Product: TIBCO Spotfire®
Spotfire analysis files that use Kerberos delegation fail to open on iPad iOS web browsers.
Problem Summary:
On iPad iOS, no Spotfire users can open analysis files that use Kerberos delegation to access external data connections (for example, SQL Server, SAP HANA, or files on a shared file system). Reports that do not access external data through Kerberos delegation open without issues.
On Windows, all users can access the same files using any web browser or the Analyst client.
Environment:
Product: TIBCO Spotfire for iOS
Versions: All supported versions
OS: iOS 10 and higher
Authentication: Kerberos
Details:
The following log output appears in Spotfire Server's server.log:
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: The service ticket for '[user]@[domain].com' is forwardable
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of [user]@[domain].com
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: Authentication handshake completed for principal '[user]@[domain].com'
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: Successfully authenticated user '[domain].COM\[user] with GSS credentials
DEBUG 2021-04-01T12:10:37,978-0400 [, #B-82692, #16146766] server.security.SecurityFilter: The client is successfully authenticated
...
DEBUG 2021-04-01T12:11:16,303-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: No Kerberos ticket found in the subject's private credentials. Assuming constrained delegation
ERROR 2021-04-01T12:11:16,381-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: Kerberos login to [server] failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13)))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:453) ~[java.security.jgss:?]
    ...
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:773) ~[java.security.jgss:?]
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:316) ~[java.security.jgss:?]
    ... 108 more
Caused by: sun.security.krb5.KrbException: KDC cannot accommodate requested option (13)
    at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:70) ~[java.security.jgss:?]
    ... 108 more
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[java.security.jgss:?]
    ... 108 more
DEBUG 2021-04-01T12:11:16,381-0400 [nguyenz, #B-82692, #16147265] wp.router.TryDelegationStrategy: Could not log in to [server], Status=STRAINED], reverting to backend trust with impersonation
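To find affected sessions in a large server.log, the following added example (not TIBCO's code) groups entries by the session id in the second bracketed field and reports sessions that authenticated without a delegated ticket and later hit KDC error 13; lines without an entry header are treated as stack-trace continuations of the entry above. The field layout is inferred from the excerpt above; the function names, the abridged messages and session #B-90001 are constructed for illustration.

```python
import re
from collections import defaultdict

# Entry header: LEVEL TIMESTAMP [user, #session, #request] logger: message
# (layout inferred from the article's excerpt; an assumption, not a documented format)
ENTRY = re.compile(
    r"^(?P<level>DEBUG|INFO|WARN|ERROR)\s+(?P<ts>\S+)\s+"
    r"\[(?P<user>[^,\]]*),\s*(?P<session>#[^,\]]+),\s*(?P<request>#[^\]]+)\]\s+"
    r"(?P<logger>[\w.]+):\s+(?P<msg>.*)$"
)

# Message fragments quoted from the article's log excerpt.
MARKERS = {
    "no_forwarded_ticket": "No delegated Kerberos ticket found",
    "assumed_constrained": "Assuming constrained delegation",
    "kdc_option_refused": "KDC cannot accommodate requested option (13)",
    "fell_back_to_impersonation": "reverting to backend trust with impersonation",
}

def triage(lines):
    """Return {session_id: set of marker names seen in that session}."""
    seen = defaultdict(set)
    session = None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            session = m.group("session")
        # Lines without a header (exception text, "Caused by:") belong to the entry above.
        text = m.group("msg") if m else line
        if session is None:
            continue
        for name, fragment in MARKERS.items():
            if fragment in text:
                seen[session].add(name)
    return dict(seen)

def delegation_failures(lines):
    """Sessions that had no forwarded ticket and then hit KDC error 13."""
    need = {"no_forwarded_ticket", "kdc_option_refused"}
    return sorted(s for s, found in triage(lines).items() if need <= found)

# Sample input: #B-82692 is abridged from the article's excerpt; #B-90001 is constructed.
SAMPLE = """\
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of [user]@[domain].com
DEBUG 2021-04-01T12:11:16,303-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: No Kerberos ticket found in the subject's private credentials. Assuming constrained delegation
ERROR 2021-04-01T12:11:16,381-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: Kerberos login to [server] failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
DEBUG 2021-04-01T12:11:16,381-0400 [, #B-82692, #16147265] wp.router.TryDelegationStrategy: Could not log in to [server], reverting to backend trust with impersonation
DEBUG 2021-04-01T12:20:00,000-0400 [unknown, #B-90001, #16150000] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of [user]@[domain].com
""".splitlines()
```

A session that shows only the "No delegated Kerberos ticket found" marker, such as the constructed #B-90001, authenticated but never attempted delegation, which matches reports that open without external data access.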
Resolution:
Beginning with iOS 10, customers are no longer able to:
1. Use Kerberos unconstrained delegation.
2. Use RC4 encryption when the Spotfire Library is configured to use SSL (https).
The solution is to move to constrained Kerberos delegation and AES-128/256 or another supported encryption method. For further details, please refer to the following documentation sections:
- Information about iOS and Kerberos
- Using Kerberos authentication with delegated credentials
- Enabling constrained delegation
- Enabling constrained delegation on nodes