Krerberos SSO broken in Spark 2.7.x

Vytas_K · June 29, 2015, 11:12am

Hello, I have a problem with SSO since Spark 2.7.x prerelease (build 66x). Openfire server 3.9.1 3.9.2 works fine with Spark 2.6.3 and worked with 2.6.2 and 2.6.1.

But when I change client to Spark 2.7.0 or 2.7.1 on the same machine - couldn’t connect to Openfire server via SSO. Plain password login has no issues, only SSO. Account (kerberos realm) detection seems correct. I’ve tried cleaning settings (removing %APPDATA%\Spark), various SSO modes - krb5.ini, DNS and Manual specification, but no luck.

Because of that I’m delaying upgrade from Spark 2.6.x and Openfire 3.9.x to 2.7.x and 3.10.x respectively. Any suggestions?

speedy · June 29, 2015, 12:53pm

sso is working fine for me with 2.7.1

What version of java are you using with Spark?

What spark error logs show?

Vytas_K · June 29, 2015, 2:00pm

Bundled java 1.7.0_80 with Spark 2.7.1

Client OS - Windows Server 2008 R2 with UAC turned off and allowtgtsessionkey turned on. Other SSO apps (Firefox, Spark 2.6.3) works fine.

Server OS - CentOS 5.11, Openfire 3.9.3 with Oracle Jre 1.7.0_55

Spark log seems to be empty. When I turn on debugger on start, debugger doesn’t show anything interesting besides feature negotiation.

speedy · June 29, 2015, 2:35pm

try adding

allow_weak_crypto = true

to your workstation krb5.ini

l

wroot · June 29, 2015, 3:38pm

Maybe it is some Java mismatch. I think 2.6.3 used 1.7.0_5x also.

Btw, Spark login with SSL was fixed in Openfire 3.10.2. So 2.6.3 should be able to login. Not sure about the SSO though. Also, there is an issue if you are using LDAPS. 3.10.2 with LDAPS (LDAP over SSL)