Hello, first, english isnt my native tong so there be mistakes and misspeling.
i had worked sso on ad domain 2012r2 lvl (forest level too) with openfire 3.8.3 and spark 2.7.0. Some time ago i rename domain (example.local to example.com). I did it from my workstation running on win8.1. After rename i was unnable to get new domain from my workstation so i rejoin workstation. Next step i setup ad CA with 8K bit key, setup auto enrollment with edsca521/sha512, setup new openfire 4.1.1(not update, only new installation), renew krb5.ini, spn, keytab file. I successfully log in spark 2.8.3 on my workstation using SSO. All of rest workstations cannot log in nether SSO nor password. Openfire`s log had similar strokes like below:
2017.02.02 23:28:49 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x00000003: nio socket, server, /192.168.174.50:49496 => 0.0.0.0/0.0.0.0:5222)
I decide that there is some problem in kerberos ticket but it wasnt. Anyone user`s account can perform SSO only on my workstation. I rejoined a few more workstaion but it didnt resolve that.
All of my workstation running on win81 or w2k12r2. Can there be root of evil in strong cryptography across all domain?