Spark SSO "Not Authorized" Error

I have scoured the internet and have read almost every post about getting Spark's SSO feature to work, and I must be close, but I am not quite there. I am at the point where LDAP on the Openfire server is working 100%; I can log in with my Windows user account credentials without SSO just fine. When I run Spark as administrator, and only when I run it as administrator, Spark actually says it will attempt to connect using my Windows credentials with SSO rather than “Spark is unable to find the principal to use for Single Sign-On. This will prevent SSO from working.” It seems that Openfire is configured to use GSSAPI just fine, as when I run Spark as admin and try to connect I get an error after my client tries to send some sort of long key for GSSAPI. Here is what is in my Smack debug window for Raw Sent Packets:

<stream:stream to="myOpenfireServer" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">


However I get this back after a failed connection attempt:

<?xml version='1.0' encoding='UTF-8'?>

<stream:features>GSSAPI</mechanisms>zlib</stream:features>

So apparently I am “not authorized”; not sure why this would be. It may also be worth pointing out that I am trying to log on with an account that is an admin on the server. In the Openfire logs I get this error in Info: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

I’m not sure if anything else in the logs is relevant as nothing mentions anything of any errors or login failures. For reference I have provided the layout of what my krb5 file looks like:

[libdefaults]
    default_realm = REALM.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    DOMAIN = {
        kdc = "fqdn of machine that openfire is being run on"
        default_domain = domain.com
    }

[domian_realm]
    .domain = REALM.COM

Obviously, this is located in C:\Windows and I have made the changes to the registry on both the client machine and server. Please let me know if I was unclear about anything above, I will do my best to get you the information you require to help me in debugging this. Thanks in advance.

This is prob an issue with your keytab file. A few quick questions: what version of Java are you using on both the client and Openfire, and what is your domain level?

You may also find this helpful.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

I am running Version 8 update 60 on both client and openfire server machines (both 32-bit). The server is running on windows server 2008 r2 but the domain level is 2003. Also, is there any way to test the keytab file after creation to ensure it worked?

Which guide did you use for creating your keytab? If you are using the DES encryption type, this could be your problem, as Java 8 disables the use of this by default. You can enable it by adding allow_weak_crypto=true to your krb5.ini file to allow DES.
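One way to answer the question raised above about checking a keytab after it has been created: this added example (not from the thread or from any of the linked guides) parses the MIT keytab format (version 0x0502) and reports each entry's principal, kvno and enctype, flagging the single-DES enctypes that Java 8 refuses under its default policy. The SPN, realm and key bytes below are constructed sample data; on a real file you would call parse_keytab(open(path, "rb").read()).

```python
import struct
# RFC 3961/3962/4757 enctype numbers; Java 8 refuses single-DES unless allow_weak_crypto=true.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3}
_counted = lambda b: struct.pack(">H", len(b)) + b     # uint16 big-endian length prefix

def build_keytab(entries):
    """Write a constructed MIT v0x0502 keytab from (principal, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body         # int32 entry length, then entry
    return out

def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype)] for every live entry of a v2 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, out = 2, []
    while pos + 4 <= len(blob):
        size, = struct.unpack_from(">i", blob, pos); pos += 4
        if size <= 0: pos += -size; continue               # negative size marks a deleted slot
        end, cur = pos + size, pos
        def rd_str():
            nonlocal cur
            ln, = struct.unpack_from(">H", blob, cur); cur += 2 + ln
            return blob[cur - ln:cur].decode()
        ncomp, = struct.unpack_from(">H", blob, cur); cur += 2
        realm, comps = rd_str(), [rd_str() for _ in range(ncomp)]
        _ntype, _ts, kvno = struct.unpack_from(">IIB", blob, cur); cur += 9
        enctype, keylen = struct.unpack_from(">HH", blob, cur); cur += 4 + keylen
        if end - cur >= 4:                                 # optional 32-bit kvno overrides vno8
            kvno, = struct.unpack_from(">I", blob, cur)
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return out

def weak_entries(blob: bytes):
    """Entries Java 8 will not use for GSSAPI under its default enctype policy."""
    return [(p, ENCTYPES.get(e, str(e))) for p, _, e in parse_keytab(blob) if e in WEAK_ENCTYPES]

# Constructed sample: one hypothetical XMPP SPN keyed with RC4 and again with DES.
SAMPLE = build_keytab([("xmpp/openfire.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16),
                       ("xmpp/openfire.example.com@EXAMPLE.COM", 3, 3, b"\x22" * 8)])
```

If weak_entries returns anything for your keytab, that key can never satisfy a Java 8 GSSAPI login without allow_weak_crypto=true, so regenerate it with RC4 or AES instead of enabling DES.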

I have read mostly every guide I could find on here, the main one was:

But I also read yours as well as a few others. The current keytab file was created using the methods outlined in that link above, specifically with Java. I am not using DES encryption, but I did try to add allow_weak_crypto=true to both my client and Openfire krb5 files to see if that works, and it, unfortunately, did not.

Try downgrading the Java that Openfire uses to 7u79 or lower. There was another issue with SSO and Java 8, but I'm unsure if the fix made it into the latest version.

SSO Breaks with Java 7u80 and Above

Just replaced Java with version 7 update 79 and restarted the server; is there any other configuration I would have to do to accommodate the different version of Java? If not, I am still not having any luck with SSO, same errors in the Smack debug window.

Verify your krb5.ini file as being correct:

kdc = "fqdn of machine that openfire is being run on"

default_domain = domain.com

Your kdc should be your domain controller.

The kdc is indeed the FQDN of my domain controller; sorry for the poor wording. Also, something I want to point out is that I misspelled domain in my krb file when I posted this topic; that has since been fixed.

The next thing to do is to make sure you have your reverse DNS (PTR) record set up correctly. An easy way to test this is to disable the reverse DNS check by Kerberos by adding

rdns = false

to the krb5.ini file

This should be added to libdefaults on both client and Openfire krb5? Everything is looking the same in the logs after I made this change. There is a chance my PTR record is not set up properly; I am working on this with a team and was not the one to do the PTR record.

yes…under libdefaults

If I remember correctly, it just has to be added on the client, but it shouldn't hurt if you add it to both client and server.

If that doesn't work, then my next step would be to recreate your keytab file. If that fails, then I would delete the SPN account used and start from scratch. Try using the document I referenced. I've been able to get SSO working almost every time I've implemented it. If you're still having problems, send me a private message and I'll see if I can't help you figure it out.

I've been having the same issues you reported in this post. Were you able to get the SSO working, and did you find the solution to your issue?

The update would be much appreciated. I’m having an extremely difficult time setting up the SSO. I have followed the same pdf that you used for a “step by step”.

Thank you

Michael

That PDF is outdated, and DES should not be used, as it's considered a weak cipher. RC4 will prob be deprecated soon, but is required if you still have Windows 2003/XP. If you made the GPO changes referenced in the PDF, you may want to revert that to disable DES.

The author of the PDF you referenced has created another great document. You could give that one a go.

28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark

Here is a document I put together that you might find helpful as well. It's very similar to the above, with a few small differences, mainly keytab creation and cipher support.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Unfortunately, Michael, no, I have not gotten SSO to work under any circumstances. At this point we may just deploy without it because we have spent a bit more time getting SSO to work than we would have liked. I may give this PDF a read and try once more, as I see it was posted just 2 days ago and most other methods I have tried are years old.