Openfire Spark in Win 7 SSO works only when run as administrator

Hi there! I'm new to XMPP, but thanks to your brilliant forum and finest advice I have already rolled out in production a couple of Openfire servers (Linux VMs) in different domains with 300+ Spark clients (Windows and Linux, VMs and bare metal).
S2S connection works fine, as does SSO authorization on all Linux hosts. But alas, I can't manage to run Spark with SSO either on Win7 hosts or on Win2012R2 terminal servers. Unfortunately I may not run Spark with administrator privileges due to IT security policies, thus Windows users have to authorize themselves with username and password :frowning:
I’ve read a lot of articles about the matter, for example:

And a lot more, from this forum. I’m a new user here so I can’t add a lot of links :blush:

I've created the AllowTGTSessionKey registry key - without it Spark had refused to start using SSO even as administrator.
I've tried to put krb5.ini in C:\Windows\ - but I believe there is no use in it, because the host is in the domain and Spark starts using SSO as administrator well enough.
I've made some changes in Group Policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: Configure encryption types allowed for Kerberos - I've set different sane combinations of check-boxes :slight_smile:
I've tried to replace Spark's native JCE files with downloaded JCE.

The only thing I haven't tried yet is to set a CNAME for my Openfire servers - is there any real practical use in an alias apart from usability?

I've already run out of ideas. Any help will be highly appreciated!!
Spark version is 2.8.3

Openfire version is 4.2.3

Hi!

I built this tutorial:

But it's for FreeBSD. However, I'm building one for Windows Server (I already built an environment; it's working perfectly).

Any questions, contact me. Ricardo Xerfan.


Thank you, Ricardo!! The mention in your article about user membership in certain groups turned out to be crucial for me! :rofl:

	DO NOT ADD THE FOLLOWING GROUPS TO YOUR USERS:

			Domain Admins
			Group Policy Creator Owners
			Schema Admins

	*** IF YOU ADD ANY OF THESE GROUPS (ANY ONE OF THEM, REGARDLESS OF WHETHER IT IS ONLY ONE, TWO OR ALL OF THEM) TO THE USER OR TO A GROUP THE USER BELONGS TO, AN ERROR WILL OCCUR WHEN PERFORMING SSO IN THE SPARK CLIENT ON WINDOWS, BECAUSE IT WILL NOT BE ABLE TO DETERMINE THE USER NAME AND THE USER'S FQDN, CONSEQUENTLY SHOWING THE MESSAGE (UNABLE TO DETERMINE).

That is really not so obvious. And I've realized that I was running my tests on Windows terminal servers under my domain admin account. Though I hadn't returned to the issue for over a month or so, and the servers had been rebooted in that time. Now, thanks to you, everything works fine!! I didn't even have to configure anything - I just logged in with my unprivileged account and SSO worked out!

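As an added diagnostic, not from this thread or from Ricardo's tutorial, the PowerShell script below reports, for the logon session it runs in, the conditions the thread turned on: whether AllowTGTSessionKey is set, whether the token carries any of the three group memberships the tutorial excerpt warns about (including nested membership and the deny-only entries UAC leaves in a non-elevated token), whether the session is elevated, which Kerberos encryption types the Group Policy setting has configured, and whether a TGT is present. The registry path for AllowTGTSessionKey and the policy path for SupportedEncryptionTypes are the standard Windows locations and are assumptions on my part, since the thread names the settings but not their paths. Run it as the ordinary user who will launch Spark, in a non-elevated PowerShell window:

```powershell
# Added diagnostic, not from the thread or the tutorial: report, for the current
# logon session, the conditions this thread identifies as breaking Spark SSO.

# 1. AllowTGTSessionKey lets a user process (Spark's JVM) read the TGT session key.
#    Assumed path: the standard LSA Kerberos parameters key.
$lsaParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$allowKey = (Get-ItemProperty -Path $lsaParams -Name AllowTGTSessionKey -ErrorAction SilentlyContinue).AllowTGTSessionKey
if ($allowKey -eq 1) { Write-Host 'OK   AllowTGTSessionKey = 1' }
else { Write-Host "FAIL AllowTGTSessionKey is '$allowKey' (expected DWORD 1)" }

# 2. The tutorial excerpt says the user must not be in these groups, directly or via nesting.
#    whoami /groups lists the logon token's groups, nested ones included, and in a
#    non-elevated session still shows privileged groups UAC marked "used for deny only",
#    which [WindowsIdentity]::GetCurrent().Groups would hide.
$badGroups = 'Domain Admins', 'Group Policy Creator Owners', 'Schema Admins'
$tokenGroups = whoami /groups /fo csv | Where-Object { $_ -match '^"' } | ConvertFrom-Csv
$hits = $tokenGroups | Where-Object { $badGroups -contains (($_.'Group Name') -split '\\')[-1] }
if ($hits) {
    foreach ($h in $hits) { Write-Host ("FAIL token contains {0} [{1}]" -f $h.'Group Name', $h.Attributes) }
} else {
    Write-Host 'OK   not a member of Domain Admins / Group Policy Creator Owners / Schema Admins'
}

# 3. Elevation: the original poster saw SSO succeed only when Spark ran as administrator.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("INFO running elevated: {0} (SSO should work without this)" -f $elevated)

# 4. Encryption types allowed for Kerberos, as written by the GPO the poster changed.
#    Assumed path: the policy key that setting writes; absent means "not configured".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$encTypes = (Get-ItemProperty -Path $policyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $encTypes) { Write-Host 'INFO SupportedEncryptionTypes not configured by policy' }
else { Write-Host ('INFO SupportedEncryptionTypes = 0x{0:X} (0x4 = RC4, 0x8 = AES128, 0x10 = AES256)' -f $encTypes) }

# 5. A TGT must exist in this logon session; klist shows it as Server: krbtgt/REALM.
Write-Host 'INFO TGT lines from klist:'
klist | Select-String -Pattern 'krbtgt'
```

The group check deliberately reads the token with whoami rather than through .NET: in the non-elevated session this thread is about, UAC keeps a domain admin's privileged groups in the token but flags them deny-only, and the .NET Groups collection omits deny-only entries, so it would report a clean result for exactly the account that fails. The "Attributes" column printed for each hit shows whether the membership is active or deny-only, which tells you whether you are looking at an elevated or a filtered token.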

Happy to be able to help!!! :smiley::+1: