Channel: Ignite Realtime : Discussion List - All Communities

Intermittent SSO problems


I searched all over these forums without success before deciding to register and post the problem I'm having.

 

----Environment----

Server: Server 2008 R2 with OpenFire 3.7.1 installed, LDAP integration (working fine)

Clients: Windows 7 Professional 64bit, Spark 2.6.3.12555

 

 

I followed the instructions here: http://community.igniterealtime.org/docs/DOC-1060 to set up SSO,

verified it was working (deleted spark.properties, copied krb5.ini and registry settings, ran spark, advanced>>SSO>>enable, entered the server and logged on without entering credentials).

I then went and customized spark, deleting the exit and logout menu items, as well as setting it up to automatically generate the correct information in the spark.properties file when run for the first time.

Tested it half a million times on test machines with different user profiles etc.

Deployed to about 120 computers (repackaged with AppDeploy, pushed with PDQDeploy)

Now a bunch of users are reporting they can't log in because they get the "Unable to connect using Single Sign-On." error, but most of the users aren't having any issues at all (and I've verified they are in fact connecting with SSO).

 

I finally was able to reproduce the problem on a test computer (not being able to connect right after installing spark). However, nothing on the user/workstation side seems to fix it. I can uninstall my custom version of spark, purge the registry and filesystem of any traces, restart, re-install the unmodified version, copy krb5.ini and registry edits, turn on SSO and it still fails. Sometimes running "klist purge" and rebooting will resolve it. Most of the time it won't. Sometimes logging the user onto another workstation will suddenly make it work, sometimes it won't.

 

When it fails there is nothing in the C:\Program Files (x86)\Spark\Logs\error.log file. However, when I turn on Debug on the server side, I am able to capture this:

 

 

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] Data Read: org.apache.mina.filter.support.SSLHandler@1dfe254 (HeapBuffer[pos=0 lim=22 cap=64: 17 03 01 00 11 49 D5 9E 0C F7 FC C7 2F 45 88 BC 61 ED 4E 5D 50 A6])

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] unwrap()

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=22 cap=16665]

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 22 bytesProduced = 1

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] inNetBuffer: java.nio.DirectByteBuffer[pos=22 lim=22 cap=16665]

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 0 bytesProduced = 0

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]

2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/192.168.1.238:49631] app data read: HeapBuffer[pos=0 lim=1 cap=1: 20] (20)

2013.02.27 09:33:16 org.apache.mina.filter.executor.ExecutorFilter - Launching thread for /192.168.1.238:49631

2013.02.27 09:33:16 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /192.168.1.238:49631

 

 

From that log, it seems like something is going wrong server side, but I can't figure it out, because I can't seem to find any scenario where it always (or never) works!

 

Anyone have any clues, hints or ideas?

 

 

Anything at all would be greatly appreciated. If I can get it working, I'll post documentation on how I modified everything (since I've seen quite a few users asking how to do what I did). But if it doesn't work, well, there's not really much point in posting a mod that breaks SSO....

Carl
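
An added example, not part of the original post: a Python sketch that decodes the two hex dumps in the debug log above, to show what that excerpt actually contains. The function names are hypothetical; the two sample lines are copied from the post, with the second shortened to its buffer dump.

```python
import re

# Two buffer dumps copied from the debug log in the post.
LOG = [
    "2013.02.27 09:33:16 org.jivesoftware.openfire.nio.ClientConnectionHandler"
    " - [/192.168.1.238:49631] Data Read: org.apache.mina.filter.support."
    "SSLHandler@1dfe254 (HeapBuffer[pos=0 lim=22 cap=64: 17 03 01 00 11 49 D5"
    " 9E 0C F7 FC C7 2F 45 88 BC 61 ED 4E 5D 50 A6])",
    "app data read: HeapBuffer[pos=0 lim=1 cap=1: 20] (20)",
]

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
DUMP = re.compile(r"HeapBuffer\[pos=\d+ lim=(\d+) cap=\d+: ((?:[0-9A-F]{2} ?)+)\]")


def heap_bytes(line):
    """Extract the bytes of a MINA HeapBuffer dump and check them against lim."""
    m = DUMP.search(line)
    if m is None:
        raise ValueError("no HeapBuffer dump in line")
    data = bytes.fromhex(m.group(2))
    if len(data) != int(m.group(1)):
        raise ValueError("dump is truncated relative to lim")
    return data


def parse_tls_record(buf):
    """Decode the 5-byte TLS record header: type, version, payload length."""
    if len(buf) < 5:
        raise ValueError("shorter than a TLS record header")
    length = int.from_bytes(buf[3:5], "big")
    return {
        "type": CONTENT_TYPES.get(buf[0], "unknown(%d)" % buf[0]),
        "version": VERSIONS.get((buf[1], buf[2]), "unknown"),
        "length": length,
        "complete": len(buf) == 5 + length,  # exactly one whole record
    }


if __name__ == "__main__":
    print(parse_tls_record(heap_bytes(LOG[0])))
    print(repr(heap_bytes(LOG[1])))
```

The 22-byte read is one complete TLS 1.0 application-data record, and its decrypted payload is the single byte 0x20, an ASCII space, which XMPP (RFC 6120) allows between stanzas as a whitespace keepalive. No handshake, alert, or SASL `<auth>`/`<failure>` element appears in these lines.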

