Hi to all.
I followed some guides on this forum, but I can't get SSO working with the following configuration:
* Openfire 4.0.2 on ubuntu 14.04 with JDK 1.8.0_77
* Active Directory on a Win2008R2 server with 2008 compatibility
* Miranda Client on a Win10 64bit
I started with this
Openfire: Enable Single Sign On (SSO) on Linux - Spiceworks
and read on and on throughout this forum.
These are my configuration files:
# cat /etc/krb5.conf

```
[libdefaults]
    default_realm = TSDN.AD
    # the posted file had "dsn_lookup_realm"; krb5 silently ignores unknown keys
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        validate = true
    }
```

# cat /etc/samba/smb.conf

```
[global]
    workgroup = TSDN
    security = ads
    realm = TSDN.AD
    kerberos method = secrets and keytab
    password server = win2k8.tsdn.ad
```

# cat /etc/openfire/gss.conf

```
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/etc/openfire/krb5.xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="TSDN.AD"
        principal="xmpp/vm-gestsdn.tsdn.ad@TSDN.AD"
        debug=true
        isInitiator=false;
};
```

Content of /etc/openfire/krb5.xmpp.keytab:

```
ktutil:  rkt /etc/openfire/krb5.xmpp.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   2    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   3    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   4    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   5    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
```

On the Active Directory server:

```
C:\>setspn -l tsdnservices
Registered ServicePrincipalNames for CN=TSDN Services,CN=Users,DC=tsdn,DC=ad:
        xmpp/vm-gestsdn.tsdn.ad
```
If I try to log in with username and password from a Linux desktop (using Pidgin), there's no problem.
Then i try with Miranda, the client I use in my office, on a Win10 machine.
If I try to connect with username and password, no problem.
Then I configured it with:

```
Use Domain Login: checked
Domain / Server:  vm-gestsdn.tsdn.ad
```
And it doesn't work.
I can see in the XML Console that Miranda tries GSSAPI auth:

```
<auth mechanism="GSSAPI">SOME VERY LONG STRING</auth>
```

but the server responds with a `<not-authorized />`.
This is the log on the server:
```
2016.04.14 17:15:46 INFO [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
```
Where do I have to break my head to try to solve this problem?
I think it's Kerberos that doesn't work, but how can I proceed?
Thanks a lot to everyone!
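As an added example (not from the original post or from Openfire), a small Python consistency check over the four artifacts the post shows: it takes constructed samples that mirror them and flags a gss.conf principal missing from the keytab, mixed KVNOs, an SPN not registered on the AD account, and misspelled krb5.conf keys such as the `dsn_lookup_realm` in the posted file. The sample contents and the `KNOWN_LIBDEFAULTS` set are assumptions (the set is not a complete list of valid keys).

```python
import re

# Constructed samples mirroring the files in the post (not the real files).
GSS_CONF = '''com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true keyTab="/etc/openfire/krb5.xmpp.keytab"
  principal="xmpp/vm-gestsdn.tsdn.ad@TSDN.AD" isInitiator=false;
};'''
KTUTIL_LIST = '''slot KVNO Principal
---- ---- ----------------------------------
   1    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   2    3 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD'''
SETSPN = '''Registered ServicePrincipalNames for CN=TSDN Services,CN=Users,DC=tsdn,DC=ad:
    xmpp/vm-gestsdn.tsdn.ad'''
KRB5_CONF = '''[libdefaults]
default_realm = TSDN.AD
dsn_lookup_realm = true
dns_lookup_kdc = true'''

# Assumed subset of valid [libdefaults] relations; extend for your own file.
KNOWN_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc", "rdns"}

def jaas_principal(text):
    """Principal named in the Krb5LoginModule entry of gss.conf."""
    m = re.search(r'principal="([^"]+)"', text)
    return m.group(1) if m else None

def keytab_entries(text):
    """(KVNO, principal) pairs from 'ktutil: l' output."""
    return [(int(k), p) for k, p in re.findall(r"^\s*\d+\s+(\d+)\s+(\S+)\s*$", text, re.M)]

def spns(text):
    """SPNs listed by 'setspn -l' (everything after the header line)."""
    return [line.strip() for line in text.splitlines()[1:] if line.strip()]

def check(gss, ktutil, setspn, krb5):
    """Return a list of findings; an empty list means the four artifacts agree."""
    findings = []
    principal = jaas_principal(gss)
    entries = keytab_entries(ktutil)
    if principal is None or principal not in {p for _, p in entries}:
        findings.append("gss.conf principal is not present in keytab")
    kvnos = {k for k, _ in entries}
    if len(kvnos) > 1:
        findings.append(f"keytab has mixed KVNOs {sorted(kvnos)}; regenerate it")
    service = principal.split("@")[0] if principal else ""
    if service not in spns(setspn):
        findings.append(f"SPN {service} not registered on the AD account")
    for key in re.findall(r"^\s*(\w+)\s*=", krb5, re.M):
        if key not in KNOWN_LIBDEFAULTS:
            findings.append(f"unrecognised krb5.conf key '{key}' (typo?)")
    return findings

if __name__ == "__main__":
    print(check(GSS_CONF, KTUTIL_LIST, SETSPN, KRB5_CONF))
```

On the Openfire host itself, `kinit -k -t /etc/openfire/krb5.xmpp.keytab xmpp/vm-gestsdn.tsdn.ad@TSDN.AD` confirms the keytab secret still matches AD (a password reset or a re-run of ktpass bumps the KVNO in AD and invalidates the old keytab).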