Spotfire Server: Kerberos: NegoTokenTarg : did not have the right token type

Please refer to this articles parent page for more information.

The following error maybe seen in the Spotfire server.log

server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)
        at sun.security.jgss.spnego.NegTokenTarg.parseToken(NegTokenTarg.java:179) ~[java.security.jgss:?]

The error could be seen for these possible reasons

1) The workstation browser does not trust the spotfire URL. Make sure the spotfire URL is listed under Local Intranet in Internet Options. This is located under the Security section.

A kerberos token is only sent by the browser (Edge or Chrome) to the site when it is listed  under Local Intranet.

2) The encryption types listed under krb5.conf are inconsistent with what the service account in windows supports. E.g. the account in windows may only support AES-128 yet AES-256 encryption is being requested

krb5.conf

default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts

3) The spotfire keytab file does not have an encryption type consistent with the service account or krb5.conf

Another source of inconsistecy may be the encryption type used in the kerberos keytab file. To check this run the following command:

(BASE DIR)\jdk\bin\ktab.exe -l -e -t -k (BASE DIR)\tomcat\spotfire-config\spotfire.keytab

If you find this error perists please contact Revvity Signals Support for further assistance.