Product: TIBCO Spotfire®
NTLM authentication fails after application of Microsoft hotfix KB3002657.
NTLM authentication fails after applying Microsoft hotfix KB3002657. This will be seen in clustered Spotfire Server environments where the NTLM account is shared between multiple servers, but can be seen in any NTLM configuration that utilizes the localhost-netbios-name parameter.
NTLM authentication fails with an error resembling the following:
DEBUG 2015-06-05T14:00:39,496-0400 [unknown, #7] server.security.NtlmAuthenticator: NTLM authentication error
jespa.security.SecurityProviderException: NETLOGON failure
    at jespa.ntlm.NtlmSecurityProvider.authenticate(NtlmSecurityProvider.java:1397)
    at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:1174)
    at com.spotfire.server.security.NtlmAuthenticator.authenticate(NtlmAuthenticator.java:335)
    at com.spotfire.server.security.AuthenticationManager.doAuthenticate(AuthenticationManager.java:145)
    ...
Caused by: jcifs.smb.SmbException: Logon failure: unknown user name or bad password.
    at jespa.ntlm.Netlogon.validate0(Netlogon.java:629)
    at jespa.ntlm.Netlogon.validate(Netlogon.java:713)
    at jespa.ntlm.NtlmSecurityProvider.authenticate(NtlmSecurityProvider.java:1390)
    ... 53 more
If Microsoft hotfix KB3002657 is removed from the Domain Controller used in the NTLM configuration, then the authentication will succeed.
In March 2015, Microsoft released hotfix KB3002657, which permanently broke the localhost-netbios-name functionality in the bundled Jespa component that Spotfire uses for NTLM authentication. Consequently, the localhost-netbios-name configuration property is no longer allowed in the NTLM configuration and must be removed.
Remove the localhost-netbios-name parameter from your NTLM configuration. If you have a shared NTLM account used by multiple Spotfire Servers, then you must now use a separate NTLM account for each server.
The Spotfire Server Installation and Configuration manual references two options for configuring multiple Spotfire Servers with NTLM authentication:
- URL: https://docs.tibco.com/products/tibco-spotfire-server/
- Chapter: To configure NTLM for a cluster with multiple servers
"Sometimes, like when running two servers on the same computer, it happens to be possible to actually share the NTLM account by explicitly specifying individual localhost NetBIOS names that are used instead of the name derived from the NTLM account.
- If separate NTLM accounts are to be used, then use the account name and password options to specify the server's own NTLM account.
- If a shared NTLM account is to be used, specify the account name and password for the shared account, as well as a unique localhost NetBIOS name. The localhost NetBIOS names must not exceed 15 characters."
The shared NTLM account method described above is no longer valid after application of Microsoft hotfix KB3002657.
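One way to audit per-server NTLM settings for the two conditions in the resolution above (a leftover localhost-netbios-name parameter, and one NTLM account used by more than one server). This is an added example, not TIBCO code: the XML layout, the `account-name` element name, the server names and the account values are all constructed assumptions; only the `localhost-netbios-name` parameter name comes from this article.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

PARAM = "localhost-netbios-name"   # parameter named in this article
ACCOUNT_TAG = "account-name"       # assumed element name for the NTLM account

# Constructed per-server NTLM settings; the XML layout is hypothetical.
SAMPLE_EXPORTS = {
    "server-a": "<ntlm><account-name>svc_ntlm$@example.test</account-name>"
                "<localhost-netbios-name>SPOTA</localhost-netbios-name></ntlm>",
    "server-b": "<ntlm><account-name>SVC_NTLM$@example.test</account-name>"
                "<localhost-netbios-name>SPOTB</localhost-netbios-name></ntlm>",
    "server-c": "<ntlm><account-name>svc_ntlm_c$@example.test</account-name></ntlm>",
}

def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}name'."""
    return tag.rsplit("}", 1)[-1]

def audit(exports):
    """Return (servers, finding) tuples for settings the article says must change."""
    findings = []
    accounts = defaultdict(list)
    for server in sorted(exports):
        root = ET.fromstring(exports[server])
        for el in root.iter():
            name = local_name(el.tag)
            text = (el.text or "").strip()
            if name == PARAM:
                # Any occurrence must be removed after KB3002657.
                findings.append((server, f"remove {PARAM} (value {text!r})"))
            elif name == ACCOUNT_TAG and text:
                # Account names are compared case-insensitively.
                accounts[text.lower()].append(server)
    for account, servers in sorted(accounts.items()):
        if len(servers) > 1:
            findings.append((", ".join(servers),
                             f"NTLM account {account} is shared; use one account per server"))
    return findings

if __name__ == "__main__":
    for servers, finding in audit(SAMPLE_EXPORTS):
        print(f"{servers}: {finding}")
```
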