
Using SSO for Child AD Domains Not Working

I am using Openfire 3.6.4 with Spark 2.5.8 clients in a two-domain Active Directory (2008) forest. Users in the root domain (domain.local) can log into Spark with SSO without any issues, but users in the child domain (child.domain.local) can never log in with SSO. I believe Kerberos is set up correctly on the AD side and that my keytab file is correct. What I do not know is how gss.conf and krb5.ini should be configured for multiple realms — in particular whether the child realm needs its own [realms] entry and [domain_realm] host mappings, and how the cross-realm (child to parent) trust path is found. Can anyone think of anything I need to do? Samples of the gss.conf and krb5.ini that work for parent-domain users appear below:

gss.conf

// JAAS login entry that Openfire's GSSAPI acceptor looks up by name.
// All options are Krb5LoginModule options; their order is not significant.
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
        storeKey=true
        principal="xmpp/im001.domain.local@DOMAIN.LOCAL"
        realm="DOMAIN.LOCAL"
        isInitiator=false
        debug=false;
};
// useKeyTab/doNotPrompt: the service key comes from the keytab, never from a prompt.
// storeKey: keeps the service key in the Subject so incoming tickets can be accepted.
// isInitiator=false: this entry only accepts contexts; it never requests a TGT itself.
// debug: flip to true while troubleshooting SSO failures, then turn it back off
// (debug output includes principal names and ticket details).

krb5.ini

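[libdefaults]
  default_realm = DOMAIN.LOCAL

# rc4-hmac is what a Windows 2008 forest issues by default. The single-DES
# types (des-cbc-crc, des-cbc-md5) are cryptographically weak and are disabled
# per account in 2008 AD; keep them only if some client genuinely needs them.
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
  DOMAIN.LOCAL = {
    kdc = dc1.domain.local
    kdc = dc2.domain.local
    admin_server = dc1.domain.local
    default_domain = domain.local
  }
# The child realm (CHILD.DOMAIN.LOCAL) needs its own block here listing the
# child domain's DCs as kdc = lines. Without one the Java Kerberos client has
# no way to locate a KDC for the child realm (it does not do DNS SRV lookups
# unless dns_lookup_kdc = true is set), so child-domain tickets cannot be
# obtained or validated across the trust.

# The section name is [domain_realm] (singular). The original [domain_realms]
# header is not recognised, so the whole host-to-realm mapping was ignored;
# parent-domain logins still worked only because default_realm covers them.
[domain_realm]
  .domain.local = DOMAIN.LOCAL
  domain.local = DOMAIN.LOCAL
# The longest matching suffix wins, so child-domain hosts must be mapped
# explicitly or they fall under the parent mapping above.
  .child.domain.local = CHILD.DOMAIN.LOCAL
  child.domain.local = CHILD.DOMAIN.LOCAL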