SSO (Single Sign On) configuration changes since Spark 2.8.0

Document created by wroot Champion on Aug 20, 2016. Last modified by speedy on Feb 23, 2017. Version 6.

For those who are using SSO (Single Sign On), Spark 2.8.0 may require an update to the keytab file if you are using SRV records. You will need to add an SPN for the host named in that record and recreate the keytab file.

Example: if your XMPP domain is igniterealtime.org, your SRV record might point to xmpp.igniterealtime.org.

Review current SPN:

setspn -L keytab (where keytab is the name of the AD user account the keytab is mapped to)

Output:

Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:  

xmpp/igniterealtime.org  

xmpp/igniterealtime.org@DOMAIN.LOCAL


Add SPNs for the SRV record host:

setspn -S xmpp/xmpp.igniterealtime.org keytab

setspn -S xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL keytab

Review SPN again:

setspn -L keytab

Output:

Registered ServicePrincipalNames for CN=keytab,CN=Users,DC=domain,DC=local:  

xmpp/igniterealtime.org  

xmpp/xmpp.igniterealtime.org 

xmpp/xmpp.igniterealtime.org@DOMAIN.LOCAL  

xmpp/igniterealtime.org@DOMAIN.LOCAL


Review your gss.conf file within your ..\openfire\conf folder:

Locate the principal and keytab filenames, e.g. principal="xmpp/igniterealtime.org", keytab="C:/openfire/resources/xmpp.keytab"


Recreate your keytab using the principal and keytab filenames from above:

ktpass -princ xmpp/igniterealtime.org@DOMAIN.LOCAL -mapuser keytab@domain.local -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


Replace keytab in ..\openfire\resources\ with the new keytab file.


Restart Openfire.


Note: the new SPNs and keytab should remain compatible with 2.7.x Spark versions.
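The whole procedure above, scripted in PowerShell as an added example (this is not code from the original document or from the Openfire/Spark projects). It reads the principal and keytab path out of gss.conf, resolves the SRV target, registers only the SPNs that are still missing, regenerates the keytab with the same ktpass options the document uses, keeps a timestamped backup of the old keytab and restarts Openfire. Assumptions, all adjustable: the default parameter values mirror the document's igniterealtime.org / DOMAIN.LOCAL / keytab example; gss.conf uses the principal="..." and keytab="..." form shown above; the SRV record consulted is _xmpp-client._tcp.<xmpp domain> (the standard XMPP client record), since the document only says "your SRV record"; and the Openfire Windows service is named Openfire. One caveat worth knowing before running it: ktpass with -pass sets the password of the mapped account, so the keytab currently in use stops working as soon as the new one is generated, which is why the script backs up and swaps the file in one go.

```powershell
<#
Added example, not part of the original Ignite Realtime document.
Assumptions (placeholders, adjust to your environment):
  - Defaults mirror the doc's igniterealtime.org / DOMAIN.LOCAL / keytab example.
  - gss.conf contains principal="..." and keytab="..." as shown in the doc.
  - SRV record consulted: _xmpp-client._tcp.<xmpp domain> (doc only says "your SRV record").
  - Openfire Windows service name: 'Openfire'.
Run from an elevated PowerShell session with rights to modify the keytab account.
#>
param(
    [string]$XmppDomain   = 'igniterealtime.org',
    [string]$Realm        = 'DOMAIN.LOCAL',
    [string]$KeytabUser   = 'keytab',
    [string]$OpenfireHome = 'C:\openfire'
)
$ErrorActionPreference = 'Stop'

# 1. Principal and keytab path from gss.conf (the same fields the doc tells you to locate).
$gssConf    = Get-Content (Join-Path $OpenfireHome 'conf\gss.conf') -Raw
$principal  = [regex]::Match($gssConf, 'principal\s*=\s*"([^"]+)"').Groups[1].Value
$keytabPath = [regex]::Match($gssConf, 'keytab\s*=\s*"([^"]+)"').Groups[1].Value
if (-not $principal -or -not $keytabPath) { throw 'principal= or keytab= not found in gss.conf' }
Write-Host "gss.conf: principal=$principal keytab=$keytabPath"

# 2. Host name clients reach through the SRV record; lowest priority, then highest weight, wins.
$srv = @(Resolve-DnsName -Name "_xmpp-client._tcp.$XmppDomain" -Type SRV |
         Where-Object { $_.Type -eq 'SRV' } |
         Sort-Object Priority, @{Expression = 'Weight'; Descending = $true})
if ($srv.Count -eq 0) { throw "no SRV record found for _xmpp-client._tcp.$XmppDomain" }
$srvHost = $srv[0].NameTarget.TrimEnd('.')
Write-Host "SRV target: $srvHost"

# 3. Compare the SPNs the doc requires with those already on the account.
#    setspn -L prints one SPN per line, indented, after a header line.
$required   = @("xmpp/$XmppDomain", "xmpp/$srvHost", "xmpp/$srvHost@$Realm")
$registered = @(setspn -L $KeytabUser | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'xmpp/*' })
$missing    = @($required | Where-Object { $registered -notcontains $_ })
if ($missing.Count -eq 0) { Write-Host 'All required SPNs are already registered.' }
foreach ($spn in $missing) {
    # -S checks the forest for a duplicate before adding; a duplicate SPN breaks Kerberos for both accounts.
    setspn -S $spn $KeytabUser
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn failed (duplicate SPN on another account?)" }
}
Write-Host 'SPNs now registered on the account:'
setspn -L $KeytabUser

# 4. Regenerate the keytab with the doc's ktpass options. -pass * prompts for the password and
#    sets it on the mapped account, so the keytab currently in use stops working from this point.
$newKeytab = Join-Path $env:TEMP 'xmpp.keytab'
ktpass -princ "$principal@$Realm" -mapuser "$KeytabUser@$($Realm.ToLower())" `
       -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out $newKeytab
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $newKeytab)) { throw 'ktpass did not produce a keytab' }

# 5. Keep the old keytab, install the new one into the path gss.conf points at, restart Openfire.
$backup = "$keytabPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $keytabPath -Destination $backup
Copy-Item -Path $newKeytab  -Destination $keytabPath -Force
Remove-Item -Path $newKeytab
Write-Host "Old keytab saved as $backup; new keytab installed at $keytabPath"
Restart-Service -Name 'Openfire'
```

If the SPN diff in step 3 reports nothing missing and SSO still fails for 2.8.0 clients, compare the host the client actually resolves (step 2) against the SPNs listed by setspn -L; a mismatch there is the usual cause. The backup file from step 5 lets you roll back the keytab, but note that rolling back the file alone is not enough once ktpass has changed the account password.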
