SSO for user's first Spark login is submitting last successful SSO username

What’s happening is I’ll log into my test Windows Server 2008 Terminal Server using my profile, called user1, and SSO works like a champ. I then login to a second session on the same terminal server, with user2. SSO attempts to log user2 in, but fails, advising me to check principal and server settings, blah blah. I click ok, and in the username field, user1 is listed, while the account name is *user2. *If I modify the username and log in once manually, I get in. Each subsequent SSO login for *user2 *after that initial successful manual login works beautifully. Why is it populating the username field with the previous user’s username?

One thing to note: We’re running in Server 2008 Native Mode for AD, with roaming profiles. Plus, the user profile hierarchy has changed since Server 2003. My GPO for copying a predefined spark.properties is placing the Spark\spark.properties folder and file in C:\Users*user2, *rather than *C:\Documents and Settings\user1\Spark\spark.properties. *Perhaps I’m placing the spark.properties in the wrong location? Thanks in advance for any help you guys can muster.

When you make a change in Spark preferences that affects spark.properties, at least in my roaming profile environment, it creates the Spark folder inside of c:\Users*username* and places the spark.properties inside of the new Spark folder. Is there a better location than that if you’re using roaming profiles?

are you certain that SSO is being used at all? It sounds more like its just saving the username and password. SSO should not even need your username (its in the credential cache)

Here’s my Raw Received from Smack Debug, using my Windows domain account, which did log into Spark without any intervention.

stream:featuresGSSAPIPLAINzlib</stream:features>

=

YDMGCSqGSIb3EgECAgIBAAD/////j/MUjv4iyM 7q72KdhBZgzz3O1rPW3XAMAQEAAAQEBAQ=

neilj@communications1.pabbs.local /spark

<compressed xmlns='http://jabber.org/protocol/compress’/>

Thanks for looking at this with me.

Sorry, my Raw Sent would probably be better proof that the client’s at least attempting SSO. Here’s the pertinent Raw Sent data, prior to the iq roster chatter.

