I haven't tested SSO with clustering. I'll try to set up a cluster after Christmas to test things out. In the meantime, I'd probably start by trying something like this.
Use the XMPP domain as the service principal and a single keytab, and then just add the SPN for each node to that single keytab.
So, for example, if your XMPP domain is EXAMPLE.COM and your SRV records resolve to each node (node1.example.com, node2.example.com), then I'd do the following:
setspn -S xmpp/example.com@DOMAIN.LOCAL keytab_user
setspn -S xmpp/example.com keytab_user
setspn -S xmpp/node1.example.com@DOMAIN.LOCAL keytab_user
setspn -S xmpp/node1.example.com keytab_user
setspn -S xmpp/node2.example.com@DOMAIN.LOCAL keytab_user
setspn -S xmpp/node2.example.com keytab_user
Then recreate the keytab file with all the SPNs:
ktpass -princ xmpp/example.com@DOMAIN.LOCAL -mapuser keytab_user@DOMAIN.LOCAL -crypto all -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
Then in the gss.conf file, I'd use the setting principal="xmpp/example.com".
After thinking about this... this might not work. I don't know when I'll be able to set up a cluster. I was hoping to this week, but it probably won't be for another 2.
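One thing worth doing before copying a keytab to the nodes is to confirm which SPNs it actually contains, since ktpass only writes the principal named in -princ. The following is an added example, not code from this thread or from Openfire: it reads the principal list out of a keytab (assumed to be the MIT 0x0502 format that ktpass writes) and reports which of the planned node SPNs are missing. The realm, hostnames and the sample keytab are constructed for illustration.

```python
import struct

def build_keytab(principals, key=b"\x00" * 16, enctype=17, kvno=2):
    """Construct a sample 0x0502 keytab (test fixture only; key bytes are dummies)."""
    out = bytearray(b"\x05\x02")
    for princ in principals:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                 # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def keytab_principals(data):
    """Return the principals stored in a 0x0502 keytab, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                              # negative size = deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        off, strings = 2, []
        for _ in range(ncomp + 1):                # realm, then each component
            (length,) = struct.unpack(">H", entry[off:off + 2])
            strings.append(entry[off + 2:off + 2 + length].decode())
            off += 2 + length
        principals.append("/".join(strings[1:]) + "@" + strings[0])
    return principals

def missing_spns(keytab, realm, xmpp_domain, nodes):
    """SPNs for the XMPP domain and each cluster node that the keytab lacks."""
    have = set(keytab_principals(keytab))
    wanted = [f"xmpp/{host}@{realm}" for host in [xmpp_domain] + nodes]
    return [spn for spn in wanted if spn not in have]

# Constructed sample: the keytab got the domain SPN and node1, but node2 was
# left out, which is exactly the gap this check is meant to surface.
SAMPLE = build_keytab(["xmpp/example.com@DOMAIN.LOCAL",
                       "xmpp/node1.example.com@DOMAIN.LOCAL"])
```

Run `missing_spns(open("xmpp.keytab", "rb").read(), "DOMAIN.LOCAL", "example.com", ["node1.example.com", "node2.example.com"])` against a real keytab; an empty list means every planned SPN is present.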
Hi Speedy, I didn't reply to this thread after testing this setup, but I managed to get it working. The caveat is that there has not been enough testing done, and I am not sure about the "proper" way to set it up either.
I am sharing my configuration, and please correct me if there are supposed to be improvements made.
I created two SRV records for _xmpp-client that point to app1.test.com and app2.test.com. I followed the guide 28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark with some minor alterations.
- Firstly, the SPN setup at ad.test.com was done using your recommendations. The generated keytab was copied to the Openfire resource folder on app1.test.com and app2.test.com, and the gss.conf file was also updated using your recommendations.
- I configured the Openfire servers using the Hazelcast plugin installation guide at Hazelcast Clustering Plugin Readme. The Hazelcast config file looked like this: [ <join>
Also enabled clustering on both servers.
- Started the Openfire setup using the chat server at app1.test.com. The XMPP domain and FQDN were set using test.com instead of app1.test.com.
- Restarted both chat servers at app1.test.com and app2.test.com and waited for a while before logging in. Apparently the Hazelcast plugin takes a long time to load, and premature logins cause errors at the user group screen. After the chat servers start, they pull the settings from the database at db.test.com.
- I set up the registry settings and copied the krb5.ini to the chat client as usual, then restarted as the AD user. SSO login was to test.com instead of app1.test.com.
These settings work, but be aware of the caveats.
Again, feel free to improve on it or use this as a future guide. I hope this facilitates your testing as well.