Product: Spotfire Server
Versions: TIBCO Spotfire Server 12.1.0 and later
Problem Description:
When Spotfire environment uses Kerberos authentication, end users might not be able to open Information Designer in the Spotfire Analyst client. A prompt for a password appears, but after entering credentials an application error is displayed:
Error message: Could not start Information Designer because the Information Services did not respond as expected.
InformationModelException at Spotfire.Dxp.Data:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was ''. (HRESULT: 80131500)
Resolution:
In Kerberos environment, when using Information Services as an external process (default in version 12.1 and above), Kerberos constrained credentials delegation needs to be allowed to this external service, the same way it is allowed to Node Manager nodes to get to the Web Player and other services.
The constrained credentials delegation needs to be allowed for the Spotfire Server service account (which was used to create keytab file) or the machine account of the Spotfire Server, depending on whether Spotfire Server service is running using service account or local system account.
In Active Directory account configuration of Spotfire Server service account (or machine account), the same Spotfire Server service account needs to be added as one of the destination services that this account is allowed to delegate to. This needs to be configured according to these instructions::
https://docs.tibco.com/pub/spotfire_server/14.0.6/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/enabling_constrained_delegation.html
Note, in step 7, the Spotfire Server service account needs to be added to the list for a successful delegation to Information Services process. This was not necessary in version 12.0 and earlier versions, because Information Services was not a separate process.
IMPORTANT: In some earlier versions of Spotfire Server, including 14.01 and 14.1, there is a known product defect that prevents Information Designer from opening as expected. If the above solution does not resolve this issue, then the following workaround should be used in order to force Information Services to run in-process within Spotfire Server, instead of running as external process:
1) Login to the Spotfire Server and export the configuration:
config.(bat|sh) export-config
2) Disable Information Services launching as a separate process:
config.(bat|sh) set-config-prop -n information-services.external-process.enabled -v false
3) Import the new configuration:
config.(bat|sh) import-config -c "Disabled IS launching as external process"
4) Copy all JDBC driver .jar files that are used by Information Links from <Spotfie Installation dir>\tomcat\custom-ext-informationservices\
to <Spotfie Installation dir>\tomcat\custom-ext\
directory.
5) Restart Spotfire Server process
Information Designer should now launch without a login prompt.