How to Set Up Openfire SSO on Windows Server 2008 R2/2012 R2 with a Domain Functional Level of 2008 R2/2012 R2
1. Verify DNS. The Openfire server must have a PTR (reverse) record that matches its A record, or SSO will not work.
2. Create a user account that will hold the service principal for the keytab. I used "keytab" in this example. Under account properties, check "This account supports Kerberos AES 128 bit encryption".
3. On the domain controller, register the SPN on the 'keytab' user. Note: the SPN must match what you are using for xmpp.domain. In this example xmpp.domain is the FQDN of the server, lab2.lab.local.
*case sensitive
setspn -A xmpp/lab2.lab.local@LAB.LOCAL keytab
4. Next, use ktpass to set the remaining principal information and create the keytab file.
*case sensitive
ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
(when prompted by -pass *, enter the same password you used when you created the keytab user account: ktpass sets the account password to whatever you type, and it also rewrites the account's UPN to the principal name, which is expected)
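Steps 1 to 4 as one script, an added example that is not part of the original write-up. It reuses the names above (lab2.lab.local, LAB.LOCAL, the 'keytab' account); the output path C:\temp\xmpp.keytab and the DNS-check cmdlet are assumptions. Run it in an elevated PowerShell on a domain controller (or a machine with RSAT) as a domain admin:

```powershell
# Added example (not from the original page): DC-side setup for Openfire SSO.
# Assumed: C:\temp as a staging path; Resolve-DnsName needs the DnsClient module
# (Server 2012 or later), on 2008 R2 do the same two lookups with nslookup.
Import-Module ActiveDirectory

$XmppHost   = 'lab2.lab.local'            # must be identical to Openfire's xmpp.domain
$Realm      = 'LAB.LOCAL'                 # Kerberos realm, always upper case
$SvcAccount = 'keytab'
$Spn        = "xmpp/$XmppHost@$Realm"     # case sensitive: service lower, realm upper
$KeytabOut  = 'C:\temp\xmpp.keytab'       # assumed output location

# Step 1: forward and reverse lookups must agree. The Java Kerberos client canonicalizes
# the service host name through reverse DNS, so a missing or wrong PTR breaks SSO.
$a  = Resolve-DnsName -Name $XmppHost -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
$ip = ($a | Select-Object -First 1).IPAddress
$ptrName = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
            Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1).NameHost
if (-not $ptrName -or $ptrName.TrimEnd('.') -ne $XmppHost) {
    throw "PTR for $ip is '$ptrName', expected '$XmppHost' (step 1 fails)"
}

# Step 2: the account whose long-term key ends up in the keytab. AES128 is the same as the
# "This account supports Kerberos AES 128 bit encryption" checkbox. PasswordNeverExpires
# matters because any password change invalidates the keytab.
$pw = Read-Host -Prompt "Password for $SvcAccount (you will type it again for ktpass)" -AsSecureString
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES128 -Description 'Openfire SSO keytab account'

# Step 3: register the SPN (setspn -S instead of -A would also refuse a duplicate SPN).
& setspn.exe -A $Spn $SvcAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
& setspn.exe -L $SvcAccount

# Step 4: write the keytab. -pass * prompts; enter the step 2 password, because ktpass
# sets the account password to what you type and rewrites the account's UPN to $Spn.
& ktpass.exe -princ $Spn -mapuser "$SvcAccount@$($Realm.ToLower())" -crypto all `
    -pass * -ptype KRB5_NT_PRINCIPAL -out $KeytabOut
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Check what the account now carries before copying the keytab to the Openfire server.
Get-ADUser $SvcAccount -Properties servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes' |
    Format-List servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes'
```

The keytab is equivalent to the service account's password: copy it to the Openfire server over an authenticated channel (an admin share or RDP, not e-mail) and delete the staging copy afterwards.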
5. On the server running Openfire:
create krb5.ini and place it in C:\Windows
set the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey (REG_DWORD) = 1
6. Copy the keytab created in step 4 (xmpp.keytab) to openfire/resources
7. Copy or create your gss.conf file in openfire/conf
8. Add the following system properties in Openfire
sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm LAB.LOCAL
restart the Openfire service
9. Install Spark on a workstation.
On each workstation make the following registry change:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey (REG_DWORD) = 1
10. Copy krb5.ini to C:\Windows
11. Launch Spark and test.
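Steps 5 to 10 as one script, an added example that is not part of the original write-up. The krb5.ini and gss.conf contents are my own, written from the values the steps above give (LAB.LOCAL, lab2.lab.local, the Openfire paths); the KDC name dc1.lab.local, the staging path of the copied keytab, the 'Openfire' service name and the function names are assumptions. Because the workstation steps (9 and 10) repeat the registry change and krb5.ini from step 5, both sides share one function. Run in an elevated PowerShell:

```powershell
# Added example (not from the original page): Openfire-server and workstation side.
$Realm        = 'LAB.LOCAL'
$Kdc          = 'dc1.lab.local'                      # assumed; use your DC's FQDN
$XmppHost     = 'lab2.lab.local'                     # xmpp.domain
$OpenfireDir  = 'C:\Program Files (x86)\Openfire'
$KeytabSource = 'C:\temp\xmpp.keytab'                # assumed; where step 4's file was copied to

function Set-KerberosClientPrereqs {
    # Shared by the Openfire server (step 5) and every Spark workstation (steps 9 and 10):
    # the krb5.ini Java reads from C:\Windows, and the LSA value that lets a user-mode
    # Kerberos client (the JVM here) obtain the session key of the logged-on user's TGT.
    param([string]$Realm, [string]$Kdc)

    $domain = $Realm.ToLower()
    # Enctypes limited to AES128 (step 2's checkbox) plus RC4 as fallback: an assumption,
    # adjust if your account and keytab were created with different types.
    $krb5 = @"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $Kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $Realm
    $domain = $Realm
"@
    Set-Content -Path (Join-Path $env:SystemRoot 'krb5.ini') -Value $krb5 -Encoding Ascii

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'allowtgtsessionkey' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Install-OpenfireGssapi {
    # Steps 6 and 7: keytab under resources, JAAS entry that sasl.gssapi.config points at.
    # Step 8 (the sasl.* system properties) is done in the admin console, not here.
    param([string]$OpenfireDir, [string]$KeytabSource, [string]$Realm, [string]$XmppHost)

    $keytab = Join-Path $OpenfireDir 'resources\xmpp.keytab'
    Copy-Item -Path $KeytabSource -Destination $keytab -Force

    # The keytab equals the service account's password: drop inherited ACEs, keep read for
    # SYSTEM (assumed service identity; grant your service account instead if you changed it).
    & icacls.exe $keytab /inheritance:r /grant 'SYSTEM:R' /grant 'Administrators:F' | Out-Null

    $keytabJava = $keytab -replace '\\', '/'   # forward slashes avoid escaping in the JAAS parser
    $gss = @"
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    keyTab="$keytabJava"
    principal="xmpp/$XmppHost@$Realm"
    realm="$Realm"
    isInitiator=false
    debug=false;
};
"@
    Set-Content -Path (Join-Path $OpenfireDir 'conf\gss.conf') -Value $gss -Encoding Ascii
}

# Openfire server: steps 5 to 8, then restart the service.
Set-KerberosClientPrereqs -Realm $Realm -Kdc $Kdc
Install-OpenfireGssapi -OpenfireDir $OpenfireDir -KeytabSource $KeytabSource -Realm $Realm -XmppHost $XmppHost
# ... now set sasl.gssapi.config, sasl.gssapi.useSubjectCredsOnly, sasl.mechs and sasl.realm in the admin console ...
Restart-Service -Name 'Openfire'                     # service name as installed by the Windows installer (assumed)

# Spark workstations: steps 9 and 10 need only the shared prerequisites, run once per machine.
# Set-KerberosClientPrereqs -Realm $Realm -Kdc $Kdc
```

After a workstation logs in with Spark, klist on that workstation should list a service ticket for xmpp/lab2.lab.local @ LAB.LOCAL; if it does not, the client never asked the KDC for the SPN and the problem is on the DNS or SPN side (steps 1 and 3), not in Openfire.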