HELP needed: AD/SSO Integration of Spark 2.6.0 RC2

Hi

any help and test results for RC" in connection with AD/SSO are highly welcome. I suspect that RC2 is not working with AD and I would need a report about that.

Walter

Hi, I`ve just tested Spark 2.6.0 RC2 with AD/SSO, we have no problems. Settings SSO via gssapi, advanced, use DNS.

Can you check, if Spark works well after a password change in Windows? There is a report that this functionality is broken.

Unfortunataly till the end of the next week Im out of office. I dont know, if I have good understanding SSO in Spark, but it only cheks your credentials in AD. We dont use passwords, we have tokens and as I said before, it works without problems. I tested this settings with more than ten users, it works after adding apriopriate registry key, without windows reset. Ill check changing passwords on test user and let you know about test results. If you have more questions I can help .

I checked this problem with passwords on test user. After I change a password, old one still worked. After maybe 5 minutes I was unable to use an old password and now it doesnt work at all. Im not an expert in AD but maybe a password change takes time.

Can you check, if the OF server has registered the new password. If I understand the technical solution correctly, it is the server that takes care about the AD integration and not die Client.

The new password works. The Openfire server takes care about the integration and in this example it reads user and passwords from the AD database. In my opinion there is some sort of cache in the openfire server and it takes time to refresh a new password. This is why I could login the old password and the new one simultaneously. After 5 minutes the old password has stopped working and I use the new password.

Hello,

We haven’t been able to make the SSO working (with all OF/Spark realeases) for the last few years (2~3)…

The Spark sees the principal, the realm and the KDC correctly (currently - OF 3.7.0 with AD 2003 users integration), but reports an error - “check your principal or server settings”…

Note: We are using a single label domain…

Any advise would be highly appreciated…

First question: “The Spark sees the principal, the realm and the KDC correctly”, what does it mean? Connectivity?

the Principal (User Principal Name) = recognizes the desktop user and puts it into the login form.

the Kerberos Realm = the so called domain name

KDC = Key Distribution Center - a Domain Controller

The realm and the KDC are automatically listed under the “Advanced Connection Preferencies” (SSO Tab).

The connectivity to all of the servers is fine… we are having the AD users working with user/pass for years…

I suppose the openfire server is WIN system. Key points are dns, time, keytab, openfire.xml, and gss.conf. Could you send your gss.conf and openfire.xml, which you use to make SSO working.

Well, let’s leave the topic… We are running the OpenFire on Ubuntu… It appeared that our investigation hasn’t been performed correctly…

We will investigate the situation much deeper when we have the time.

Thank you for your time so far.