I’ve spent months trying to get SSO to work in my environment. I have read every article from this website (and others) on how to accomplish this nearly impossible task and have never had any luck. We have a Windows 2008 R2 Active Directory network, Windows 8.1 clients running Spark 2.6.3, and Openfire 3.9.3 running on a Windows 2008 R2 server. Before typing this message, I started from scratch one more time following this guide: http://community.spiceworks.com/attachments/post/0016/2038/Openfire-Spark_on_Windows_Server_2008_R2_with_SSO.pdf Once I select the SSO option in my Spark client prior to logging in, it sees my account…
When I hit the ‘Login’ button, it says, ‘Unable to connect using Single Sign-On. Please check your principal and server settings.’ The warn.log file located in C:\Users\userprofile\AppData\Roaming\Spark\logs gives me the following error:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
The Openfire server is running Java 8 update 40. The Windows 8.1 client running Spark is also running Java 8 update 40.
Any feedback or suggestions would be greatly appreciated.
I thought I’d give an update here. People who have had this problem in the past resolved it by disabling UAC. I want to add that disabling UAC did not help me. I also tried this on a Windows XP machine. I’m getting the following error on that PC:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
Anything after Java 1.7_80 and above breaks SSO. It seems the last version that will work with Openfire and SSO is 1.7_79.
Java 8 works fine with Spark and clients; however, if you are using DES encryption, then you’ll need to add “allow_weak_crypto=true” to your krb5.ini file on your client machines.
Thank you for the reply. I downgraded Java to jre-7u76 on both the Openfire server and the domain controller. I couldn’t find 77, 78, or 79 in Oracle’s archives. I also added the line ‘allow_weak_crypto=true’ to the [libdefaults] section of the krb5.ini file. I’m no longer getting the message stated in my original post. I’m now getting the following message:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
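An added example, not part of the thread and not Openfire or Spark code: a small Python check that reads a krb5.ini body and reports whether the allow_weak_crypto setting discussed in the replies above, or single-DES enctypes, are enabled in [libdefaults]. The sample file, its realm name and its enctype list are constructed for illustration.

```python
import re

# Single-DES enctype names as written in krb5.conf/krb5.ini enctype lists.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_krb5(text):
    """List findings about weak-crypto settings in a krb5.ini body."""
    cfg, findings = parse_libdefaults(text), []
    if cfg.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled: single-DES keys will be accepted")
    for key in ENCTYPE_KEYS:
        listed = re.split(r"[\s,]+", cfg.get(key, "").lower())
        weak = sorted(SINGLE_DES.intersection(listed))
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {', '.join(weak)}")
    return findings

# Constructed sample, not taken from the thread: realm and enctype list are made up.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    allow_weak_crypto=true
    default_tkt_enctypes = des-cbc-md5 aes128-cts-hmac-sha1-96
; comment line
[realms]
    EXAMPLE.LOCAL = { kdc = dc1.example.local }
"""

if __name__ == "__main__":
    for finding in audit_krb5(SAMPLE):
        print(finding)
```

Running it over each client's krb5.ini gives an inventory of machines that still accept DES, which is useful when planning a move of the service account to AES keys.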