Openfire SSO Ubuntu guide

Hi, community.
The guide below shows how to configure SSO Kerberos with Ubuntu Server 16.04 and 18.04.
Java version no higher than Java 8 update 221 and Java 11.0.4. in latest java versions my SSO doesn’t work

srvdca3.domain.local-------|AD DC + DNS|
srv-chat.domain.local-------|Openfire server 4.5.2|

  1. Create a domain user openfire *
    1.1.Set it: User cannot change password Password never expires ** Do not require Kerberos preauthentication *
    1.2 On any DC, open CMD under the admin and run this command.
setspn -A xmpp/srv-chat.domain.local@DOMAIN.LOCAL **openfire**

Where: srv-chat.domain.local - full name your server Ubuntu with Openfire, @DOMAIN.LOCAL - your domain, openfire - your domain user(step 1,with which authorization through Kerberos (SSO) will work)
1.3 in CMD run this command and save file openfire.keytab in drive C.

ktpass /princ xmpp/srv-chat.domain.local@DOMAIN.LOCAL /mapuser openfire@domain.local /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /out c:\openfire.keytab

Openfire user attributes will change

servicePrincipalName – xmpp/srv-chat.domain.local
userPrincipalName – xmpp/srv-chat.domain.local@DOMAIN.LOCAL

2.Preparing an Openfire Server
2.1 install Openfire server
2.2 Copy openfire.keytab(step 1.3) to /usr/share/openfire/resources/
2.3 Create the file /etc/openfire/gss.conf {

2.4 Create a Kerberos configuration file and save it as krb5.ini to /etc/krb5.conf

default_realm = DOMAIN.LOCAL
default_keytab_name = /usr/share/openfire/resources/openfire.keytab
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

kdc = srvdc3.domain.local
kdc = srvdca1.domain.local
admin_server = srvdc3.domain.local
default_domain = domain.local

[domain_realms] = DOMAIN.LOCAL = DOMAIN.LOCAL

To check the ticket, you can use the following commands:

kinit -V -k -t /usr/share/openfire/resources/openfire.keytab xmpp/srv-chat.domain.local@DOMAIN.LOCAL
 klist -ek  /usr/share/openfire/resources/openfire.keytab

3.Openfire Preparation
3.1 go to http://srv-chat.domain.local:9090
3.2. We write our domain controller and any domain user (without administrative rights, I have this user “testuser”)
–Server Settings
—Profile Settings
----LDAP Settings
Host:srvdca3.domain.local Port:389
Administrator DN: domain\testuser
3.3 Go to
–System Properties
and change this parametrs and save:

|Property Name|Property Value|

3.4 Reboot your Openfire service and reboot Ubuntu server.

4.Client Windows preparation(Spark 2.8.3)
4.1 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

4.2 install Spark 2.8.3
4.3 Open Spark -> Advanced button -> SSO tab -> enable Use Single Sign-On (SSO) via GSSAPI
4.4 And write your server Openfire and click on “Logon”


What is these two servers??

I have two domain controllers, but only one can be specified.

kdc = srvdc3.domain.local
admin_server = srvdc3.domain.local
default_domain = domain.local

Do my chat server be logged in my AD??

Yes, you need to enter the Ubuntu server in the domain.

Ok, im trying installing java 8 221, but no success until now.

here is the Java I installed, and I turned off Java auto-update.
This java for ubuntu 16.04

dpkg -i openjdk-8-jre-headless_8u222-b10-1ubuntu1_16.04.1_amd64.deb

sudo apt-mark hold openjdk-8-jdk

openjdk-8-jre-headless_8u222-b10-1ubuntu1_16.04.1_amd64.deb (25.9 МБ)

So, in clients machine, windows 7 has to be outdated java??

No, you can install any version of Java on clients. for example, you can use Spark 2.8.3 with integrated Java. But on servers that would work SSO need to use Java no higher than version 8 update 221.

Ok, finished installation, but doenst work for me.

I’m getting this error, krb5-kdc.service: Can’t open PID file /var/run/

hmm, I don’t have Kerberos KDC Server on any of my ubuntu servers.
i think you need delete Kerberos KDC Server and install krb5-user.

And also you need to look in the admin panel Openfire if you have all authorization mechanisms (SASL) enabled

sudo apt-get install krb5-user


Removed the KDC Server, and put only kdcuser.
Also enabled alls SASL.

But still dont work.


To check whether GSSAPI(SSO) works or not, you need to enter the command in your Ubuntu server:
Point 2.4 from my guide

kinit -V -k -t /usr/share/openfire/resources/openfire.keytab xmpp/srv-chat.domain.local@DOMAIN.LOCAL

If everything works correctly, a record should appear:
Authenticated to Kerberos v5
Look at my two screenshots from two Openfire servers (First server on Ubuntu 16.04 and second server on Ubuntu 18.04)

Yeap, the same here. But Spark cant conect.

Spark config

Ok dude, its working on others SO like Windows Server and Windows 10 but, in windows 7 its not working.

My company uses only Windows 10, but we implemented SSO even when we had computers with Windows 7 and Windows 8.1.
Give me time, tomorrow I will install a virtual machine on Windows 7.
By the way, try putting the krb5.conf file in C: \ Windows and reboot computer .
And also make sure that every Windows client has this registry entry from point 4.1, it is very important :
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Lsa \ Kerberos \ Parameters

Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

hmm, I have SSO running on Windows 7.
And without the krb5.conf file.
I just added a reg entry from point 4.1
Do you use the latest version of Spark 2.8.3?


@ilyaHlevnoy great guide!

for addtional references

1 Like

Yes, im using the latest. I have already change the reg. I will try again.