Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Delegation to Node Manager fails with error: "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)"

Rich Talbot
  • Updated
Date Posted:
Product: TIBCO Spotfire®

Problem:

Delegation to Node Manager fails with error: "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)"


Solution:

Symptoms:

Kerberos Delegation to the Node Manager fails and "Internal Server Error" is received on the UI while trying to open an analysis.
Below error is returned in the <Spotfire Server Install>\tomcat\logs\server.log file
======================
 No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)
======================
  This error is generally received if the KRB5.conf doesn't have a correct domain or cross-domain information. Below are some possible causes and their solutions:
 
a) To check if domain is correct or incorrect- 

  1. Open the krb5.conf from  <Spotfire Server Install>\jdk\jre\lib\security\ for Spotfire Server 10.2 and lower and <Spotfire Server Install>tomcat\spotfire-config for 10.3 and higher
  2. Make sure that the Krb5.conf has the correct domain realm information e.g 
========
[libdefaults]
    default_realm = TSSTEST.LAB
    default_keytab_name = spotfire.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    forwardable = true

[realms]
    TSSTEST.LAB = {
        kdc = tsstest.lab
        admin_server = tsstest.lab
        default_domain = tsstest.lab
    }

[domain_realm]
    .tsstest.lab = TSSTEST.LAB
    tsstest.lab = TSSTEST.LAB

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

========

b) When multiple domains are used and if krb5.conf file misses the multiple domain information:
Refer to the below KB article for detailed example on krb5.conf file
https://support.tibco.com/s/article/Configuring-krb5-conf-when-setting-up-Kerberos-authentication-across-multiple-domains

c) When cross-realm authentication is used, and the krb5.conf file misses the information required for the redirection. Review the below link for more information on how to set the paths:
https://docs.oracle.com/cd/E19253-01/816-4557/setup-87/index.html


  https://legacy.gitbook.com/book/steveloughran/kerberos_and_hadoop/discussions/1

Related articles