SSO: krb5kdc_err_s_principal_unknown

Hi All,

Anyone out there can give me some help on this?

When I try to use SSO with spark2.5.4 and openfire 3.3.2, I encounter some problems. The problem is. that when I use a network sniffer, I found the KDC reply the client (spark) with a krb5kdc_err_s_principal_unknown.

Here is the basic description of my settings. More details can be provided upon your request.

KDC/AD and openfire on the same server. The server name is zeus. I did setup the reverse lookup, so the IP address can be resolved to zeus with nslookup.

I’ve created an account with the ID xmpp-zeus and used ktpass to map it.

I’ve added a spn with setspn -A zeus. When I tried setspn -L zeus, I see xmpp/zeus.domain in the list. (actually, I don’t understand this step, because I was given this error, so I tried whatever possible.)

The openfire.xml and gss.conf, I followed the “Configure kerberos for openfire” article.

When I do a klist of Microsoft resource tools, I see krbtgt/zeus, ldapzeus, host/zeus, but I don’t see xmpp/zeus, I don’t know whether this indicates that there’s a problem?

I presume that the encryption type things are not related to my problem (not yet). am I right.

There is another thing very strange is that for a while, I managed to get through this, but later this problem appears again next day.

I did the allowtgtsessionkey too. ( I presumed it should be configured on the openfire machine, right?) For the xmpp.fqdn, I don’t know how to change it, I login to the admin console, change the server setting properties. So in the xml packets, I did saw the from=“zeus.domain”.

Anything I missed out? Any help would be highly appreciated. Thanks.

By the way, I did a kinit on the client machine and successfully login with the client account.

I am new to kerberos and sso, so pardon my ignorance if i did anything stupid.

a bit more information:

during the ktpass step

ktpass -princ xmpp/zeus.domain@REALM -mapuser xmpp-zeus@domain …

notice that on windows 2003, I can’t execute the command if the map user is xmpp-zeus.domain, so I changed to @, I presume this is correct because I can see in the AD user information that the mapping is correct.

My domain name contains “-” character, I once came across a post somewhere saying that this may cause problem. Can anyone confirm?

In the gss.conf file, the path to the jabber.keytab, I used double back slash because I found that single slash will cause problem. (I mentioned in the first post that I once got over the krb5kdc_err_s_principal_unknown problem, this is done during that time).

that’s all i can think of now.