SSO with two KDCs for redundancy in Windows 2008 SP2 (non-R2) Environment

I currently have SSO working in an Openfire v3.7.0 Windows Server 2008 SP2 (not R2) environment with Windows 7 SP1 x86 clients running 99% as regular users (not admins) and UAC turned on. I have SSO working with Spark 2.6.0 with both DNS and krb5.ini. However, I already have LDAP lookups redundant across both our DCs by pointing to ‘domainname.local’ for the ‘’ property, but I need to get SSO and Kerberos working on both DCs as well for redundancy. I have followed all the usual documents and posts about SSO on here but I haven’t found much to do with getting two KDCs working together for redundancy.

Here is my krb5.ini on the Openfire server and workstations:


[libdefaults]
    default_realm = DOMAINNAME.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAINNAME.LOCAL = {
        kdc = dc1.domainname.local
        kdc = dc2.domainname.local
        admin_server = dc1.domainname.local
        default_domain = domainname.local
    }

[domain_realm]
    domainname.local = DOMAINNAME.LOCAL
    .domainname.local = DOMAINNAME.LOCAL

Fortunately I have a complete virtual test environment that is a copy of our production domain so I can test things thoroughly without breaking our current production environment that is running SSO on the single dc1 so far. I have run the following commands on dc2.domainname.local but when dc1 is not running I cannot log into Spark via SSO:

setspn -A xmpp/openfireserver.domainname.local@DOMAINNAME.LOCAL openfire.xmpp


ktpass -princ xmpp/openfireserver.domainname.local@DOMAINNAME.LOCAL -mapuser openfire.xmpp@domainname.local -pass * -ptype KRB5_NT_PRINCIPAL

I must be missing something beyond these two commands above but I cannot seem to figure it out despite reading as much as I can on the topic both here and through Google searches.

If anyone can point me in the right direction or has any advice at all I would really appreciate it.
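
A diagnostic sketch for the setup described in the post above, added here as an example and not part of the original post: it reads the KDC entries for the default realm from krb5.ini text and reports whether each one answers on TCP port 88. The function names are hypothetical, the sample text is constructed from the post's placeholder hostnames, and the parser assumes the multi-line realm block layout used in the post.

```python
import socket
# Constructed sample in the post's layout; hostnames are the post's placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = DOMAINNAME.LOCAL
[realms]
    DOMAINNAME.LOCAL = {
        kdc = dc1.domainname.local
        kdc = dc2.domainname.local
    }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.ini text."""
    section, realm, default_realm, kdcs = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line == "}":                     # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value.startswith("{"):
                realm = key                   # start of a realm block
            elif section == "realms" and realm and key == "kdc":
                kdcs.setdefault(realm, []).append(value)  # kdc may repeat
    return default_realm, kdcs

def tcp_probe(host, port, timeout=3.0):  # True if host accepts TCP on port
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def kdc_status(text, probe=tcp_probe):  # reachability per KDC, in file order
    default_realm, kdcs = parse_krb5(text)
    status = {}
    for entry in kdcs.get(default_realm, []):
        host, _, port = entry.partition(":")  # optional host:port form
        status[entry] = probe(host, int(port or 88))
    return status

if __name__ == "__main__":
    print(kdc_status(SAMPLE))
```

A successful connection only shows that a KDC is listening; it does not show that the KDC can issue a ticket for the xmpp service principal.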