How to Set Up Openfire SSO on Windows Server 2008r2/2012r2 with a Domain Level of 2008r2/2012r2

Version 8

1. Verify DNS: the Openfire server must have a PTR (reverse lookup) record, or SSO will not work.

2. Create a user account that will be used for the keytab. I used "keytab" in this example. Under the account properties, check "This account supports Kerberos AES 128 bit encryption".

3. On the domain controller, register the SPN on the 'keytab' user account (and any other mappings you need).

Note: The SPN should match what you are using for xmpp.domain, i.e. xmpp/xmpp.domain. In this example, xmpp.domain is the FQDN of the server, lab2.lab.local.

*case sensitive

setspn -S xmpp/lab2.lab.local@LAB.LOCAL keytab

(setspn -S adds the SPN only after checking that no other object already has it.)
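Steps 1 and 3 can be checked from the domain controller (or any domain-joined host that has setspn) before going further. The script below is an added example and is not part of the original how-to; it assumes the host name, realm and account name used in this walkthrough, and it uses .NET for the reverse lookup so that it also runs under the PowerShell 2.0 that ships with 2008r2, which has no Resolve-DnsName cmdlet.

```powershell
# Added example (not part of the original how-to): pre-flight checks for
# steps 1 and 3. The values below are the walkthrough's; replace with your own.
$OpenfireHost = 'lab2.lab.local'   # xmpp.domain, the Openfire server FQDN
$Realm        = 'LAB.LOCAL'
$KeytabUser   = 'keytab'

# Step 1: forward lookup, then a reverse lookup of every returned address.
# Kerberos clients build the service principal from the canonical host name,
# so a missing or mismatched PTR record leaves Spark asking the KDC for a
# ticket to a principal that is not in the keytab.
$addresses = [System.Net.Dns]::GetHostAddresses($OpenfireHost)
foreach ($ip in $addresses) {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($ptr -eq $OpenfireHost) {
            Write-Host "OK   PTR for $ip -> $ptr"
        } else {
            Write-Warning "PTR for $ip is '$ptr', expected '$OpenfireHost'"
        }
    } catch {
        Write-Warning "No PTR record for $ip - SSO will not work until one exists"
    }
}

# Step 3: list the SPNs on the keytab account and look for xmpp/<host>.
# setspn -L prints "Registered ServicePrincipalNames for <DN>:" followed by
# one indented SPN per line.
$spnPrefix = "xmpp/$OpenfireHost"
$spnList   = & setspn.exe -L $KeytabUser 2>&1
$hits      = @($spnList | Where-Object { "$_".Trim() -like "$spnPrefix*" })
if ($hits.Count -eq 0) {
    Write-Warning "No $spnPrefix SPN on $KeytabUser; run: setspn -S $spnPrefix@$Realm $KeytabUser"
} else {
    Write-Host "OK   SPN(s) on ${KeytabUser}:"
    $hits | ForEach-Object { Write-Host "     $("$_".Trim())" }
}

# A duplicate SPN (the same name on two accounts) makes the KDC reject the
# request, which surfaces in Spark as a plain login failure. setspn -X
# searches the forest and reports any groups of duplicates.
& setspn.exe -X 2>&1 | Where-Object { $_ -match 'duplicate' }
```

Run it from a prompt on the domain controller after step 3; every line should start with OK and the duplicate search should print nothing before you move on to ktpass.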

4. Next, use ktpass to set additional information and create the keytab file.

Note: The -princ value should match what you are using for xmpp.domain, i.e. -princ xmpp/xmpp.domain. In this example, xmpp.domain is the FQDN of the server, lab2.lab.local.

*case sensitive

ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

When -pass * prompts you, enter the same password that you used when you created the keytab user account.

5. On the server running Openfire:

Create krb5.ini and place it in C:\Windows.

Set the following registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey (REG_DWORD) = 1
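The step above does not show what goes into krb5.ini. The file below is an added example, not one from the original how-to, of a minimal krb5.ini for the LAB.LOCAL realm used throughout this walkthrough. The KDC host name dc1.lab.local is a placeholder for your own domain controller, and pinning the encryption types to AES 128 is an assumption made to match the account option ticked in step 2; drop those three lines if your Java build supports every type that ktpass -crypto all wrote into the keytab.

```ini
# Added example krb5.ini (not from the original how-to). Java on Windows reads
# this file from C:\Windows\krb5.ini when no java.security.krb5.conf is set.
[libdefaults]
    default_realm = LAB.LOCAL
    # Assumption: keep client and server on the AES 128 type enabled in step 2.
    # Java only accepts the AES 256 types with the unlimited-strength JCE
    # policy installed, so restricting to AES 128 avoids a silent mismatch.
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96

[realms]
    LAB.LOCAL = {
        # Placeholder: the FQDN of a domain controller for the realm.
        kdc = dc1.lab.local
        admin_server = dc1.lab.local
        default_domain = lab.local
    }

# Map DNS names to the Kerberos realm; the leading-dot entry covers every host
# under lab.local, the bare entry covers the domain name itself.
[domain_realm]
    .lab.local = LAB.LOCAL
    lab.local = LAB.LOCAL
```

The same file is reused unchanged on the workstations in step 10, since Spark's Java runtime resolves the realm and KDC the same way Openfire's does.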

6. Copy the keytab file created in step 4 (xmpp.keytab) to openfire/resources.

7. Copy or create your gss.conf file in openfire/conf.
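The how-to does not show the contents of gss.conf either. What follows is an added example, not the project's own file, of a JAAS login configuration for the Kerberos acceptor side. The entry name com.sun.security.jgss.accept is the one the JDK's GSS-API layer loads when sasl.gssapi.useSubjectCredsOnly is false (as set in step 8); the keytab path assumes the default install directory from step 8 together with the resources folder from step 6, and the principal and realm are the ones from steps 3 and 4.

```text
// Added example gss.conf (not from the original how-to). JAAS accepts
// forward slashes in Windows paths, which avoids doubling backslashes here.
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    doNotPrompt=true
    isInitiator=false
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    principal="xmpp/lab2.lab.local@LAB.LOCAL"
    realm="LAB.LOCAL"
    debug=false;
};
```

The principal string must be byte-for-byte the -princ value passed to ktpass in step 4, including the upper-case realm; set debug=true here and sasl.gssapi.debug to true in step 8 while troubleshooting, then turn both off again, because the debug output includes ticket details that do not belong in a production log.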

8. Add the following system properties in Openfire:

sasl.gssapi.config  C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug  false
sasl.gssapi.useSubjectCredsOnly  false
sasl.mechs  GSSAPI
sasl.realm  LAB.LOCAL

Restart the Openfire service.

9. Install Spark on a workstation.

On each workstation, make the following registry change:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey (REG_DWORD) = 1
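The function below applies this registry change with PowerShell instead of regedit. It is an added example, not part of the original how-to, and it serves step 5 on the Openfire server as well, since both steps set the same value under the same key. The value matters because Java's Kerberos code (which Spark uses) reads the logged-on user's TGT from the LSA cache and needs the session key that LSA withholds by default; the trade-off is that, once set, any process running as that user can obtain the TGT session key, so apply it only where SSO is actually needed. Run it from an elevated prompt.

```powershell
# Added example (not part of the original how-to): sets allowtgtsessionkey
# from steps 5 and 9 and reports what it found. Requires an elevated prompt.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName      = 'allowtgtsessionkey'

function Set-AllowTgtSessionKey {
    param(
        [string]$Path = $KerberosParams,
        [string]$Name = $ValueName
    )
    # The Parameters key does not exist on a fresh install; create it if needed.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq 1) {
        Write-Host "$Name is already 1 (REG_DWORD) under $Path"
        return
    }
    # -Force replaces an existing value of a different type or content.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$Name set to 1 (REG_DWORD) under $Path"
}

Set-AllowTgtSessionKey

# Optional: drop the tickets cached before the change so Spark's first attempt
# is not served from them. Logging off and on again has the same effect.
& klist.exe purge
```

After the function runs, klist (with no arguments) should list a krbtgt/LAB.LOCAL ticket for the logged-on user the next time a domain resource is touched; if it does not, Spark has nothing to present to Openfire and SSO will fall back to a password prompt.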

10. Copy krb5.ini to C:\Windows.

11. Launch Spark and test.