At our H.Q. we are using Openfire 3.9.3 running on Win2008 Std.
and the latest Spark client 2.7.0 Build 665 running on XP, 7, 8 and Windows 8.1.
All our remote branches are connected to H.Q. using site-to-site VPN IPsec tunnels.
Recently I followed this document to set up SSO: https://community.igniterealtime.org/docs/DOC-2706
SSO is working just fine on all workstations located in the Head Office,
but I have not been able to get it to work in the remote branches.
After a week of investigating this issue, Wireshark showed that our users in the remote branches have problems getting Kerberos tickets:
the Kerberos TGS-REQ message is sent to the KDC server using the UDP protocol.
The solution was to force Kerberos to use TCP instead of UDP in the Kerberos configuration file krb5.ini
by adding this line: udp_preference_limit = 1
For more information: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
I hope that this post will help someone and save him time.
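
As an added example (not part of the original post): the MIT krb5.conf documentation linked above lists udp_preference_limit under the [libdefaults] section, so a small Python check like the one below can confirm on each branch workstation that the line is present, active, in that section, and set to the value the post uses. The function name, sample file contents, realm and KDC host names are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^udp_preference_limit\s*=\s*(\S+)")

def check_udp_preference(text):
    """Classify krb5.ini text: 'ok', 'differs', 'misplaced' or 'missing'."""
    section, in_libdefaults, elsewhere = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip()
            continue
        setting = SETTING.match(line)
        if setting and section == "libdefaults":
            in_libdefaults.append(setting.group(1))
        elif setting:
            elsewhere.append(section)        # set, but outside [libdefaults]
    if in_libdefaults:
        # Only the exact value from the post (1) counts as "ok".
        return "ok" if set(in_libdefaults) == {"1"} else "differs"
    return "misplaced" if elsewhere else "missing"

# Constructed sample files; realm and KDC names are placeholders.
GOOD = """[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""
MISPLACED = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    udp_preference_limit = 1
"""
COMMENTED = """[libdefaults]
    # udp_preference_limit = 1
"""

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("misplaced", MISPLACED), ("commented", COMMENTED)]:
        print(name, "->", check_udp_preference(text))
```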