I currently have SSO working in an Openfire v3.7.0 / Windows Server 2008 SP2 (not R2) environment with Windows 7 SP1 x86 clients running 99% as regular users (not admins) and UAC turned on. I have SSO working with Spark 2.6.0 with both DNS and krb5.ini. However, while I already have LDAP lookups redundant across both our DCs by pointing the ‘ldap.host’ property at ‘domainname.local’, I need to get SSO and Kerberos working on both DCs as well for redundancy. I have followed all the usual documents and posts about SSO on here, but I haven’t found much on getting two KDCs working together for redundancy.
Here is my krb5.ini on the OpenFire server and workstations:
[libdefaults]
    default_realm = DOMAINNAME.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAINNAME.LOCAL = {
        kdc = dc1.domainname.local
        kdc = dc2.domainname.local
        admin_server = dc1.domainname.local
        default_domain = domainname.local
    }

[domain_realm]
    domainname.local = DOMAINNAME.LOCAL
    .domainname.local = DOMAINNAME.LOCAL
Fortunately, I have a complete virtual test environment that is a copy of our production domain, so I can test things thoroughly without breaking our current production environment, which is running SSO on the single dc1 so far. I have run the following commands on dc2.domainname.local, but when dc1 is not running I cannot log into Spark via SSO:
setspn -A xmpp/openfireserver.domainname.local@DOMAINNAME.LOCAL openfire.xmpp
…and…
ktpass -princ xmpp/openfireserver.domainname.local@DOMAINNAME.LOCAL -mapuser openfire.xmpp@domainname.local -pass * -ptype KRB5_NT_PRINCIPAL
I must be missing something beyond the two commands above, but I cannot seem to figure it out despite reading as much as I can on the topic, both here and through Google searches.
If anyone can point me in the right direction or has any advice at all I would really appreciate it.
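A configuration check for the two-KDC setup described above, as an added example that is not part of the original post and not Openfire or Spark code: it parses a krb5.ini in the same layout, confirms the default realm lists at least two kdc entries, flags a misnamed domain_realm section, and can probe each KDC on TCP/88 through a pluggable probe so the parsing logic itself runs offline. The sample text and host names are constructed; the sample deliberately uses the section name domain_realms, which Kerberos clients do not recognise (the correct name is domain_realm), to show that the check catches it.

```python
"""Validate a krb5.ini for two-KDC failover (added example; constructed sample input)."""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample in the same layout as a typical Windows krb5.ini.
# The last section is intentionally misnamed ("domain_realms") for the check below.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = DOMAINNAME.LOCAL
[realms]
DOMAINNAME.LOCAL = {
kdc = dc1.domainname.local
kdc = dc2.domainname.local
admin_server = dc1.domainname.local
default_domain = domainname.local
}
[domain_realms]
domainname.local = DOMAINNAME.LOCAL
.domainname.local = DOMAINNAME.LOCAL
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")
# Section names defined by MIT Kerberos; anything else is almost certainly a typo.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "logging", "plugins"}


def parse_krb5(text: str) -> Dict[str, dict]:
    """Return {section: {key: [values]}}; a "NAME = { ... }" block nests as {NAME: {key: [values]}}."""
    sections: Dict[str, dict] = {}
    current: Optional[dict] = None   # dict of the section being filled
    block: Optional[dict] = None     # dict of the realm block being filled, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line}")
        if line == "}":
            block = None
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = current.setdefault(key, {})
            continue
        target = block if block is not None else current
        target.setdefault(key, []).append(value)   # repeated keys (kdc = ...) accumulate
    return sections


def tcp_probe(host: str, port: int = 88, timeout: float = 2.0) -> bool:
    """Real reachability check: TCP connect to the KDC port. Only runs when passed in explicitly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_redundancy(conf: Dict[str, dict],
                     probe: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return findings for the default realm; an empty list means the file is set up for failover."""
    findings: List[str] = []
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return ["libdefaults has no default_realm"]
    if "domain_realm" not in conf:
        unknown = sorted(s for s in conf if s not in KNOWN_SECTIONS)
        findings.append(f"no [domain_realm] section; unknown section(s) present: {unknown}")
    realm_conf = conf.get("realms", {}).get(realm)
    if realm_conf is None:
        findings.append(f"[realms] has no block for {realm}")
        return findings
    kdcs = realm_conf.get("kdc", [])
    if len(kdcs) < 2:
        findings.append(f"realm {realm} lists {len(kdcs)} kdc entries; failover needs at least two")
    if probe is not None:
        for kdc in kdcs:
            if not probe(kdc):
                findings.append(f"kdc {kdc} not reachable on TCP/88")
    return findings


if __name__ == "__main__":
    for finding in check_redundancy(parse_krb5(SAMPLE_KRB5_INI)) or ["no findings"]:
        print(finding)
```

Run it against the real file with `check_redundancy(parse_krb5(open(r"C:\Windows\krb5.ini").read()), probe=tcp_probe)` from the Openfire server and from a workstation; a finding for one KDC while the other answers is the quickest way to tell a network or firewall problem from a Kerberos configuration problem before touching SPNs or keytabs.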