Speaking of, when I was troubleshooting my problem with one client the other day, I was messing around with DES again.
For my xmpp-openfire user, under the Account tab > Account options: if I check "Use Kerberos DES encryption for this account", SSO will NOT work. It killed SSO for everybody. The settings that work for me are:
Use Kerberos DES encryption types for this account: UNchecked
This account supports Kerberos AES 128bit encryption: UNchecked
This account supports Kerberos AES 256bit encryption: UNchecked
Do not require Kerberos preauthentication: checked
And it is only a member of the Domain Users group, nothing else.
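An added example, not part of the post above: the four checkboxes listed in the post are stored in two directory attributes, `userAccountControl` and `msDS-SupportedEncryptionTypes`, so an exported account record can be compared against the posted settings without opening the GUI. The bit values are the documented Microsoft constants; the function names and the sample attribute values are constructed for illustration.

```python
# userAccountControl bits behind the DES and preauthentication checkboxes
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits behind the two AES checkboxes
ENC_AES128 = 0x08
ENC_AES256 = 0x10

DES_BOX = "Use Kerberos DES encryption types for this account"
AES128_BOX = "This account supports Kerberos AES 128bit encryption"
AES256_BOX = "This account supports Kerberos AES 256bit encryption"
PREAUTH_BOX = "Do not require Kerberos preauthentication"

# Checkbox states the post reports as working for the xmpp-openfire account
POSTED = {DES_BOX: False, AES128_BOX: False, AES256_BOX: False, PREAUTH_BOX: True}


def decode_account_options(uac, enc_types):
    """Map the two raw attribute values to the four checkbox states."""
    enc = enc_types or 0  # msDS-SupportedEncryptionTypes is often unset
    return {
        DES_BOX: bool(uac & UF_USE_DES_KEY_ONLY),
        AES128_BOX: bool(enc & ENC_AES128),
        AES256_BOX: bool(enc & ENC_AES256),
        PREAUTH_BOX: bool(uac & UF_DONT_REQUIRE_PREAUTH),
    }


def diff_from_post(uac, enc_types):
    """Return {checkbox: (posted_state, actual_state)} for each mismatch."""
    actual = decode_account_options(uac, enc_types)
    return {box: (POSTED[box], state)
            for box, state in actual.items() if state != POSTED[box]}


if __name__ == "__main__":
    # Constructed samples: (userAccountControl, msDS-SupportedEncryptionTypes)
    samples = {
        "matches the post": (0x410200, None),
        "DES and AES boxes checked": (0x610200, 0x18),
    }
    for label, (uac, enc) in samples.items():
        print(label, diff_from_post(uac, enc) or "no differences")
```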