Krerberos SSO broken in Spark 2.7.x

Hello, I have a problem with SSO since Spark 2.7.x prerelease (build 66x). Openfire server 3.9.1 3.9.2 works fine with Spark 2.6.3 and worked with 2.6.2 and 2.6.1.

But when I change client to Spark 2.7.0 or 2.7.1 on the same machine - couldn’t connect to Openfire server via SSO. Plain password login has no issues, only SSO. Account (kerberos realm) detection seems correct. I’ve tried cleaning settings (removing %APPDATA%\Spark), various SSO modes - krb5.ini, DNS and Manual specification, but no luck.

Because of that I’m delaying upgrade from Spark 2.6.x and Openfire 3.9.x to 2.7.x and 3.10.x respectively. Any suggestions?

sso is working fine for me with 2.7.1

What version of java are you using with Spark?

What spark error logs show?

Bundled java 1.7.0_80 with Spark 2.7.1

Client OS - Windows Server 2008 R2 with UAC turned off and allowtgtsessionkey turned on. Other SSO apps (Firefox, Spark 2.6.3) works fine.

Server OS - CentOS 5.11, Openfire 3.9.3 with Oracle Jre 1.7.0_55

Spark log seems to be empty. When I turn on debugger on start, debugger doesn’t show anything interesting besides feature negotiation.

try adding

allow_weak_crypto = true

to your workstation krb5.ini


Maybe it is some Java mismatch. I think 2.6.3 used 1.7.0_5x also.

Btw, Spark login with SSL was fixed in Openfire 3.10.2. So 2.6.3 should be able to login. Not sure about the SSO though. Also, there is an issue if you are using LDAPS. 3.10.2 with LDAPS (LDAP over SSL)