powered by Jive Software

SSO: Cannot get kdc for realm

Like alot of people here I’m tring to get SSO to work.

Background information:

2003 domain controler: omnidc08

Domain: corp.omniamerican.org

2008r2 x64 Openfire Server: wso-chat-01

XPsp3 Client using spark

service users are domain admins: srv_OMNICHAT_LDAP & srv_OMNICHAT_KEYTAB

install directory: c:\Program Files (x86)\Openfire

however I also made a c:\Program Files\openfire\conf directory with gss.conf and openfire.xml

These are the commands I ran in the Domain controler:



Registering ServicePrincipalNames for CN=srv_OMNICHAT_keytab,OU=Service Accounts

,OU=Information Technology,OU=Back Office,DC=corp,DC=omniamerican,DC=org


Updated object


mapuser srv_omnichat_keytab@CORP.OMNIAMERICAN.ORG -pass * -ptype KRB5_NT_PRINCIP


Targeting domain controller: OMNIDC08.corp.omniamerican.org

Using legacy password setting method

Successfully mapped xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG to srv_OMNICHAT_keyta


Type the password for xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG:

Type the password again to confirm:

Key created.

On my openfire server(wso-chat-01), I can run a clean:

kinit -k -t jabber.keypab xmpp/wso-chat-01.corp.omniamerican.org@CORP.OMNIAMERICAN.ORG P@ssWord123

attached are my configuration docs

I’ve also added the krb5.ini files to both the openfire server and workstation in the c:\windows directory

and the regestry entry for allowtgtsessionkey = 1 in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\ and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\

on the xp workstation and just


on the wso-chat-01 server

and have rebooted both many times.

log on my openfire screen:

Openfire 3.8.2 [Feb 24, 2014 3:11:12 PM]

Admin console listening at:



Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files (x86)/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG@CORP.OMNIAMERICAN.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

[Krb5LoginModule] authentication failed

Cannot get kdc for realm CORP.OMNIAMERICAN.ORG

and LDAP is working, I can sign in with my windows username and password. but I cannot get SSO to work, the client does so my username@corp.omniamerican.org

openfire server is being “RUN AS” administrator

**[PLEASE NOTE: only PASSWORDS have been changed in the config files and above documentation]

see if this helps.