Openfire Spark SSO OK - but only Administrator

Hello - I have installed Openfire 4.2.1 on Debian 9. Its connected with my Active Directory on Windows Server 2012. The krb5.ini and the Registry Change AllowTGTSessionKey = 1 will be distributed by GPO.

My Client is Spak 2.8.3.

I can do login by SSO if I´m Administrator
If a normal user starts his Spark, its don´t get´s his user name.
The german error is: Spark kann den Klienten für Single Sign-On nicht finden.
It means “spark can not find the client for sign-on”

Does anybody have an idea what to do ?

Greetings from Berlin
Jens

Is this on Windows 10 (what version exactly?)? I think @speedy had similar problem in the past or it was discussed in the forums. Maybe he will have some ideas when he comes back from vacation.

no idea on this one. usually this is an issue for an elevated account, and not so much for a standard user! Could still be UAC… or a Windows 10 related issue.
If you are running windows 10, than you might be hitting the bug/feature that it fails to renew the ticket after unlocking the workstation

Hello - thanks for your messages…

My windows 10 is the actual 1709. If a normal user starts Spark with “run as Administrator” and I get access to session key. The user is no member of local Administrator (other seems to have this problem)

The UAC itself is disabled… but seems still deny access to session key

Greetings from Berlin
Jens

Windows 10 doesn’t fully disable UAC. You can mark the application always run as administrator…you may also look at using the MS Application Compatibility Toolkit. Another option may be to disable Credential Guard (windows 10 feature), although this might open up some security issues.

we probably need to start looking at moving to sspi for spark/windows for sso instead of the gssapi. looks like waffle https://github.com/Waffle/waffle might be a possible solution. this is also a nice add “Unlike many other implementations Waffle on Windows does not require any server-side Kerberos keytab setup” for a 100% windows environment, this should help make SSO super easy! :slight_smile:

Thanks… to mark the application always run as administrator is a good way… (but some users get a security warning)

To start Spark in Task-Planer should be a second way…

Is there a way to disable UAC for a special file via GPO ?

Greetings from Berlin
Jens

using the ms application compatibility toolkit, I think you can create a file that will tell windows to trust the applicaiton. then you have to install that file to each computer, which you can script and deploy via gpo. not the cleanest solution, but that might work.

also, as an fyi, I went ahead and created the following if your interested in tracking it. no promises it will ever get implemented though. https://issues.igniterealtime.org/browse/SPARK-2042

1 Like