powered by Jive Software

SSO reads username but doesn't work


I have a server running openfire. spark works fine. Now I am trying to deploy the spark software with Thinapp.

I have the client configured to do SSO. It reads the correct username. username@domain.local

However it only works when I disable SSO and enter a password.

the error I get is

Unable to connect using single sign on. Please check your principal and server settings.

what Am i doing wrong? I checked DNS under advanced settings in the SSO menu but this also doesn’t work


seting up sso is a bit more complicated than that! There are alot of post on it. Here is a document that I wrote up, but there are many more.


Hi speedy,

I followed your document thanks for that.

I followerd all steps but I havent got it working yet.

Couple of questions. How do I confugure the client?

SSO via DNS, KRB5.ini of specify below?

What should the content be of the krb5.ini file?

only this? :


allowtgtsessionkey reg-dword value 1

no…thats a registry edit. I’m surprised you didn’t get an error when you created or tested your keytab file if your krb5.ini wasnt set correctly.

your krb5.ini file should look something like this. (this is a basic example)

default_realm = INTRANET.COM

kdc = dc1.intranet.com
admin_server = dc1.intranet.com
default_domain = intranet.com

intranet.com = INTRANET.COM
.intranet.com = INTRANET.COM`

and your gss.conf file should look like this

com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required storeKey=**true** keyTab="C:/Program Files/Openfire/resources/xmpp.keytab" doNotPrompt=**true** useKeyTab=**true** realm="INTRANET.COM" principal="xmpp/servername.domain.com@INTRANET.COM" debug=**true**; };

Hi Speedy,

thanks! I had it going for about 5 minutes. then my account got locked.

It still reads my username correct but I receive “Unable to connect using single sign on. Please check your principal and server settings.”

Any directions to check what is going on? I tried to connect on IP and hostname both same effect.

I tried to test my keytab file again:

C:\Program Files (x86)\Openfire Chat Server\jre\bin>kinit -k -t jabber.k


Exception: krb_error 0 Cannot get kdc for realm DOMAIN.LOCAL No e

KrbException: Cannot get kdc for realm DOMAIN.LOCAL

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.KrbKdcReq.send(Unknown Source)

at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown S

at sun.security.krb5.internal.tools.Kinit.(Unknown Source)

at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

this is my krb5.ini on sever and client

default_realm = DOMAINNAME.LOCAL
noaddresses = true

kdc = VMW2KS155.domainname.local
default_domain = domainname.local

this is my gss.conf:

com.sun.security.jgss.accept {




keyTab=“C:\Program Files (x86)\Openfire Chat Server\resources\jabber.keytab”







So the version of Java 1.6.0_26 has a bug that kills SSO authentication. Make sure you are not using that version.


I was running Linux, but upgrading to Java 1.7.0_147 fixed my install.

I have tried a java update. no effect.

just for the record:

xmpp/lab2.lab.local where lab2 is the openfire server right?

admin_server is my openfire server?

There is a PTR record in my DNS pointing to the openfire server.

please see attached. w2ks61 is my openfire server

my kdc is vmw2ks155

gss.conf.zip (379 Bytes)
jabber.keytab.zip (314 Bytes)
krb5.ini.zip (264 Bytes)
openfire.xml (3423 Bytes)