Test Document

Here is my SSO method:
Bind server to AD with desired name to get a FQDN you can use (alias won’t work)
Install Openfire (do not configure yet)
Create 2 AD domain admin users: 1 to tie the keytab to and one to be the LDAP bind
Configure server now for AD LDAP
Use the LDAP bind user in the LDAP settings
AdminDN can be LDAPbindusername@domain.com
Do not start server yet
Generate the keytab on domain controller openfire will look at:
C:>ktpass /princ xmpp/fqdn.of.chat.server@YOUR.DOMAIN.COM /mapuser xmpp-user@your.domain.com /pass * /out jabber.keytab
Copy keytab to c:\Program Files\Openfire\resources
Create gss.conf and copy to openfire server at c:\program files\openfire\conf:
com.sun.security.jgss.accept {
keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
Create krb5.ini and copy to root of windows directory of every machine:
default_realm = YOUR.DOMAIN.COM
noaddresses = true
kdc = fqdn.of.domain.controller
default_domain = your.domain.com
Add the following to your openfire.xml:
After :

<!-- Include a comma-separated list of the authentication mechanisms
to advertise support for to clients. Make sure GSSAPI is listed,
and best if it’s listed first. The order of mechanisms is important;
clients should try to use the first mechanism they support
(although not all will). Some clients will try to use the most
secure first.

    You can add other mechanisms in order to support non-GSSAPI clients,
    or clients who cannot authenticate to the realm (like Windows 9X,
    off-site, and so on). Keep in mind that by allowing other mechanisms
    you are compromising the security of your realm. Be sure to talk
    to the Security Officer/Directory/Manager/Administrator about any
    policies your organization might have before enabling less secure
    mechanisms. By removing PLAIN and ANONYMOUS from the list, you will
    also disable non-SASL authentications.

    Keep in mind that a mechanism listed here might not actually be
    advertised, such as when the authProvider can't support the mechanism.
    PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication
    (the old style XMPP auth), so removing them from this list will
    disallow non-SASL authentication. --> 
<mechs>GSSAPI </mechs> 
<!-- Specify the realm you used when you created the service principal
    and keytab.--> 
<!-- Mechanism-specific configuration here --> 
  <!-- Use true to turn on debugging information. This adds a lot
        of noise to your log files, but it can help you spot problems
        sooner in the initial setup. --> 
  <!-- Specify the location of the GSSAPI configuration file you edited. --> 
  <config>C:\Program Files\Openfire\conf\gss.conf</config> 
  <!-- Sets the system property with the same name. You'll probably want
        "false" here (the default). For more details, see
        [http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html] --> 

Within add:

org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider

Add this to all XP SP2 machines registry:
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Start the Openfire server
Try to connect via SSO