SSO (Single Sign On) configuration changes since Spark 2.8.0

Version 5

    If you use SSO (Single Sign On) together with SRV records, Spark 2.8.0 may require an update to your keytab file. You will need to add an SPN for the SRV record and recreate the keytab file.


    Example: if your XMPP domain is igniterealtime.org, your SRV record might be xmpp.igniterealtime.org.


    Review the current SPNs:

    setspn -L keytab    (keytab is the name of the user account the keytab was created for)

    Output:

    Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:

    xmpp/igniterealtime.org

    xmpp/igniterealtime.org@DOMAIN.LOCAL


    Add SPNs for the SRV record:

    setspn -A xmpp/xmpp.igniterealtime.org keytab

    setspn -A xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL keytab


    Review the SPNs again:

    setspn -L keytab

    Output:

    Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:

    xmpp/igniterealtime.org

    xmpp/xmpp.igniterealtime.org

    xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL

    xmpp/igniterealtime.org@DOMAIN.LOCAL


    Review your gss.conf file within your ..\openfire\conf folder:

    Locate the principal and keytab file names, e.g. principal="xmpp/igniterealtime.org", keytab="C:/openfire/resources/xmpp.keytab"


    Recreate your keytab using the principal and keytab file names from above:

    ktpass -princ xmpp/igniterealtime.org@DOMAIN.LOCAL -mapuser keytab@domain.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


    Replace the keytab in ..\openfire\resources\ with the newly created keytab file.


    Restart Openfire.


    Note: the new settings should remain compatible with Spark 2.7.x versions.
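As an added check (example code written for this page, not part of the Spark or Openfire projects), the script below compares the SPNs listed by `setspn -L` against the four the procedure expects, prints the `setspn -A` commands for any that are missing, and confirms that the principal in gss.conf is actually registered on the keytab account. The setspn output and gss.conf fragment are constructed samples copied from the steps above; the account name, XMPP domain, SRV host and realm are the page's own example values.

```python
import re

# Constructed sample output of `setspn -L keytab`, mirroring the "Review current
# SPN" step above (before the SPNs for the SRV record were added).
SETSPN_BEFORE = """\
Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:
    xmpp/igniterealtime.org
    xmpp/igniterealtime.org@DOMAIN.LOCAL
"""

# Constructed gss.conf fragment containing the two settings the text says to locate.
GSS_CONF = 'principal="xmpp/igniterealtime.org", keytab="C:/openfire/resources/xmpp.keytab"'

def parse_setspn(output):
    """Return the set of SPNs printed by `setspn -L`, skipping the header line."""
    spns = set()
    for ln in output.splitlines():
        ln = ln.strip()
        if ln and not ln.startswith("Registered ServicePrincipalNames"):
            spns.add(ln)
    return spns

def required_spns(xmpp_domain, srv_host, realm, service="xmpp"):
    """SPNs the account needs: the XMPP domain and the SRV target host, each with
    and without the realm suffix (the four entries in the final setspn output)."""
    return {f"{service}/{host}{suffix}"
            for host in (xmpp_domain, srv_host) for suffix in ("", "@" + realm)}

def missing_spns(setspn_output, xmpp_domain, srv_host, realm):
    """SPNs still to be registered with `setspn -A`, sorted for stable output."""
    return sorted(required_spns(xmpp_domain, srv_host, realm) - parse_setspn(setspn_output))

def setspn_commands(missing, account="keytab"):
    """The `setspn -A` commands that would register each missing SPN on the account."""
    return [f"setspn -A {spn} {account}" for spn in missing]

def gss_settings(conf_text):
    """Pull key="value" pairs (principal, keytab, ...) out of a gss.conf fragment."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', conf_text)}

def check_principal(setspn_output, conf_text):
    """True when the principal named in gss.conf is registered on the keytab account."""
    return gss_settings(conf_text)["principal"] in parse_setspn(setspn_output)

if __name__ == "__main__":
    todo = missing_spns(SETSPN_BEFORE, "igniterealtime.org", "xmpp.igniterealtime.org", "DOMAIN.LOCAL")
    print("\n".join(setspn_commands(todo)))
    print("gss.conf principal registered:", check_principal(SETSPN_BEFORE, GSS_CONF))
```

Run it against the real `setspn -L` output once before and once after adding the SPNs; the second run should report nothing missing.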