15 Replies Latest reply on Dec 5, 2015 1:33 PM by speedy

    Openfire+Spark+SSO not worked

    Robert

      Hey,

      I have a problem connecting Spark (v. 2.7.3) to the Openfire server by SSO.

      I tried all the recommendations of these links:

      1.     https://community.igniterealtime.org/docs/DOC-1060
      2.     https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux
      3.     https://community.igniterealtime.org/docs/DOC-1522
      4.     https://community.igniterealtime.org/docs/DOC-1060
      5.     https://community.igniterealtime.org/thread/51154
      6.     https://community.igniterealtime.org/docs/DOC-2585

      and nothing :-(

      My environment is:

      KDC (AD) on Windows Server 2003
      Openfire server on CentOS 7
      Hosts with Spark: Windows XP, 7, 8.1

      My openfire.xml looks like that:

      <?xml version="1.0" encoding="UTF-8"?>

      <!--
          This file stores bootstrap properties needed by Openfire.
          Property names must be in the format: "prop.name.is.blah=value"
          That will be stored as:
              <prop>
                  <name>
                      <is>
                          <blah>value</blah>
                      </is>
                  </name>
              </prop>

          Most properties are stored in the Openfire database. A
          property viewer and editor is included in the admin console.
      -->
      <!-- root element, all properties must be under this element -->
      <jive>
        <adminConsole>
          <!-- Disable either port by setting the value to -1 -->
          <port>9090</port>
          <securePort>9091</securePort>
        </adminConsole>
        <locale>pl_PL</locale>
        <!-- Network settings. By default, Openfire will bind to all network interfaces.
            Alternatively, you can specify a specific network interfaces that the server
            will listen on. For example, 127.0.0.1. This setting is generally only useful
             on multi-homed servers. -->
        <!--
          <network>
              <interface>192.168.0.1</interface>
          </network>
          -->
        <!-- SPDY Protocol is npn.
              (note: npn does not work with Java 8)
              add -Xbootclasspath/p:/OPENFIRE_HOME/lib/npn-boot.jar to .vmoptions file    -->
        <!--
          <spdy>
              <protocol>npn</protocol>
          </spdy>
          -->
        <connectionProvider>
          <className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
        </connectionProvider>
        <!-- sasl configuration -->
        <sasl>
          <realm>DOMAIN</realm>
        </sasl>
        <authorization>
          <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
        </authorization>
        <setup>true</setup>
      </jive>

      My krb5.conf looks like that:

      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
      default_realm = domain
      default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
      default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

      [realms]
      domain = {
        kdc = srv.domain
        admin_server = srv.domain
        default_domain = domain
      }

      [domain_realm]
      domain = DOMAIN
      .domain = DOMAIN

      My gss.conf in folder /opt/openfire/conf looks like that:

      com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule
          required
          storeKey=true
          keyTab="/opt/openfire/spark.keytab"
          doNotPrompt=true
          useKeyTab=true
          realm="DOMAIN"
          principal="xmpp/srv.domain@DOMAIN"
          debug=true
          isInitiator=false;
      };

      Create on DC spark user, with options "Unable to change password", "Password never expires" and "Does not require Kerberos Preauthentication"

      For spark create Kerberos XMPP SPN on DC

      setspn -A xmpp/srv.domain@DOMAIN spark
      setspn -A xmpp/srv.domain spark
      setspn -A xmpp/srv spark

      For spark create map Kerberos XMPP SPN on DC,

      ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL

      Create spark.keytab file on DC

      ktpass -princ xmpp/srv.domain@DOMAIN -mapuser spark@domain -pass * -ptype KRB5_NT_PRINCIPAL -out spark.keytab

      Copy spark.keytab to srv.domain with openfire server to folder /opt/openfire and change owner and permission

      I set on my hosts

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Value Name: AllowTGTSessionKey
      Value Type: REG_DWORD
      Value: 1

      On the host with Windows XP I have that error in spark logs:

      WARNING: Exception in Login:
      SASL authentication failed:
        -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
      Nested Exception:
      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          ... 10 more
      Caused by: KrbException: Server not found in Kerberos database (7)
          at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
          at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
          at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
          ... 13 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
          ... 19 more

      On the host with Windows 7 and 8.1 I have that error in spark logs:

      AM org.jivesoftware.spark.util.log.Log warning
      WARNING: Exception in Login:
      SASL authentication failed:
        -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
      Nested Exception:
      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
          at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
          at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
          at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
          at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
          at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
          at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
          at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          ... 10 more
      Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
          at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
          at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.access$000(Unknown Source)
          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
          at javax.security.auth.login.LoginContext.login(Unknown Source)
          at sun.security.jgss.GSSUtil.login(Unknown Source)
          at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          ... 17 more

      Please help me with that. I spent the last 3 weeks on that and it drives me crazy ;-(

      Sorry for my bad English, google translator ;-)

      Regards

      Robert
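
A consistency check over the three things the post configures by hand (krb5.conf, gss.conf and the service principal), added here as an example; it is not part of the original post or of Openfire. The function names, the finding codes and the rule that the acceptor principal is `xmpp/<xmpp.fqdn>@<REALM>` are assumptions of this example, and the sample input is constructed from the settings quoted above with their placeholders kept.

```python
import re

# Single DES was retired by RFC 6649; 3DES and RC4 were deprecated by RFC 8429.
BROKEN = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
DEPRECATED = {"des3-cbc-sha1", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample input: the settings quoted in the post, placeholders kept.
KRB5_SAMPLE = """
[libdefaults]
default_realm = domain
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
domain = {
  kdc = srv.domain
}
[domain_realm]
domain = DOMAIN
.domain = DOMAIN
"""
JAAS_SAMPLE = """
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true keyTab="/opt/openfire/spark.keytab" useKeyTab=true
    realm="DOMAIN" principal="xmpp/srv.domain@DOMAIN" isInitiator=false;
};
"""


def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}."""
    conf, section, sub = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return conf


def parse_jaas(text):
    """Return the key=value options of a JAAS login entry, quotes removed."""
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', text)
    return {key: value.strip('"') for key, value in pairs}


def lint(krb5_text, jaas_text, xmpp_fqdn):
    """Return (code, detail) findings; an empty list means the files agree."""
    krb5, jaas = parse_krb5(krb5_text), parse_jaas(jaas_text)
    lib, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    default_realm = lib.get("default_realm", "")
    findings = []
    # Realm names are case-sensitive, and Active Directory realms are upper-case.
    used = {default_realm, jaas.get("realm", ""), *krb5.get("domain_realm", {}).values()}
    for realm in sorted(used - {""}):
        if realm != realm.upper():
            findings.append(("realm-case", realm))
        if realm not in realms:
            findings.append(("realm-undefined", realm))
    for key in ENCTYPE_KEYS:
        for enc in lib.get(key, "").split():
            if enc in BROKEN:
                findings.append(("enctype-broken", f"{key}: {enc}"))
            elif enc in DEPRECATED:
                findings.append(("enctype-deprecated", f"{key}: {enc}"))
    # Assumption: the acceptor principal has the form xmpp/<xmpp.fqdn>@<REALM>.
    principal = jaas.get("principal", "")
    match = re.fullmatch(r"xmpp/([^/@]+)@([^/@]+)", principal)
    if not match:
        return findings + [("principal-format", principal)]
    host, realm = match.groups()
    if host.lower() != xmpp_fqdn.lower():
        findings.append(("principal-host", f"{host} != {xmpp_fqdn}"))
    for label, other in (("gss.conf realm", jaas.get("realm")), ("default_realm", default_realm)):
        if other and other != realm:
            findings.append(("principal-realm", f"{realm} != {label} {other}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(KRB5_SAMPLE, JAAS_SAMPLE, "srv.domain"):
        print(f"{code:20} {detail}")
```
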

       

          • Re: Openfire+Spark+SSO not worked
            Robert

            Thank you for your reply, but I tried this solution.

              • Re: Openfire+Spark+SSO not worked
                speedy

                looking at everything you posted, it doesn't look like you followed the guide I recommended.  Please try again from the beginning. This includes deleting and recreating your AD user

                  • Re: Openfire+Spark+SSO not worked
                    Robert

                    Now I get this error:

                    lis 17, 2015 2:48:44 PM org.jivesoftware.spark.util.log.Log warning
                    WARNING: Exception in Login:
                    SASL authentication GSSAPI failed: not-authorized:
                        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:342)
                        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
                        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
                        at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
                        at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
                        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
                        at java.lang.Thread.run(Unknown Source)

                    What I did:

                    1. Delete old user "spark" and create new user "sparkuser"
                    2. Field xmpp.domain set to DOMAIN (when I have this field set to "srv,domain" I can't login to openfire server configuration page with domain user)
                    3. Map spn to user "sparkuser" with setspn -A xmpp/domain@DOMAIN sparkuser
                    4. Of course create new keytab that I copy to server with openfire
                    5. I changed in gss.conf field principal to "xmpp/domain@DOMAIN"

                    And I went one step forward or backward? ;-)

                    Please help.

                    Regards

                    Robert

                      • Re: Openfire+Spark+SSO not worked
                        speedy

                        what version of java are you running on your openfire server?  did you set a xmpp.fqdn property?

                          • Re: Openfire+Spark+SSO not worked
                            Robert

                            Java on openfire server is 1.7.0_79 Oracle Corporation -- Java HotSpot(TM) 64-Bit Server VM.

                            I set xmpp.fqdn to  szgap01.srzg .

                              • Re: Openfire+Spark+SSO not worked
                                speedy

                                please try this..on the windows 2003 domain controller, reset the password on your "sparkuser". Don't change the password though..use the SAME password

                                  • Re: Openfire+Spark+SSO not worked
                                    Robert

                                    I reset the password on "sparkuser" (I use the same password) and I got the same error in spark log. Some other ideas?

                                      • Re: Openfire+Spark+SSO not worked
                                        speedy

                                        the next thing I might do is try to recreate the keytab using java ktab

                                        If that doesn't work, then next would dive into wireshark to look at the packets to see what's going on there.

                                          • Re: Openfire+Spark+SSO not worked
                                            Robert

                                            Hi,

                                            partially solved the problem. I upgraded openfire server to version 3.10.3, set new spn map to user "sparkuser":

                                            setspn -A xmpp/srv.domain@DOMAIN sparkuser and setspn -A xmpp/srv.domain sparkuser

                                            and now my spn map to spark user looks like that:

                                            xmpp/srv.domain@DOMAIN
                                            xmpp/srv.domain
                                            xmpp/domain@DOMAIN
                                            xmpp/domain

                                            After that my host with Windows XP can now login with SSO but my hosts with Windows 7 and 8 have this error in spark warn log:

                                            org.jivesoftware.spark.util.log.Log warning
                                            WARNING: Exception in Login:
                                            SASL authentication failed:
                                              -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
                                                at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
                                                at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
                                                at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
                                                at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
                                                at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
                                                at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
                                                at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
                                                at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
                                                at java.lang.Thread.run(Unknown Source)
                                            Nested Exception:
                                            javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
                                                at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
                                                at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
                                                at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
                                                at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
                                                at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
                                                at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
                                                at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
                                                at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
                                                at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
                                                at java.lang.Thread.run(Unknown Source)
                                            Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
                                                at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
                                                at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
                                                at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
                                                at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
                                                ... 10 more
                                            Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
                                                at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
                                                at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
                                                at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
                                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                                                at java.lang.reflect.Method.invoke(Unknown Source)
                                                at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                                                at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                                                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                                                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                                                at java.security.AccessController.doPrivileged(Native Method)
                                                at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                                                at javax.security.auth.login.LoginContext.login(Unknown Source)
                                                at sun.security.jgss.GSSUtil.login(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
                                                at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
                                                at java.security.AccessController.doPrivileged(Native Method)
                                                ... 17 more

                                            please help

                                            Regards

                                            Robert

                                            • Re: Openfire+Spark+SSO not worked
                                              Robert

                                              I have another strange thing:

                                              1. When I login with regular domain user on host with Windows XP, 7, 8 I can login to spark with SSO.

                                              2. When I login with admin domain user (I am that user), on Windows XP I can log on but on Windows 7 and 8 I can't. Why?

                                                  On Windows 7 and 8 with admin domain user when I log on to spark in field "Account" I don't have "user@DOMAIN" and spark in SSO option says: spark can not find the general settings for Single Sign-On.

                                                • Re: Openfire+Spark+SSO not worked
                                                  speedy

                                                  that sounds like a uac issue.  try running spark "as administrator"

                                                    • Re: Openfire+Spark+SSO not worked
                                                      Robert

                                                      Yes! Yes! Yes! Yuuupi this works

                                                      I run spark on my admin domain user "as administrator" and it logs in.

                                                      Thank you for help.

                                                      Now I have one last question, maybe stupid, but can I set in this thread two good answers?

                                                      First good answer is the link that you sent me, second "run as admin".

                                                      Thank you again.

                                                      Regards

                                                      Robert

                                                      • Re: Openfire+Spark+SSO not worked
                                                        Mažvydas

                                                        Our company's domain users all have limited rights and running Spark with non-elevated rights results in not catching login credentials, hence SSO simply wouldn't work. We configured Spark to depend on krb5.ini and not DNS config. Running Spark as admin by administrative privileges granted user works, but only that. I couldn't find an answer here and I noticed some folks have stumbled upon this issue themselves, so after a bit of researching and testing, here is what I came across:

                                                        To make Spark run under limited rights and make SSO work, you've got to bypass UAC. To do so, you have to create a Scheduled Task which runs once. Please note, path-to-spark-install-dir might be different than the one I post, so edit it according to your preferences. Using Command Prompt:

                                                        schtasks /create /tn Spark /tr C:\Spark\Spark.exe /sc ONCE /RL HIGHEST /st 23:00:00

                                                        If you have multiple users sharing the same PC, Scheduled Task will have to be updated with /RU switch

                                                        Now we need to execute it

                                                        Create a shortcut (*.lnk) and insert the following command:

                                                        C:\Windows\System32\schtasks.exe /run /tn "Spark"

                                                        Run the shortcut and test. I have tested in Windows 8.1/Windows 10 Pro environments, latest Spark client. Computers joined to domain.

                                                        Another piece of advice is to install Spark somewhere outside the Program Files system folder (e.g. C:\ or another drive) to prevent occurrence of possible UAC issues.