Keywords: kerberos delegation 22h2 web player
When running Spotfire in a Kerberos environment, Web Player data may fail to load after upgrading a Windows workstation to Windows 11 (22H2).
The error that may be seen in the Web Player log is:
ERROR 2022-11-14T16:55:32,063-0800 [user@example.com, #B-1557, #730144] wp.router.DelegatingStrategy: Kerberos login to webplayer.example.com failed org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13)))
This article explains what steps can be taken to resolve this issue.
Pre-requisites:
- TIBCO Spotfire server is running with Kerberos authentication
- The data being loaded into an analysis is being sourced from a database that requires the end user credentials via Kerberos. In other words, the current user is required to authenticate to the underlying data source.
By default the Spotfire server attempts to delegate the end user's credentials to the Web Player. This is done so that data sources which require the end user's credentials (rather than a generic service account's) can still be opened: the Web Player passes those credentials on to the underlying data source.
However, since Windows 11 (22H2), Microsoft Defender Credential Guard is enabled by default. This means it is no longer possible to use unconstrained delegation to third-party data sources. Delegation to data sources must be constrained to the precise services required.
Workaround 1
Disable Microsoft Defender Credential Guard by setting the following registry values to 0:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
Workaround 2
Change the delegation property to constrained.
On the service account for the Web Player machine (i.e. the account that runs the TIBCO Spotfire Node Manager service), change Delegation to "specified services only".
Specify the services to which the Web Player can delegate credentials (service name/hostname).
Restart the Web Player to clear any cached copies of the analysis.
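The following PowerShell is an added example, not part of the TIBCO article. It covers the checks behind both workarounds: on the Windows 11 workstation it reports whether Credential Guard is running and what the two LsaCfgFlags registry values hold, and on a domain-joined admin host with the ActiveDirectory module it inspects and applies the constrained-delegation change from Workaround 2. Constrained delegation works under Credential Guard because the service obtains a ticket to the data source on the user's behalf (S4U2Proxy) instead of relying on a forwarded copy of the user's TGT, which Credential Guard withholds. The account name svc-spotfire-nm and the SPN MSSQLSvc/db.example.com:1433 are assumed placeholders; replace them with your Node Manager service account and the actual data-source SPNs.

```powershell
# Added example (not from the TIBCO article). Assumed names:
#   svc-spotfire-nm             - the account running the TIBCO Spotfire Node Manager service
#   MSSQLSvc/db.example.com:1433 - a hypothetical data-source SPN the Web Player must reach

# --- Workstation side (Windows 11 22H2): is Credential Guard active? ---
# Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

# Report the two LsaCfgFlags values that Workaround 1 sets to 0.
# Note: if Credential Guard was turned on by Group Policy or with a UEFI lock,
# changing these values alone does not disable it; a reboot is needed in any case.
function Get-LsaCfgFlags {
    $paths = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
             'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    foreach ($path in $paths) {
        $item  = Get-ItemProperty -Path $path -Name LsaCfgFlags -ErrorAction SilentlyContinue
        $value = if ($item) { $item.LsaCfgFlags } else { '<not set>' }
        [pscustomobject]@{ Path = $path; LsaCfgFlags = $value }
    }
}

# --- Domain side: current delegation settings of the Node Manager service account ---
# TrustedForDelegation = True means "Trust this user for delegation to any service" (unconstrained).
# msDS-AllowedToDelegateTo holds the SPN list behind "Trust this user for delegation to specified services only".
function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADUser -Identity $SamAccountName -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}

# Workaround 2 as a script: clear the unconstrained flag and list the exact target services.
function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$TargetSpn
    )
    Set-ADUser -Identity $SamAccountName -TrustedForDelegation $false
    Set-ADUser -Identity $SamAccountName -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# Usage with the assumed names:
Test-CredentialGuardRunning
Get-LsaCfgFlags
Get-DelegationState      -SamAccountName 'svc-spotfire-nm'
Set-ConstrainedDelegation -SamAccountName 'svc-spotfire-nm' -TargetSpn 'MSSQLSvc/db.example.com:1433'
Get-DelegationState      -SamAccountName 'svc-spotfire-nm'
# Afterwards restart the Node Manager / Web Player service so cached analyses are reloaded.
```

Of the two workarounds, the delegation change is the one that keeps Credential Guard's protection of the workstation's credentials in place, so run the domain-side functions first and fall back to the registry change only if constraining the SPN list is not possible.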
References and further information:
[1] Windows Kerberos Delegation
[3] Considerations when using Windows Defender Credential Guard