Problem Description:
After Spotfire Server upgrade, existing Spotfire analysis files can fail to open in web browsers, while still opening without issues in Spotfire Analyst client. The following error is displayed to end users:
"The task could not be completed. Unable to open analysis <analysis-name>"
This problem can occur in Spotfire environments that are configured to use Kerberos authentication with delegation to Spotfire Node Manager nodes.
Additional Details:
As part of troubleshooting this issue, Web Player instance log file Spotfire.Dxp.Worker.Host.Debug.<instance-id>.log needs to be reviewed. If the following entries are found in this file, then the solution described below might be used to resolve this issue:
DEBUG;2024-10-19T19:41:56,657-04:00;191514111cAjQO;11;USR032474;caf1a1a3e8df5c87dbc4046f5691004f;Spotfire.Dxp.Worker.Services.Web.Analysis.AnalysisService;"Open analysis from library path '/shared-library-path/user-directory/example-analysis'
...
DEBUG;2024-10-19T19:41:56,798-04:00;191514111cAjQO;11;USR032474;caf1a1a3e8df5c87dbc4046f5691004f;Spotfire.Dxp.Worker.Services.Web.Analysis.WebAnalysisOpenHelper;"Creating new (interactive) analysis '/shared-library-path/user-directory/example-analysis 2146ee2a-679f-455d-a9c4-604c91d69e7c'...
...
INFO ;2024-10-19T19:42:02,510-04:00;191514111cAjQO;WorkThread 238_211;USR032474 WAT 13;caf1a1a3e8df5c87dbc4046f5691004f;Spotfire.Dxp.Services.Http.HttpRetryContext;"Cannot retry error in call to . System.UnauthorizedAccessException: Access to the path 'C:\Tibco\Tsnm\14.0.5\nm\services\webworker-62.0.19229.3148-de7c0550-8db9-4560-b4d0-703b965cdf35\Temp\4RbGntQB60CZQA8AIjUH9g\Library-6660\pbk6AeWlA0CvBl4-QWjwOQV91g0Q09oUGgCesNivbAgw.dxp' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at Spotfire.Dxp.Services.Library.LibraryService.<>c__DisplayClass39_0.b__0()
at Spotfire.Dxp.Services.WcfSoapService2.InvokeService[T](Func1 serviceMethod, String customMethodNameForLogging)
...
ERROR;2024-10-19T19:42:02,510-04:00;191514111cAjQO;WorkThread 238_211;USR032474 WAT 13;caf1a1a3e8df5c87dbc4046f5691004f;Spotfire.Dxp.Web.Prompting.PromptHandler+PromptItem;"System.UnauthorizedAccessException: Access to the path 'C:\Tibco\Tsnm\14.0.5\nm\services\webworker-62.0.19229.3148-de7c0550-8db9-4560-b4d0-703b965cdf35\Temp\4RbGntQB60CZQA8AIjUH9g\Library-6660\pbk6AeWlA0CvBl4-QWjwOQV91g0Q09oUGgCesNivbAgw.dxp' is denied."
Solution:
One common oversight during Spotfire Server upgrades is failing to set up access to Node Manager directory nm\services for end user accounts that are using the system. This requirement is discussed in the "Setting up Kerberos authentication on nodes" section of Spotfire Server administration guide:
https://docs.tibco.com/pub/spotfire_server/14.0.5/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/setting_up_kerberos_authentication_on_nodes.html
"All web client user accounts must be given permission to modify the folder nm\services. This permission allows the delegated users to read, write, and delete temp files."
A simple solution could be adding "Everyone" Windows group with Full Access to nm\services directory and restarting Node Manager service. If required, a more limited Windows user group can be used, but all Spotfire users that need access to Web Player client need to be included in this group.