
Revisiting SSO on Windows

First of all, let me say how wonderful it is to see active development on Spark again. It’s a wonderful thing.

Before I go further, let me put on my flame proof suit…

Now that there seems to be some active development happening on Spark, I wanted to ask if it’s possible to look into the situation with SSO on Windows. As we all know, it works as long as you run it as an administrator. However, in my organization (and I would hope in all others), everyone runs as standard users and we don’t allow them to elevate. In the past I used an ugly hack workaround of creating a scheduled task to run Spark with the “run with highest privileges” option enabled, which worked most of the time (sometimes Spark would not launch for reasons unknown).

I notice in JDK-6722928 (https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-6722928) that Java now includes a native GSS-API library on Windows. That being the case, shouldn’t all the workarounds and hacks to get this to work on Windows now be unnecessary? I did install the latest Java 14, which should have the native GSS-API library but I still have the same SSO problems. Unfortunately I am not a Java programmer so I have no idea how SSO is currently implemented within Spark, where to look, or what to do if I did, but perhaps somebody else can speak to this?

Thanks for reading.

To be fair, it is still not in very active development. One of the Openfire devs spent some of his weekends and work time on Spark to iron out a few blocking bugs that prevented a new release. But we probably won’t get too much involvement, especially for complex issues.

Personally I haven’t used SSO, but I know that @speedy did, so maybe he can comment on the Run as admin part. I think I heard that this is required, but I’m not sure if it is and why. Spark currently supports Java 8 and there are some issues when running it with newer Java. At some point we would want to move on to a new Java, get rid of Java 8 and even stop bundling Java in the installer. But this probably requires some expertise again.

Btw, you said you ran it with Java 14, but if you installed the version with the JRE included, then Spark will still use its internal Java 8 instead of the system one. You can try renaming the C:\Program files (x86)\Spark\jre folder to, say, _jre and run Spark. With Java 11 it shows an error to me on Windows, although it runs with OpenJDK 11 on Linux.

I have checked that bug ticket and it says that it is not resolved in Java 11, which is problematic. Java 14 is not a Long Term Support version (11 is). And I think we should support only LTS versions, as they will get updates longer and there will be fewer API changes.

My understanding of the issue is that Java did not have a native GSSAPI library on Windows, and the hack was a registry entry that allowed it to get a Kerberos ticket from LSA. Starting with Vista I believe Microsoft put the can on that so that only a privileged process could do it, hence why it works when you “run as admin” but not anyone else.

I installed the version without the JRE included and I downloaded OpenJDK 14 JRE 32bit and installed it. Spark seems to work perfectly fine for me, except for the SSO problem.

I don’t disagree that Spark should officially support LTS versions only. I guess my point is that since there is some movement on this project for the first time in years, maybe somebody feeling up to a challenge could look at the SSO portion now that there is officially a GSS-API native Windows library (which is a recent development) that will presumably still be there in the next LTS release, which would hopefully enable Spark to be more enterprise-friendly and thus reach wider use.

I thought that 14 might be LTS, but on Wikipedia it says that only 17 will be. Oracle is crazy… https://en.wikipedia.org/wiki/Java_version_history
I have tried AdoptOpenJDK 14 and it runs on Windows 10, but I can see some plugins missing, so there must be some adjustment of code.

I don’t know if anyone will take on such a task. Guus, who did the last patches, is a Linux guy and is not that familiar with the Windows side.

Btw, I found this ticket where Speedy suggests using SSPI instead. https://issues.igniterealtime.org/browse/SPARK-2042