Versions: 12.0 and higher
Summary:
Kerberos authentication fails on TIBCO Spotfire Server when RC4-HMAC encryption type is used
Details:
When the TIBCO Spotfire Server is upgraded to version 12.0 or newly installed, and the RC4-HMAC encryption type is used in the krb5.conf file and in the keytab, the Spotfire Server application will fail to start and the following errors are seen in server.log:
[*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosCredentialsManager' defined in class path resource [applicationContext-tss-is-common.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
ERROR 2022-09-17T12:22:17,719-0400 [unknown, #B-101, #270] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)
ERROR 2022-09-17T12:22:12,950-0400 [unknown, #B-20, #87] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)
Caused by: sun.security.krb5.KrbException: Encryption type RC4 with HMAC is not supported/enabled
Caused by: sun.security.krb5.KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:1015) ~[java.security.jgss:?]
This is because Spotfire 12.0 is bundled with Java SE Development Kit 17. The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are deprecated and disabled by default in Java 17. Therefore, after upgrading to Spotfire 12.0 from an earlier version where the RC4-HMAC encryption type was enabled and working, Spotfire will fail to start. Please refer to the Java 17 release note.
Resolution:
To resolve this, use the AES-128 or AES-256 encryption types when creating the keytab, and configure krb5.conf with the encryption types below:
default_tkt_enctypes = aes128-cts,aes256-cts
default_tgs_enctypes = aes128-cts,aes256-cts
Also make sure AES-128 and AES-256 are enabled on the service account created for the Spotfire Server and Node Manager.
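As an added check that is not part of this article or of the Spotfire product, the following Python script parses a keytab in MIT format version 0x0502 and reports the entries whose encryption type Java 17 rejects by default, so a keytab can be inspected for RC4-HMAC or DES entries before the upgrade rather than after the server fails to start. The principal name, key bytes and timestamp in the sample keytab are constructed; the etype numbers are the registered Kerberos values.

```python
import struct

# RFC 3961 / IANA etype numbers; Java 17 disables the des, des3 and rc4 types (not AES) by default.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DISABLED_IN_JDK17 = {1, 3, 16, 23}

def read_counted(buf, off):
    # counted_octet_string: uint16 big-endian length, then that many octets; returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    # Parse an MIT keytab in format version 0x0502 (big-endian); returns (principal, etype, kvno) per entry
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # negative size marks a deleted slot: skip its bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        parts, p = [], off + 2
        for _ in range(ncomp + 1):           # realm first, then the principal's name components
            part, p = read_counted(data, p)
            parts.append(part.decode())
        # name_type, timestamp, 8-bit kvno, then the keyblock type (= encryption type)
        _name_type, _timestamp, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = read_counted(data, p + 11)
        if end - p >= 4:                     # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(parts[1:]) + "@" + parts[0], etype, kvno))
        off = end
    return entries

def jdk17_incompatible(entries):
    # Entries the Java 17 Kerberos provider will not use by default (the article's RC4-HMAC case)
    return [(p, ETYPE_NAMES.get(e, str(e)), k) for p, e, k in entries if e in DISABLED_IN_JDK17]
def keytab_entry(principal, etype, key, kvno=2):
    # Build one 0x0502 entry for the constructed sample below (not data from a real Spotfire server)
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(x)) + x for x in parts)
    body += struct.pack(">IIBH", 1, 1663431737, kvno, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body
# Constructed sample: one RC4-HMAC entry (rejected under Java 17) and one AES-256 entry (accepted)
SPN = "HTTP/spotfire.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = b"\x05\x02" + keytab_entry(SPN, 23, b"\x11" * 16) + keytab_entry(SPN, 18, b"\x22" * 32)
```

Where the MIT Kerberos tools are installed, `klist -e -k -t /path/to/spotfire.keytab` shows the same per-entry encryption types without any scripting.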