2295 Views, 0 Replies. Latest reply: Jul 24, 2009 7:09 AM by Nevetsrulz
Nevetsrulz (Bronze, 2 posts since May 20, 2009)

Jul 24, 2009 7:09 AM

Using SSO for Child AD Domains Not Working

I am using OpenFire 3.6.4 with Spark 2.5.8 clients. I have a 2 domain Active Directory (2008) forest. Users in the first domain (domain.local) can log into Spark using SSO without any issues. However, users in the second domain (child.domain.local) can never log in using SSO. I believe Kerberos is set up correctly on the AD side, and I believe my keytab file is correct. However, I do not know how my gss.conf file should be configured when running for multiple realms, nor my krb5.ini file. Can anyone think of anything I need to do? Samples of gss.conf and krb5.ini that work for my parent domain users appear below:

gss.conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.LOCAL"
    principal="xmpp/im001.domain.local@DOMAIN.LOCAL"
    isInitiator=false
    debug=false;
};

krb5.ini

[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
        kdc = dc2.domain.local
        admin_server = dc1.domain.local
        default_domain = domain.local
    }

# The section name is [domain_realm] (singular); a [domain_realms]
# section is not recognised, so host-to-realm mapping would fall back
# to the default realm.
[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL
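The following krb5.ini is an added example for the two-realm forest described in the post, not a file from the original poster or from the Openfire project. It extends the poster's working parent-realm file with the child realm so that a Spark client logged on to child.domain.local can (a) find its own KDCs, (b) map the Openfire host im001.domain.local to DOMAIN.LOCAL and therefore ask for xmpp/im001.domain.local@DOMAIN.LOCAL, and (c) follow the cross-realm trust to the parent. The child KDC hostnames (dc1.child.domain.local, dc2.child.domain.local) are assumptions; the enctype list is kept identical to the poster's. The gss.conf acceptor entry identifies only the service's own principal and keytab and does not list client realms, so the realm knowledge belongs here.

```ini
# Added example krb5.ini for a parent/child AD forest (not from the
# original post). Child KDC hostnames below are assumptions.

[libdefaults]
    default_realm = DOMAIN.LOCAL
    # Same enctype set as the poster's parent-realm file that already works
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    # Parent realm: owns the xmpp/im001.domain.local service principal
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
        kdc = dc2.domain.local
        admin_server = dc1.domain.local
        default_domain = domain.local
    }
    # Child realm: where the failing users' accounts and their TGTs live
    CHILD.DOMAIN.LOCAL = {
        kdc = dc1.child.domain.local
        kdc = dc2.child.domain.local
        admin_server = dc1.child.domain.local
        default_domain = child.domain.local
    }

[domain_realm]
    # Longest suffix match wins: hosts under child.domain.local map to the
    # child realm, while im001.domain.local still maps to DOMAIN.LOCAL, so
    # the client requests xmpp/im001.domain.local@DOMAIN.LOCAL.
    child.domain.local = CHILD.DOMAIN.LOCAL
    .child.domain.local = CHILD.DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL

[capaths]
    # Parent and child share a direct two-way transitive trust, so the
    # cross-realm path is direct ("."): the child-realm client first gets a
    # krbtgt/DOMAIN.LOCAL@CHILD.DOMAIN.LOCAL ticket, then the service ticket.
    # For a parent/child pair the hierarchical default yields the same path;
    # spelling it out keeps the path explicit.
    CHILD.DOMAIN.LOCAL = {
        DOMAIN.LOCAL = .
    }
    DOMAIN.LOCAL = {
        CHILD.DOMAIN.LOCAL = .
    }
```

The same file content is needed on the child-domain Spark clients, not only on the Openfire server, because it is the client that has to locate the child KDCs and pick the server's realm. To see which realm and service principal a failing client actually asks for, set debug=true in the gss.conf entry above and start Spark with -Dsun.security.krb5.debug=true; the resulting trace shows the TGS requests, including the cross-realm krbtgt step, and makes a wrong realm mapping visible immediately.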
