powered by Jive Software

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2


#1

How to Setup Openfire SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

  1. Verified DNS - Must have PTR record for openfire server or SSO will not work.

  2. Create a user account that will be used for the keytab. I used “keytab” in this example. Under account properties, check “This Account Supports Kerberos AES 128 bit encryption”

  3. On the domain controller set spn to username ‘keytab’ and other mappings.

Note: The spn should match what you are using for xmpp.domain. ie xmpp/xmpp.domain. In this example, xmpp.domain is the fqdn of the server, lab2.lab.local

*case sensitive

setspn -S xmpp/lab2.lab.local@LAB.LOCAL keytab

  1. Next use ktpass to set additional information and create keytab file

Note: The -princ should match what you are using for xmpp.domain. ie -princ xmpp/xmpp.domain. In this example, xmpp.domain is the fqdn of the server, lab2.lab.local

*case sensitive

ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab (enter same password that you used when you created the keytab user account)

  1. On the server running openfire

create krb5.ini and place c:\windows

set the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey reg-dword value 1

  1. Copy your keytab created in step 4 (xmpp.keytab) file to openfire/resources

  2. Copy/create your gss.conf file in openfire/conf

  3. Add the follwing to system properties in openfire

sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf

sasl.gssapi.debug false

sasl.gssapi.useSubjectCredsOnly false

sasl.mechs GSSAPI

sasl.realm LAB.LOCAL

restart openfire service

  1. Install spark on a workstation.

On workstations make the following registry change

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

reg dword allowtgtsessionkey value 1

10 copy krb5.ini in c:\windows

  1. Launch spark and test

How To: Video on setting up SSO/AD with Openfire
#2

#3

That’s a great walk through, but I’ve yet to get this to work.
I noted that I have to run spark as admin to get a principal to be visible to Sparks SSO (DNS does find the sso info properly in this configuration), but it fails even then.

[Unable to connect Please check your principal and server settings]

I know in another thread you mentioned that it was always a disconnect between the principal and they keytab. I have googled this repeatedly, but can you give any insight into the components involved with the keytab - the DNS entries and the spn stuff?

If you have that kind of time to explain this to some guy out on the internet I’d be more than grateful.


#4

Please make sure that you can sign in without sso first. There is a bug that spark will give the wrong error on signon when using sso if it can’t validate the certificate from the server.