<stream:stream to=“communications1” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“communications1.pabbs.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

YIIGIQYJKoZIhvcSAQICAQBuggYQMIIGDKADAg EFoQMCAQ6iBwMFAAAAAACjggU8YYIFODCCBTSgAwIBBaENGwtQQUJCUy5MT0NBTKIuMCygAwIBAKElMC MbBHhtcHAbG2NvbW11bmljYXRpb25zMS5wYWJicy5sb2NhbKOCBOwwggTooAMCARehAwIBEKKCBNoEgg TW33nsSJJ+vDr9GYq/FMBwk8KYoxG4COGQegQ4gvNQWNHN2H7+fjfUlMbzZBkMN7pNUpfjRgAdYHGuxY X1bDHdgGLvRkknuvWySJw4q90vl8qFMfg5LsbiFJiJYN3CvadySasJ4xM5mfixtqmFPS1oYP8orNKnFF mdZs/A+DjGlm6ruCaYlloadtUYoG8wQEo10fm7cCGxORsms0KOMAeDX6qq3+kr51AuLyU9XSm0vS6ZoL xWQGZv3dnxHhDj+HxayhMCHHitLe8W7rtpk/w36eHHaliqYPSa5V9PYdRljHxSsJiplIIoBW7EmtKaER zcG5+jmcHXEpRFMc6/qvYbNawqESabJvLz6ZWK8iDIaFVJEkjQDUwUJIRm7aRP3FXPlczxeMrDJjJ9qV /ghsVUcIKzTklvqq8BrS4Z7sx8dgF2KxyuHAlKqxJ/7La9LenNbaN5mqrKSO7FgUd4ejOFxRnxy616/S umLSOYfu6kPln8rMuMVUxkTgEP2LIUozABMOjD455W4C0RCByyZK5RUT5DfbMcW23v1SbJaQjHBFs4SJ /VFCssqh9Ux6VfkjJCgNIPCfcidSufIjTO1CsnfoVv5NCrQ3cZuMiym56rUt3IORLGZWSKmkm7E3cnUL dRNPLNln+3jjABHpbdoaTKKAyrWhKGewhAkoFv3oSvrlJpxwK8h8own9G50uSVWusxSC9SXrZXCUPBTX iGjV7Ti5+smyrkgMjs/3bCsBqTcAB+iufthhCSY22Qz5hB2iIU7HpDuwtNXL97Qm29EFm2PlGBdkdw7k eZ4R9WsZxC8QkPoEhl8DRCKS1Z5LKof7k5kwxFouJhhO9MC9U+kpnpRD0KU4FVqEyas0kJP/wClCgfcC fQnD8/iPd2fzT86+6EMFSv6L1jUgWjZMZvVwRb90PTtZNWt5C4ZaTglHF5Xi7pAyn5OV+qvy1KJXPLbp cgJ9EgYKGd4ZUebJJHsuYP10dESQwZGD9gh6idW8BwliZ3n14DaJmzahU3A8SRjcCvOiuLP2Jyb+HadB e1APMOr9GtocsnsAFXG3X0F0l1bkQ1+Lr31maE/TC8C3B05v0TLKJNYKrdp6FEuSUnJOPAx8TSEmOvlt kQ4JomZmQagVN3GsKnIv8fvaRWsqqpgwlCIef5AY/TjKrdffLpznDpCe0Ajxk831IA1Wf76no94t2MM1 LRbMb+/RUjVE8snN9ulhwNI3Gdn0NyZ2L6WT0Ssrs9WHWyflMzjTkVlEahymkomc9gWnIs76Kws6am/U HBYymR6oZO+KW4JLKinsWCu+6LdHYMdGqYL/AngdvmLj4YGeeXSwJN8zAX67XCM1R38LsBE59UFDqmFH 32tV6qzZyaEq4fFj8v8pav/YNq4mDuKcPD+v/N+gFSdmNOOyJ01yq9wIyJgmNgTshrrtrWr++r0UtXgj +rgpsnuxgmZ2K/iEBs7094OffKXm6BtdHuGG1Jx5frGzlAylL95KbZw8VES1jms2bOXrz9VW4wh2KtKj c3OGppVISYKOq9j8qOYmCP4gberevpv8ruNj84rMmQRvHXPxPFa8Go3pqSOinpflPoW7Ir6JqGJnxfh7 zYNdowFSIgDaJAmlzGCNpxuF1qDscPjsKm/G0Xt6Dq8Qvi31BnzyykgbYwgbOgAwIBA6KBqwSBqOFbWU +0e8qVchB68/VaDqsaMtH9oe79k4miARiNOI3WVoWAdbuH7a6MbHljmUyCJxP66pQoAe2pilq0nravEj 3PdexVt0w6Nea6gcPKKDYYhT81a7h6q5N4zEzlq1sxHDAKYa57lXDITIZwKf6E3WMKWT4Drp74H5Ypy1 oLaASKvKDNYGSOkzuhDCNDlMX97Pj5I2Hl+KCjR2rlwJ7sIWp+OkQT+iT6KA==

