SSO issue in remote branches connected to HQ using Site-to-Site VPN IPSec Tunnels

Hi,

We are using Openfire 3.9.3 in our H.Q., running on Win2008 Std.

and the latest Spark client 2.7.0 Build 665 running on XP, 7, 8 & Windows 8.1.

All our remote branches are connected to H.Q. using Site-to-Site VPN IPSec Tunnels.

Recently I followed this document to set up SSO: https://community.igniterealtime.org/docs/DOC-2706

SSO is working just fine on all workstations located in the Head Office,

but I have not been able to get it to work in the remote branches.

After a week of investigating this issue, Wireshark showed that our users in the remote branches have problems getting Kerberos tickets:

the Kerberos TGS-REQ message is sent to the KDC server using the UDP protocol.

The solution was to force Kerberos to use TCP instead of UDP in the Kerberos configuration file krb5.ini

by adding this line: udp_preference_limit = 1

For more information: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html

I hope that maybe this post will help someone and save them some time.

Best Regards

AJamali
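The following is an added example, not part of AJamali's post or of the Openfire/Spark projects. It parses a krb5.ini and shows what udp_preference_limit does to the transport chosen for a KDC request, following the semantics on the MIT page linked above: a message smaller than the limit is tried over UDP first, anything else over TCP first, and MIT's default limit when the key is absent is 1465 bytes. The two krb5.ini texts, the realm name and the KDC host name are constructed for the demonstration; a 300-byte and a 1200-byte request are illustrative sizes, not measured values.

```python
"""Added example (not from the original post): parse a krb5.ini/krb5.conf
and work out which transport MIT Kerberos tries first for a KDC request of
a given size, per the udp_preference_limit semantics in the MIT docs.
Both krb5.ini texts below are constructed for this demonstration."""
import re

# MIT krb5 default when udp_preference_limit is not set (from the MIT docs).
DEFAULT_UDP_PREFERENCE_LIMIT = 1465

# Constructed krb5.ini as it might look before the fix: no udp_preference_limit.
KRB5_INI_BEFORE = """\
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = false

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc01.example.local
        admin_server = dc01.example.local
    }
"""

# Constructed krb5.ini after the fix described in the post: TCP forced.
KRB5_INI_AFTER = KRB5_INI_BEFORE.replace(
    "    dns_lookup_kdc = false\n",
    "    dns_lookup_kdc = false\n    udp_preference_limit = 1\n",
)


def parse_krb5_conf(text):
    """Parse krb5 config text into {section: {key: value}}.

    The format is INI-like but allows brace-delimited subsections
    (e.g. REALM = { kdc = ... }); those are flattened as 'REALM.kdc'."""
    sections = {}
    section = None
    prefix = []  # stack of currently open brace-subsection names
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            prefix = []
            continue
        if line == "}":
            prefix.pop()
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            prefix.append(m.group(1))
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if m and section is not None:
            key = ".".join(prefix + [m.group(1)])
            sections[section][key] = m.group(2).strip()
    return sections


def udp_preference_limit(conf):
    """Effective udp_preference_limit: the explicit value or the MIT default."""
    value = conf.get("libdefaults", {}).get("udp_preference_limit")
    return int(value) if value is not None else DEFAULT_UDP_PREFERENCE_LIMIT


def first_transport(conf, message_size):
    """Transport tried first for a KDC message of message_size bytes:
    UDP if the message is smaller than the limit, otherwise TCP."""
    return "udp" if message_size < udp_preference_limit(conf) else "tcp"


def forces_tcp(conf):
    """True when every non-empty request goes TCP-first, i.e. limit <= 1."""
    return udp_preference_limit(conf) <= 1


if __name__ == "__main__":
    for label, ini in (("before", KRB5_INI_BEFORE), ("after", KRB5_INI_AFTER)):
        conf = parse_krb5_conf(ini)
        print(label, "| limit =", udp_preference_limit(conf),
              "| 300-byte AS-REQ ->", first_transport(conf, 300),
              "| 1200-byte TGS-REQ ->", first_transport(conf, 1200),
              "| TCP forced:", forces_tcp(conf))
```

Running the block prints one line per configuration; with the key absent a 1200-byte TGS-REQ still goes UDP-first, which is the path that failed across the tunnels in the post, while udp_preference_limit = 1 sends every request over TCP first. The check is useful for confirming that the key landed in [libdefaults] and not in another section, where it has no effect.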