Kerberos SSO: when DC and Openfire Server is the same computer == problems


Openfire server (3.6.3) was installed on domain controller.

DC OS - W2k3. This DC has two records in DNS: A-record, and CNAME for this domain controller.

I have tried to configure OF server, for use kerberos SSO, as is written in a manual, on this site, but kerberos SSO login don’t work (client - Spark).

OK, i install OF server on VirtualPC (WinXPPro), and configure it. And Kerberos SSO work very good on this “virtual server”!

Why the kerberos SSO don’t work, when OF server was install on domain controller?


I’m using Openfire on a DC (Windows 2008 and Windows 2008 R2) in development environments and for testing.

I can connect fine with Pandion.

You may want to download Microsoft Network Monitor and analyze the Kerberos authentication traffic for any errors that may lead you to a solution.


It used windows NTLM autentification. Or not?

I can connect with pandion to my OF server, installed on DC, too.

I try to use network monitor, for analyze traffic, but it is very difficult for me…


It will negotiate the authentication package. You can see it in the source here: . You can see that in some portions of the code, Kerberos is explicitly specified:

If you want to confirm, you can clear the security event logs on the server and watch for logons to confirm if Kerberos is being used.