Product: TIBCO Spotfire®
Users unable to log in to TIBCO Spotfire after setting up Kerberos authentication across multiple domains
After setting up Kerberos authentication across multiple domains for TIBCO Spotfire Server authentication (see Setting up Kerberos authentication on Spotfire Server), users in the service account's domain are able to log in, but users from other domains are not. When users from other domains try to log in, they get the error message 'Could not log in. Please try again', and the following entries appear in server.log:
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate TlRM...
INFO 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.KerberosAuthenticator: NTLM token detected instead of Kerberos ticket, probably indicating a problem with the SPNs
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: User authentication failed: NTLM authentication scheme not supported
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: The request is configured for the KERBEROS authentication method
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Requesting client to authenticate using the Negotiate authentication scheme
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Returning from filter after requesting the client to authenticate and without passing on the request to the next item in the filter chain
These errors are seen when there is no trust, or only a one-way trust, between the domains.
A two-way transitive trust between the domains is required for Kerberos delegation to work in this situation, so to resolve the issue, ensure that a two-way transitive trust is established.
Also, a [capaths] section needs to be added to the krb5.conf file if performing direct (non-hierarchical) cross-realm authentication. Review capaths to learn about [capaths] in detail. Also refer to KB 000019098 for an example of a krb5.conf that supports users from multiple domains.
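The server.log entries above show the client sending an NTLM token ("Negotiate TlRM...") where a Kerberos ticket was expected. The following Python script is an added example, not TIBCO code: it scans server.log text for logged Negotiate headers and classifies each token by its leading bytes, so affected requests can be listed. The sample log lines and tokens are constructed, and treating the last bracketed number as a request id is an assumption.

```python
import base64
import re

# Constructed sample in the server.log layout shown above; tokens are made up.
SAMPLE_LOG = """\
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate TlRM...
DEBUG 2019-10-21T14:06:02,101-0400 [unknown, #47, #85800] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate YIIHvQYGKwYBBQUCoIIHsTCC...
DEBUG 2019-10-21T14:06:09,310-0400 [unknown, #48, #85801] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAA
"""

# Assumption: the last number inside the brackets identifies the request.
HEADER_RE = re.compile(r"\[[^\]]*#(?P<req>\d+)\] .*Authorization Negotiate (?P<tok>\S+)")
NTLM_SIG = b"NTLMSSP\x00"  # signature that starts every NTLM message

def token_prefix(tok: str) -> bytes:
    """Decode the usable part of a base64 token the log may have truncated."""
    tok = tok.rstrip(".")                  # the log shortens tokens with '...'
    tok = tok[: len(tok) - len(tok) % 4]   # keep whole 4-character groups
    try:
        return base64.b64decode(tok, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return b""

def classify(tok: str) -> str:
    """Return 'ntlm', 'gss-spnego' or 'unknown' from the token's first bytes."""
    raw = token_prefix(tok)
    if not raw:
        return "unknown"
    n = min(len(raw), len(NTLM_SIG))
    if raw[:n] == NTLM_SIG[:n]:
        return "ntlm"          # base64 "TlRM..." decodes to "NTL..."
    if raw[0] in (0x60, 0xA1):
        return "gss-spnego"    # ASN.1 framing a Kerberos ticket arrives in
    return "unknown"

def scan(log_text: str) -> dict:
    """Map request id -> token type for every logged Negotiate header."""
    found = {}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            found[m.group("req")] = classify(m.group("tok"))
    return found

if __name__ == "__main__":
    for req, kind in scan(SAMPLE_LOG).items():
        print(f"request #{req}: {kind}")
```

A gss-spnego result only identifies the token framing; SPNEGO can still negotiate NTLM inside it, so the KerberosAuthenticator log entry remains the authoritative signal.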
Doc: Setting up Kerberos authentication on Spotfire Server