Spark 2.6.3 SSO Openfire 3.9.3 Windows 8.1

I’ve spent months trying to get SSO to work in my environment. I have read every article from this website (and others) on how to accomplish this nearly impossible task and have never had any luck. We have a Windows 2008 r2 Active Directory network, Windows 8.1 clients running Spark 2.6.3, and Openfire 3.9.3 running on a Windows 2008 r2 server. Before typing this message, I started from scratch one more time following this guide… http://community.spiceworks.com/attachments/post/0016/2038/Openfire-Spark_on_Windows_Server_2008_R2_with_SSO.pdf Once I select the SSO option to my Spark client prior to logging in, it sees my account…

When I hit the ‘Login’ button, it says, ‘Unable to connect using Single Sign-On. Please check your principal and server settings.’ The warn.log file located in C:\Users\userprofile\AppData\Roaming\Spark\logs gives me the following error:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

The Openfire server is running Java 8 update 40. The Windows 8.1 client running Spark is running Java 8 update 40.

Any feedback or suggestions would be greatly appreciated.

Thanks,

Travis

I thought I’d give an update here. People who have had this problem in the past resolved it by disabling UAC. I want to add that disabling UAC did not help me. I also tried this on a Windows XP machine. I’m getting the following error on that PC:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]

Anything after Java 1.7_80 and above breaks SSO. It seems the last version that will work with Openfire and SSO is 1.7_79.

Java 8 works fine with Spark and clients; however, if you are using DES encryption, then you’ll need to add “allow_weak_crypto=true” to your krb5.ini file on your client machines.

Thank you for the reply. I downgraded Java to jre-7u76 on both the Openfire server and the domain controller. I couldn’t find 77, 78, or 79 in Oracle’s archives. I also added the line ‘allow_weak_crypto=true’ to the [libdefaults] section of the krb5.ini file. I’m no longer getting the message stated in my original post. I’m now getting the following message:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]

Sorry, I wasn’t clear… the “allow_weak_crypto=true” is only needed for Java 8 clients and when using DES.

It looks like you might have an issue with your keytab file, or with your SPN account.

You can also try updating to Spark 2.7.0.

Also, you may want to take a look at this if your domain level is 2008r2 and you don’t want to use DES (which I recommend not using):

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2
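
For admins who added the `allow_weak_crypto=true` workaround discussed in this thread and later want to move off DES, here is an added example (not posted by anyone in the thread and not part of Openfire or Spark) that audits a client's krb5.ini for DES-related settings in `[libdefaults]`. The function names, the `EXAMPLE.COM` realm and both sample files are constructed for illustration.

```python
import re

# DES-family enctype names that can appear in krb5.ini enctype lists.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUTHY = {"true", "yes", "y", "t", "1", "on"}  # boolean spellings treated as enabled

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def audit(text):
    """List weak-crypto findings for the contents of one krb5.ini file."""
    conf, findings = libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in TRUTHY:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        listed = re.split(r"[,\s]+", conf.get(key, "").lower())
        weak = sorted(WEAK_ENCTYPES.intersection(listed))
        if weak:
            findings.append(f"{key} lists {', '.join(weak)}")
    return findings

# Constructed sample: a client carrying the DES workaround from the thread.
DES_CLIENT = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto=true
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
# Constructed sample: a client restricted to AES enctypes.
AES_CLIENT = "[libdefaults]\ndefault_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n"

if __name__ == "__main__":
    print(audit(DES_CLIENT), audit(AES_CLIENT))
```

An empty result only means the client file no longer asks for DES; the SPN account and keytab on the server side still have to be issued with matching non-DES encryption types.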