Openfire SSO on Windows 2012 R2

I need some assistance. I've been trying to enable SSO for my domain on Openfire using Kerberos. I have watched many videos and looked through forums but cannot get it to work. My actual domain is 51TAB.GTMY.PIL.COM. My Openfire domain is a subdomain of that, not external. It is CHAT.51TAB.GTMY.PIL.COM. What should I be using for the SPN and PRINC commands? I started with xmpp/chat.51tab.gtmy.pil.com@51TAB.GTMY.PIL.COM, but when that didn't work I tried many different variations. I keep getting a "GSSAPI: Not authorized" error on the client. I tried Wireshark on the client too, but I'm not too sure what to look for. I see the client user's request, and it receives a TGT; then it requests an xmpp server ticket from the DC, and it receives one. The only thing that looks weird to me is that the name-type says kRB5-UNKNOWN in both the request and the response for the xmpp ticket.

Bah, finally got it working. I started from scratch in a lab environment. My issue was DNS related. Previously, I made a subdomain named CHAT which mapped to the IP of my xmpp server. On this subdomain I created the SRV records for _xmpp-client. However, after a week of 8hr+ days of failed attempts, I decided to try something else. I deleted the subdomain 'CHAT' and just made a CNAME on my top domain called CHAT that pointed to my xmpp server's A record, then made the SRV records on my top domain that point to my CNAME. Then I followed @speedy's 27 min video. So not only does SSO actually work now, but clients and external servers will still use the same name to connect to me as I had intended (CHAT.51TAB.GTMY.PIL.COM). Phew... hope it helps somebody.

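The DNS layout the second post ends up with (CNAME in the top zone, SRV records in the top zone pointing at the CNAME, no delegated CHAT sub-zone), followed by the SPN and principal registration the first post asks about, written out as an added PowerShell example. It is not from the thread or from the Openfire project. The thread does not name the Openfire host's A record or the AD account that holds the SPN, so xmpp01.51tab.gtmy.pil.com and svc-openfire are assumptions here; the _xmpp-server SRV record (port 5269, the standard s2s port) and the ktpass keytab step go beyond what the post lists and are included because the post says external servers also connect to the same name.

```powershell
# Added example, not from the thread. Run on a DC (or a host with the DnsServer
# RSAT module and the AD tools) as a Domain Admin.
# Assumptions not stated in the thread: the Openfire box's A record is
# xmpp01.51tab.gtmy.pil.com and the SPN/keytab are bound to AD user svc-openfire.

$Zone       = '51tab.gtmy.pil.com'        # AD domain = top DNS zone
$Realm      = '51TAB.GTMY.PIL.COM'        # Kerberos realm: same name, upper-case
$XmppDomain = "chat.$Zone"                # XMPP domain clients and peers connect to
$XmppHost   = "xmpp01.$Zone"              # ASSUMED A record of the Openfire server
$SvcAccount = 'svc-openfire'              # ASSUMED AD account that will own the SPN
$Spn        = "xmpp/$XmppDomain"          # the sname clients request from the KDC

# --- 1. DNS: CNAME in the top zone, not a child zone named 'chat' ------------
# A delegated child zone 'chat.<zone>' shadows the name chat.<zone> in the
# parent, so records that are supposed to describe the XMPP domain end up
# split across two zones. The poster fixed SSO by removing that child zone.
if (Get-DnsServerZone -Name $XmppDomain -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name $XmppDomain -Force
}
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'chat' -HostNameAlias $XmppHost

# SRV records live in the top zone and target the CNAME. 5222 (c2s) is what
# the poster created; 5269 (s2s) is added here for the external servers the
# post mentions.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_xmpp-client._tcp' `
    -DomainName $XmppDomain -Priority 0 -Weight 5 -Port 5222
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_xmpp-server._tcp' `
    -DomainName $XmppDomain -Priority 0 -Weight 5 -Port 5269

# --- 2. SPN and keytab --------------------------------------------------------
# setspn -S checks the forest for a duplicate before adding. A duplicate SPN
# means the KDC cannot pick one key to encrypt the service ticket with, and the
# server-side GSSAPI check then fails even though the client got a ticket.
setspn -S $Spn $SvcAccount

# The -princ value must be the SPN exactly as registered, plus @REALM; this is
# the same string the first post started with. -pass * prompts for the
# account password and sets it so the key in the keytab matches AD.
# Copy the resulting file to the Openfire server and point Openfire's
# Kerberos configuration at it (details are in the video the post refers to).
ktpass -princ "$Spn@$Realm" -mapuser "$SvcAccount@$Realm" -pass * `
    -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out .\xmpp.keytab

# --- 3. Checks worth doing before touching the client again ------------------
# The SRV target should resolve through the CNAME to the host's A record.
Resolve-DnsName -Name "_xmpp-client._tcp.$Zone" -Type SRV |
    Format-Table Name, NameTarget, Port
Resolve-DnsName -Name $XmppDomain -Type CNAME | Format-Table Name, NameHost

setspn -L $SvcAccount    # the SPN must be listed exactly once, on this account
setspn -X                # reports duplicate SPNs anywhere in the forest

# From a domain-joined client: request the service ticket the XMPP client will
# present. If this fails, the problem is DNS/SPN, not Openfire.
klist purge
klist get $Spn
```

The ordering matters for troubleshooting: a successful `klist get xmpp/chat.51tab.gtmy.pil.com` proves the KDC can find exactly one account for the SPN, which isolates any remaining "Not authorized" error to the keytab or the Openfire side rather than DNS.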