=

YDsGCSqGSIb3EgECAgIBAAD/////52erK0AthV rAXmHhq6n9kdmVu6piCwZCAQEAAG5laWxqBwcHBwcHBw==

<stream:stream to=“communications1.pabbs.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

spark

zlib

<stream:stream to=“communications1.pabbs.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

Can you send the raw packets for when the second user attempts, but fails?

Here’s Raw Sent on the second user:

<stream:stream to=“communications1” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“communications1.pabbs.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

YIIFEgYJKoZIhvcSAQICAQBuggUBMIIE/aADAg EFoQMCAQ6iBwMFAAAAAACjggQtYYIEKTCCBCWgAwIBBaENGwtQQUJCUy5MT0NBTKIuMCygAwIBAKElMC MbBHhtcHAbG2NvbW11bmljYXRpb25zMS5wYWJicy5sb2NhbKOCA90wggPZoAMCARehAwIBEKKCA8sEgg PHs73SLCr+DjZPJTqMFtC6OYRrORYUOXQx+EJH0aEhjNpSXHPRlygHaE52966LQfNxvcZQEvG26YuTB5 BT/e0LESwHyCl6/G6JtzOirECpeAjvHccLs4o15tg0q0af90d+9C+dNx786p1p1/b0U72fviqTb2RA06 /S4Lavr/2+NnRz/YH3c6OtqYVCU33+Ql2AVMjGGMCEcx8469sgEZMlaoj3+bSyfiAwvsQTt+f60LjNRi lXTI6YNORh1qSpIafFNvaHS1spUt6zi3myM8EeqPAL3GMtUONoC5loA3IXnxE32Jv+HR1fh7FeDsYmD3 m5Jxn3u3YMPD6Qc5JUQi/XpLVL/TLoCilAUzgV3tm9Nd6lbtbd+5BRwuRd+zEcptY9DLXpgfMDZugSfz QnB2+ee18zJJ02VuEZb6ni43w9oJ/aCEiJgvYiSrEFTQ2u7GvbLeDmBWKgHT8EqkL2lWGbAs0DVfFa6Y PBACWhyHr5N9VoDSX+Vwr6vzrKydghMfB7RpJUcXNq5B74ZPGTg4ldcjyrduL6MACBP+L7/ns1Au5UgE 8Ws+4qS/ft8l2Rxw2b749evQ+nk7K76b5JYaGK1RILIDL86fFCm/vsWTDTqxIOcNjIZKBYPknRiWqGUg 6DbBUGtfnBv5UnG6yhcrRR1a9pcYZBK2ma3APWp28AmdJUphZ+vgZ1e2LNLPk5w+Bzi4q0wKVdUjauw3 cl9/c3UOBnlQM4ypzqwAQJVIQq6rB6dNEwi6S4Ao8tTsDW98Kx4OnOBjdOAP29AcafE+tE0EXk2HhZev m1HhHiDsjB7ZlyXLuGYqGrAgpLPe1+aDtx1cdaOKmQSltWT9at4cXtgCblZaWbD8NgnzYcVwVm59CPH8 P0XJFOsoGW3UJJmkLT8ZTEMTwcIeF0ZnTC8IkgdkrXZBKI9UPjk/I61x5cDSrolkRMB2VcM8qrCizwvh /PpmxoECx93QqS+tuTERDCk+hHcwJfecqBgd9//gFaUJ/ZEP8HSQBY4ObCmigRYeV5G0Mj6Kz/asWzju JUx8gcm1dMxwEb9wOJWRUI2x/u9PZxaMxpnGMO/VUOfLxCyrh9CbVcfQ0FZJc2ZNL5zjaVpY2ibBrIDK mHKN7ILIuLmaDy141YrLDwz+zDW9zvkPm2wl3rMAvrWCQPrv9MZCU7BrmD2xethiQzsCzBI96Nlhoz/c 4Bbp0b4nKu1b7j9QZe4NS25sFfKw7XMgk9rZMLjTlW9aE0zfwtxpftyxd2JCHZmdFLME7VohGhho7Znk lufUzn5XkbGaSBtjCBs6ADAgEDooGrBIGoxrMz9W5taTjAOs7ixpJW0xEcQrCSDYpmZkXRQP2Uf1ByDY mMdX2MXaMU3kF8Fhwy00QJDYpd9NI/f+HgSHZtnefvjcWqFCmVdptXhxPT1fGIqsiDQXPmurRYz8Rzd7 Uc7xOyjMIbG0oPauAanc2YRDI7b/kvcg4rRsRNROUxRQ2LUF1PJivHg8dOChpJzxF5QLLFTsxEiKz1pq BhOLJEbGnOjzow+/p+

=

YDsGCSqGSIb3EgECAgIBAAD/////xg0BUD8Cgp oet4xXOkJlt06Tf2aq4RzeAQEAAG5laWxqBwcHBwcHBw==

and here’s Raw Received:

stream:featuresGSSAPIPLAINzlib</stream:features>

=

YDMGCSqGSIb3EgECAgIBAAD/////O+Wk1iCwPt e8yJKWW4A+zoURFY/kBnxeAQEAAAQEBAQ=

Does anyone have any recommendations or any logs or other output that they’d like to see, to chime in on this?

I won’t bump this to death, but this post has been sinking, and I figured I’d give it one more try before I gave up.

I dont know Windows well, and Terminal Server stuff just adds more complexity. I wonder if java is getting confused about credentials. Not sure how to go about checking that, though. Java (I think maybe only in the SDK) has a klist command- what does that show for either user?

The native Kerberos implementation in Server 2008 has a klist command, and when I run it under my account, it displays my current tickets, none of which show an xmpp spn. Should there be one? Also, does it make a difference if I use the native klist versus the one that was bundled with Java?

The native klist will not show an XMPP spn, since java dosnt retain the ticket after obtaining it. And the native client will give the correct creds, because if it didnt all sorts of other things would be broken. Im curious what java is saying, if the klist command can even read that ticket cache- it may not be able to.

OK, I think we’re getting somewhere now. The native klist does show my credentials. When I run Java’s klist in /bin, it says “Credentials cache not found”, and it’s looking for a file/folder named krb5cc_*myusername. *Java is looking for it in my Desktop folder.

This looks to be at the heart of the problem.

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6519127

If I execute klist, the one in my C:\Program Files\Java\jre1.6.0_07\bin, the error reads:

Credentials cache \my.domain\users\settings\DESKTOP\krb5cc_myusername not found.

We are using roaming profiles, and folder redirection for things like documents, home folders, desktop files and folders, etc.

Shouldn’t klist be trying to view my tickets in c:\Users\myusername? If I run “echo %userprofile%” at a command prompt, that’s the path that displays.