powered by Jive Software

SSO (Single Sign On) configuration changes since Spark 2.8.0

For those who are using SSO (Single Sign On) Spark 2.8.0 may require an update to keytab file, if you are using SRV records. You will need to add a SPN for that record and recreate the keytab file.

Example: If your xmpp domain is igniterealtime.org; your SRV record might be xmpp.igniterealtime.org

Review current SPN:

setspn -L keytab (keytab is the keytab user account used)

Output:

Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:

xmpp/igniterealtime.org

xmpp/igniterealtime.org@DOMAIN.LOCAL

Add SRV records:

setspn -S xmpp/xmpp.igniterealtime.org keytab

setspn -S xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL keytab

Review SPN again:

setspn -L keytab

Output:

Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:

xmpp/igniterealtime.org

xmpp/xmpp.igniterealtime.org

xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL

xmpp/igniterealtime.org@DOMAIN.LOCAL

Review your gss.conf file within your …\openfire\conf folder:

Locate the principal and keytab filenames, e.g. principal=“xmpp/igniterealtime.org”, keytab=“C:/openfire/resources/xmpp.keytab”

Recreate your keytab using the principal and keytab filenames from above:

ktpass -princ xmpp/igniterealtime.org@DOMAIN.LOCAL -mapuser keytab@domain.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

Replace keytab in …\openfire\resources\ with the new keytab file.

Restart Openfire.

****Note: the new setting should be compatible with 2.7.x Spark versions.