect between the principal and they keytab. I have googled this repeatedly, but can you give any insight into the components involved with the keytab - the DNS entries and the spn stuff?

If you have that kind of time to explain this to some guy out on the internet I’d be more than grateful.

speedy · January 30, 2018, 2:05pm

Please make sure that you can sign in without sso first. There is a bug that spark will give the wrong error on signon when using sso if it can’t validate the certificate from the server.

SteveO · May 31, 2019, 9:21am

I’ve got it!
The reason was just firewall. Port 5222 was unavailable, so I fix it, and it works!

wroot · May 31, 2019, 10:49am

You should post this in your thread and mark it as resolved then

mjaramillom · August 9, 2023, 7:33pm

Consulta actualmente que version usas que ya te esta funcionando la SSO con active directory eh intentado de varias formas y ninguna funciona.