I have found a slight variation required when following SSO Configuration. This is a very old topic created in 2007, so I have created a new one instead of replying to the original. In the section headed “The KDC is Active Directory”, I found the instruction to add the xmpp service principal did not result in a change to the local keytab, nor did I get an error message:
net ads keytab add xmpp
There appears to have been an account permission problem as the solution turned out to simply add a ‘-P’ parameter which the Samba net documentation states “Make queries to the external server using the local machine account”. Hence:
net ads keytab add xmpp -P
The documentation also omits the very important point that the files created for use by Openfire Server - xmpp.keytab and gss.conf both need to be owned by the openfire account.