How to Set Up Openfire SSO on Windows Server 2008 R2 with a 2008 R2 Domain Functional Level
1. Verify DNS. The Openfire server must have a PTR (reverse lookup) record, or SSO will not work.
2. Create a user account that will hold the service principal for the keytab. I used "keytab" in this example. Under the account properties, check "This account supports Kerberos AES 128 bit encryption".
3. On the domain controller, register the SPN against the 'keytab' user (add any other mappings you need the same way).
*case sensitive
setspn -A xmpp/lab2.lab.local@LAB.LOCAL keytab
4. Next, use ktpass to map the principal to the account and create the keytab file.
*case sensitive
ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
(When prompted, enter the same password you set when you created the keytab user account.)
5. On the server running Openfire:
create krb5.ini and place it in C:\Windows
set the following registry value (it lets the Java Kerberos implementation read the TGT session key from the Windows credential cache)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey (REG_DWORD) = 1
6. Copy the keytab created in step 4 (xmpp.keytab) to openfire/resources.
7. Copy or create your gss.conf file in openfire/conf.
8. Add the following system properties in the Openfire admin console:
sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm LAB.LOCAL
Then restart the Openfire service.
9. Install Spark on a workstation.
On each workstation, make the following registry change:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey (REG_DWORD) = 1
10. Copy krb5.ini to C:\Windows on the workstation.
11. Launch Spark and test.
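A gss.conf for step 7, written to match the names used in this guide (principal, realm, keytab file and install path from steps 3, 4, 6 and 8). This is an added example, not a file from the original post; the exact keytab location under the Openfire install directory is assumed, and Java accepts forward slashes in Windows paths here.

```conf
// JAAS entry that Openfire's GSSAPI SASL mechanism uses when
// sasl.gssapi.useSubjectCredsOnly is false (the "accept" side).
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    // Assumed location: the keytab copied in step 6.
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    realm="LAB.LOCAL"
    // Must match the SPN registered with setspn/ktpass (case sensitive).
    principal="xmpp/lab2.lab.local@LAB.LOCAL"
    // Set to true temporarily if you need to troubleshoot ticket acceptance.
    debug=false
    isInitiator=false;
};
```

If Spark fails to authenticate, a principal or realm that differs in case from the SPN created in step 3 is the first thing to compare against this file.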