Product: TIBCO Spotfire®
Delegation to Node Manager fails with error: "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)"
Symptoms:
Kerberos Delegation to the Node Manager fails and "Internal Server Error" is received on the UI while trying to open an analysis.
Below error is returned in the <Spotfire Server Install>\tomcat\logs\server.log file
======================
No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)
======================
This error is generally received if the KRB5.conf doesn't have a correct domain or cross-domain information. Below are some possible causes and their solutions:
a) To check if domain is correct or incorrect-
- Open the krb5.conf from <Spotfire Server Install>\jdk\jre\lib\security\ for Spotfire Server 10.2 and lower and <Spotfire Server Install>tomcat\spotfire-config for 10.3 and higher
- Make sure that the Krb5.conf has the correct domain realm information e.g
default_realm = TSSTEST.LAB
default_keytab_name = spotfire.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
[realms]
TSSTEST.LAB = {
kdc = tsstest.lab
admin_server = tsstest.lab
default_domain = tsstest.lab
}
[domain_realm]
.tsstest.lab = TSSTEST.LAB
tsstest.lab = TSSTEST.LAB
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
========
b) When multiple domains are used and if krb5.conf file misses the multiple domain information:
Refer to the below KB article for detailed example on krb5.conf file
https://support.tibco.com/s/article/Configuring-krb5-conf-when-setting-up-Kerberos-authentication-across-multiple-domains
c) When cross-realm authentication is used, and the krb5.conf file misses the information required for the redirection. Review the below link for more information on how to set the paths:
https://docs.oracle.com/cd/E19253-01/816-4557/setup-87/index.html
https://legacy.gitbook.com/book/steveloughran/kerberos_and_hadoop/discussions/1
Comments
0 comments
Article is closed for comments.