Spark - Windows 10 UAC - SSO - Standard Users

I am starting to test Windows 10 in our environment, and I am having a bit of trouble getting Spark to run with SSO for a user who is not a local administrator.

If I double click the icon, Spark runs without UAC notifications but without SSO.

If I right-click and ‘Run as Administrator’, UAC immediately prompts for Admin credentials.

If I disable UAC, Spark works with SSO but I lose the ‘Metro’ apps (Edge, weather app, etc…)

If I add the user to the local administrators group, ‘Run as Administrator’ works with SSO… even with UAC enabled.

As it appears, I would need to make the users local admins to get SSO working, or completely disable UAC (which kills Edge, calculator, etc…).

Is there any way to get around this?

Since I have UAC completely disabled in my production Windows 7 environment, I never needed to create the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"AllowTGTSessionKey"=dword:00000001

Creating that key on the Windows 10 PC allowed SSO to function properly with a standard user.


I can verify that when Credential Guard is enabled on Windows 10, Spark stops doing SSO (Unable to Detect).

The LSASS will not share the tokens with Java anymore.

Alex

Running Spark with SSO on Windows 10 as a STANDARD non-local admin user WITHOUT creating a scheduled task, or using a 3rd party solution.

Simple fix is to install the Spark client in the C:\Users\Public\Spark folder. Worked like a charm. No UAC pop up or having to use a 3rd party solution or any additional workarounds. I followed the 28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark documentation to set up SSO. The UAC issue does not affect Windows 7 clients, only my Windows 10 clients (I do not have Win 8 or 8.1 clients to test with).


Jason,

Can you try this… sign into Spark with SSO. Lock your desktop, unlock your desktop, exit Spark, and try to sign back in to Spark using SSO. It's been my experience that on lock/unlock the TGT cache is cleared and not refreshed on unlock. This causes Spark to fail since no tickets are in the cache. I'd like additional confirmation. Thanks.

Hey… I'm actually Jason's assistant and have been working alongside him setting this up. I did what you said ("Lock your desktop, unlock your desktop, exit Spark, and try to sign back in to Spark using SSO") and everything works fine. We are still doing testing on this. Will let you know anything we find out.

I wonder if it's because I'm a local admin on my machine. Guess I'll test this. Thanks for testing for me.

In my case, since I am also a local admin, I always have to run it in admin mode, but for the rest of the users in the organization, installing it in the Users\Public folder removes the requirement for the UAC prompt.

I'm… I'd be interested in seeing your setup, as I'm not sure you are using Kerberos for SSO, but maybe "saved password".

Would you do me yet another favor? Pull up a command prompt and execute klist.

Leave the command window up, now lock your desktop. Unlock and execute klist again. Is your ticket cache empty?

It's Kerberos and DNS.

I ran klist. From a list of 9 items it went down to 1 item, but it did not completely clear out.

P.S. We just deployed it to about 100 computers and it is working perfectly so far. When the computer is locked the person's status is displayed as "Away".

I just tested from my system - I went from 9 items to 0.

Just tested from another PC, this time with a standard user account and not local admin. Same thing - I went from 6 items to 0.
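An added PowerShell check, not from this thread, that pulls together the three things the posts above tie to Spark SSO on Windows 10: the AllowTGTSessionKey value, whether Credential Guard is running, and the klist ticket count (run it once before and once after a lock/unlock to reproduce the comparison above). The -Fix switch and the parsing of klist's "Cached Tickets: (N)" line are my own assumptions.

```powershell
# Added example, not from the thread. Run as a standard user to check; an elevated
# prompt is needed for -Fix, because the key lives under HKLM.
param([switch]$Fix)

$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-AllowTGTSessionKey {
    # Returns the DWORD value, or $null when the value does not exist (the default).
    $p = Get-ItemProperty -Path $kerbKey -Name AllowTGTSessionKey -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.AllowTGTSessionKey
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active;
    # with it on, LSASS no longer hands the TGT session key to user-mode apps such as Java.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $false }
    return ($dg.SecurityServicesRunning -contains 1)
}

function Get-CachedTicketCount {
    # klist prints a "Cached Tickets: (N)" line (assumed format); 0 after a lock/unlock
    # is the symptom reported above.
    $out = & klist.exe 2>&1 | Out-String
    if ($out -match 'Cached Tickets:\s*\((\d+)\)') { return [int]$Matches[1] }
    return 0
}

$val = Get-AllowTGTSessionKey
$valText = if ($null -eq $val) { 'not set (behaves as 0)' } else { $val }
$cgText  = if (Test-CredentialGuardRunning) { 'running (Spark SSO will not work)' } else { 'not running' }
Write-Host ("AllowTGTSessionKey : {0}" -f $valText)
Write-Host ("Credential Guard   : {0}" -f $cgText)
Write-Host ("Cached tickets     : {0}" -f (Get-CachedTicketCount))

if ($Fix -and $val -ne 1) {
    # This exposes the TGT session key to user-mode processes, which is why it is off by
    # default; it only applies to tickets obtained after the change, so log off and on.
    New-ItemProperty -Path $kerbKey -Name AllowTGTSessionKey -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'AllowTGTSessionKey set to 1; log off and back on, then re-run this check.'
}
```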

Oops. I got my threads mixed up. I've been meaning to reply to this one! Spark SSO relogin errors after Windows 10 lock out.

I found this article which kind of confirms Speedy’s experience: java - Kerboros cached ticket deleted after using Windows lock screen - Stack Overflow

This explains what I thought was just a quirky issue within the new version of Spark… it didn't really click that I was only seeing issues on the newer Win 10 machines I've deployed (I've only received a couple of calls on it though… generally they log into Spark first thing in the morning and remain logged in all day).

If a mod can move all the comments from Speedy’s first comment on Mar 10, 2017 7:51 AM to that thread it would keep things cleaner.

However, I’m glad you accidentally did that, as it brought the issue to my attention.