How to Set Up Openfire SSO on Windows Server 2008 R2/2012 R2 with a Domain Level of 2008 R2/2012 R2

Document created by speedy Champion on Apr 15, 2013. Last modified by speedy Champion on Feb 23, 2017. Version 8.

1. Verify DNS. The Openfire server must have a PTR (reverse) record as well as its A record, or SSO will not work: Kerberos clients generally canonicalize the server host name through DNS before building the service principal name, and a missing or wrong PTR makes them ask the KDC for a ticket for a name that has no matching SPN. Check it with nslookup against the server's IP address before going further.

2. Create a dedicated user account that will hold the keytab's key. I used "keytab" in this example. Under account properties, check "This Account Supports Kerberos AES 128 bit encryption". Also set the password to never expire and tick "User cannot change password": the keytab you create in step 4 is derived from this password, so any password change (including an expiry-driven one) invalidates the keytab and breaks SSO until it is regenerated. The account needs no group memberships beyond Domain Users and should never be used for interactive logon.

3. On the domain controller, register the SPN on the 'keytab' user.

Note: The SPN must match what you are using for xmpp.domain, i.e. xmpp/xmpp.domain. In this example, xmpp.domain is the FQDN of the server, lab2.lab.local. The SPN is case sensitive.

setspn -S xmpp/lab2.lab.local@LAB.LOCAL keytab

The -S switch checks that the SPN is not already registered on another account before adding it. A duplicate SPN is the most common reason SSO fails silently, because the KDC refuses to issue a ticket for an ambiguous name; setspn -Q xmpp/lab2.lab.local shows which account currently holds the SPN.

4. Next use ktpass to map the principal to the account and create the keytab file.

Note: The -princ value must match what you are using for xmpp.domain, i.e. -princ xmpp/xmpp.domain. In this example, xmpp.domain is the FQDN of the server, lab2.lab.local. The principal is case sensitive, and the realm part (@LAB.LOCAL) is upper case.

ktpass -princ xmpp/lab2.lab.local@LAB.LOCAL -mapuser keytab@lab.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

When prompted, enter the same password that you used when you created the keytab user account. Two things to know about ktpass: it sets the account's password to the value you enter and increments the account's key version number (kvno) each time it runs, so only the most recently generated keytab is valid; and the resulting xmpp.keytab is a password equivalent for the account, so copy it to the Openfire server over an authenticated channel (an administrative share or an RDP session, not e-mail) and delete the working copy from the domain controller afterwards. -crypto all writes one keytab entry per encryption type the account supports, including the AES 128 key enabled in step 2.

5. On the server running Openfire:

Create krb5.ini and place it in C:\Windows; the Java Kerberos library on Windows reads its realm and KDC configuration from there. It needs at least a [libdefaults] section with default_realm = LAB.LOCAL, a [realms] entry naming your KDC, and [domain_realm] mappings for lab.local.

Set the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey REG_DWORD value 1

Caveat: allowtgtsessionkey makes the TGT session key available to user-mode code. Java needs it to use tickets already held in the Windows credential cache, but it also means any process running in a user's logon session can read and reuse that user's TGT, so enable it only on hosts that actually need it.

6. Copy the keytab created in step 4 (xmpp.keytab) to openfire/resources. Restrict its NTFS permissions to the account the Openfire service runs as (usually LocalSystem) and Administrators; anyone who can read the file holds the service's key and can decrypt or forge tickets for it.

7. Copy or create your gss.conf file in openfire/conf. This is a JAAS login configuration that tells Openfire's GSSAPI provider to accept connections using the keytab; its keyTab and principal entries must point at the file from step 6 and the exact principal from step 4.

8. Add the following system properties in the Openfire admin console (Server > Server Manager > System Properties):

sasl.gssapi.config  C:\Program Files (x86)\Openfire\conf\gss.conf

sasl.gssapi.debug  false

sasl.gssapi.useSubjectCredsOnly  false

sasl.mechs  GSSAPI

sasl.realm  LAB.LOCAL

Note that listing only GSSAPI in sasl.mechs disables every other SASL mechanism, so clients that cannot obtain a Kerberos ticket (for example a laptop that is off the domain) will fail to log in. Set sasl.gssapi.debug to true only while troubleshooting; it writes verbose GSSAPI traces to the Openfire log.

Restart the Openfire service.
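
The server-side steps 1 through 8 above, scripted in PowerShell as an added example that is not part of the original document or of Openfire's own tooling. New-OpenfireKeytab runs on a domain controller (steps 2 to 4) and Set-OpenfireKerberosHost on the Openfire server (steps 5 to 7 plus the restart). The DC host name dc1.lab.local, the Windows service name Openfire, the keytab copy path, the icacls grants and the contents of krb5.ini and gss.conf are assumptions chosen to fit the lab in this page; the sasl.* properties from step 8 are still set by hand in the admin console.

```powershell
# Added example: scripts the server side of the procedure above. Every host,
# account, share and path below is an assumption for the lab in this page;
# change them to match your environment.
Import-Module ActiveDirectory   # AD PowerShell module (RSAT) on the DC

$Realm       = 'LAB.LOCAL'                  # Kerberos realm, upper case
$Domain      = 'lab.local'
$XmppDomain  = 'lab2.lab.local'             # must equal Openfire's xmpp.domain
$Spn         = "xmpp/$XmppDomain"           # case sensitive
$KeytabUser  = 'keytab'
$Kdc         = 'dc1.lab.local'              # assumed DC host name
$OpenfireDir = 'C:\Program Files (x86)\Openfire'
$KerbKey     = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Test-OpenfirePtr {
    # Step 1: forward-resolve the server, reverse-resolve the address, and
    # require the two names to agree; SSO will not work otherwise.
    $ip  = [System.Net.Dns]::GetHostAddresses($XmppDomain)[0]
    $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
    if ($ptr -ne $XmppDomain) {
        throw "PTR for $ip is '$ptr', expected '$XmppDomain'"
    }
    "DNS OK: $XmppDomain <-> $ip"
}

function New-OpenfireKeytab {
    # Steps 2-4, run on a domain controller as a domain admin.
    Test-OpenfirePtr
    # Step 2: dedicated account, AES128 enabled, password fixed for the life
    # of the keytab, never used interactively.
    $pw = Read-Host -AsSecureString "Initial password for $KeytabUser"
    New-ADUser -Name $KeytabUser -SamAccountName $KeytabUser `
        -UserPrincipalName "$KeytabUser@$Domain" -AccountPassword $pw `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES128
    # Step 3: -S refuses to add an SPN already registered on another account.
    # setspn takes only the service/host part; the realm belongs to ktpass.
    & setspn -S $Spn $KeytabUser
    if ($LASTEXITCODE -ne 0) { throw 'setspn failed (duplicate SPN?)' }
    # Step 4: ktpass prompts for the password (-pass *), resets the account
    # to it, bumps the kvno and writes one key per enctype into the keytab.
    $out = Join-Path $env:TEMP 'xmpp.keytab'
    & ktpass -princ "$Spn@$Realm" -mapuser "$KeytabUser@$Domain" -crypto all `
        -pass '*' -ptype KRB5_NT_PRINCIPAL -out $out
    if ($LASTEXITCODE -ne 0) { throw 'ktpass failed' }
    "Keytab written to $out; copy it to the Openfire server, then delete it here."
}

function Set-OpenfireKerberosHost {
    # Steps 5-7 (and the restart from step 8), run on the Openfire server.
    param([string]$KeytabSource = "\\$Kdc\c$\Temp\xmpp.keytab")   # assumed path

    # Step 5a: krb5.ini for the Java Kerberos library.
    $krb5 = @"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $Kdc
        default_domain = $Domain
    }

[domain_realm]
    .$Domain = $Realm
    $Domain = $Realm
"@
    Set-Content -Path (Join-Path $env:windir 'krb5.ini') -Value $krb5 -Encoding Ascii

    # Step 5b: let Java read TGT session keys from the LSA cache. Trade-off:
    # any process in a user's session can then reuse that user's TGT.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $KerbKey -Name allowtgtsessionkey -Value 1 -Type DWord

    # Step 6: keytab into resources, readable only by the service identity
    # (assumed LocalSystem) and Administrators; it is a password equivalent.
    $keytab = Join-Path $OpenfireDir 'resources\xmpp.keytab'
    Copy-Item -Path $KeytabSource -Destination $keytab
    & icacls $keytab /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null

    # Step 7: JAAS config that makes Openfire accept GSSAPI with that keytab.
    $gss = @"
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="$($keytab -replace '\\', '/')"
    doNotPrompt=true
    useKeyTab=true
    realm="$Realm"
    principal="$Spn@$Realm"
    isInitiator=false;
};
"@
    Set-Content -Path (Join-Path $OpenfireDir 'conf\gss.conf') -Value $gss -Encoding Ascii

    # Step 8 is manual: set the sasl.* properties in the admin console, then
    # restart (Windows service name 'Openfire' assumed).
    Restart-Service -Name Openfire
}
```

Dot-source the file, run New-OpenfireKeytab on the DC, move the keytab, then run Set-OpenfireKerberosHost on the Openfire server. The password is entered only at the two prompts so it never appears on a command line or in the PowerShell history, and the icacls call is the step most people skip: without it the keytab inherits the permissive defaults of the Program Files tree.
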
9. Install Spark on a workstation.

On the workstation, make the following registry change:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

allowtgtsessionkey REG_DWORD value 1

The same caveat as in step 5 applies: this exposes the logged-on user's TGT session key to every process in that user's session, so treat it as a per-host decision. Spark needs it because it reuses the user's existing TGT from the Windows credential cache instead of prompting for a password.

10. Copy the krb5.ini from step 5 to C:\Windows on the workstation.

11. Launch Spark, enable single sign-on under the advanced login settings, and test with a domain user who is logged on to Windows. If login fails, run klist on the workstation to confirm a TGT exists and that a service ticket for xmpp/lab2.lab.local is issued, and temporarily set sasl.gssapi.debug to true on the server.
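
The workstation side (steps 9 to 11) with a pre-flight check for the test in step 11, as an added PowerShell example that is not from the original document or from Spark. Set-OpenfireSsoWorkstation applies the registry change and copies krb5.ini from an assumed share on the Openfire server; Test-OpenfireSso verifies the registry value, the presence of krb5.ini, the reverse DNS record from step 1 and, most usefully, that the KDC will actually issue a service ticket for the SPN, which is what Spark needs before it ever talks to Openfire. The share path, server name and SPN are assumptions.

```powershell
# Added example: workstation setup plus a check that step 11 can succeed.
# Share path, server name and SPN are assumptions for the lab in this page.
$KerbKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-OpenfireSsoWorkstation {
    param([string]$Krb5Source = '\\lab2.lab.local\install$\krb5.ini')  # assumed share
    # Step 9: Spark reuses the logged-on user's TGT from the LSA cache, and
    # Java can only do that when the session key is exported. Same caveat as
    # on the server: every process in the user's session can read that key.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $KerbKey -Name allowtgtsessionkey -Value 1 -Type DWord
    # Step 10: the same krb5.ini as the server.
    Copy-Item -Path $Krb5Source -Destination (Join-Path $env:windir 'krb5.ini')
}

function Test-OpenfireSso {
    param([string]$XmppDomain = 'lab2.lab.local',
          [string]$Spn        = 'xmpp/lab2.lab.local')   # case sensitive
    $ok = $true

    # Registry and krb5.ini as configured in steps 9 and 10.
    $val = (Get-ItemProperty -Path $KerbKey -ErrorAction SilentlyContinue).allowtgtsessionkey
    if ($val -ne 1) { Write-Warning 'allowtgtsessionkey is not 1'; $ok = $false }
    if (-not (Test-Path (Join-Path $env:windir 'krb5.ini'))) {
        Write-Warning 'krb5.ini is missing from C:\Windows'; $ok = $false
    }

    # Step 1 again, from the client's point of view.
    try {
        $ip  = [System.Net.Dns]::GetHostAddresses($XmppDomain)[0]
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($ptr -ne $XmppDomain) { Write-Warning "PTR mismatch: $ip -> $ptr"; $ok = $false }
    } catch { Write-Warning "DNS lookup failed: $_"; $ok = $false }

    # The decisive check: ask the KDC for a service ticket for the SPN.
    # Failure here means a missing or duplicate SPN, wrong case, or no TGT
    # (user not logged on with a domain account), and is not an Openfire problem.
    $klist = & klist get $Spn 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $klist -notmatch [regex]::Escape($Spn)) {
        Write-Warning "No service ticket for $Spn`n$klist"; $ok = $false
    } else {
        # The ticket's enctype should be AES if the step 2 account option took effect.
        $klist -split "`r?`n" | Where-Object { $_ -match 'Encryption Type' } |
            ForEach-Object { Write-Host $_.Trim() }
    }
    return $ok
}
```

Run Set-OpenfireSsoWorkstation once as an administrator, then Test-OpenfireSso as the domain user who will use Spark; it returns $true only when every check passes. A ticket that shows an RC4 encryption type while the account was enabled for AES usually means the keytab was generated before the AES option was set, so go back to step 4.
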
