Spark appears to fallback to jabber:IQ:auth when GSSAPI is offered by the server, but can't be used. GSSAPI/SSO usually can not be used when the Kerberos server is unavailable or the client can not get a ticket ( ie client off the internal network). This is a problem because non-sasl authentication methods have been removed from openfire core starting in 4.1, and appears to have been removed from new version of smack.
In openfire if sasl.mechs is set to PLAIN,GSSAPI
In Spark, when SSO is selected, spark will authentication and use GSSAPI.
When SSO is not use, or can not be used because the Kerberos server is not available; the user should be able to disable SSO from spark, and authenticate using PLAIN. However when trying to do so authentication fails.
In Openfire, if sasl-mech is set to only PLAIN, than Spark with authenticate with only username and password as expected.
When using spark with smack3, and OF 4.02 sasl.mech set to PLAIN, GSSAPI; if SSO fails, a user can still authenticate after disabling SSO within Spark, and use their username and password (although using jabber:IQ:auth)