Spotfire analysis files that use Kerberos delegation fail to open on iPad iOS web browsers. – Revvity Signals

Date Posted: 2021-04-26
Product: TIBCO Spotfire®

Problem:

Spotfire analysis files that use Kerberos delegation fail to open on iPad iOS web browsers.

Solution:

Problem Summary:

On iPad iOS, all Spotfire users are not able to open analysis files that use Kerberos delegation to access external data connections (for example, SQL Server, SAP HANA, shared file system files, etc.). Other reports without external data access with Kerberos delegation open without issues.
On Windows OS, all users can access the same files using any web browser or Analyst client.

Environment:

Product: TIBCO Spotfire for iOS
Versions: All supported versions
OS: iOS 10 and higher
Authentication: Kerberos

Details:

The following log output appears in Spotfire Server's server.log:

DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: The service ticket for '[user]@[domain].com' is forwardable
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of [user]@[domain].com
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: Authentication handshake completed for principal '[user]@[domain].com'
DEBUG 2021-04-01T12:10:37,978-0400 [unknown, #B-82692, #16146766] server.security.KerberosAuthenticator: Successfully authenticated user '[domain].COM\[user] with GSS credentials
DEBUG 2021-04-01T12:10:37,978-0400 [, #B-82692, #16146766] server.security.SecurityFilter: The client is successfully authenticated
...
DEBUG 2021-04-01T12:11:16,303-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: No Kerberos ticket found in the subject's private credentials. Assuming constrained delegation
ERROR 2021-04-01T12:11:16,381-0400 [, #B-82692, #16147265] wp.router.DelegatingStrategy: Kerberos login to [server] failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13)))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:453) ~[java.security.jgss:?]
...
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:773) ~[java.security.jgss:?]
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:316) ~[java.security.jgss:?]
... 108 more
Caused by: sun.security.krb5.KrbException: KDC cannot accommodate requested option (13)
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:70) ~[java.security.jgss:?]
... 108 more
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[java.security.jgss:?]
... 108 more
DEBUG 2021-04-01T12:11:16,381-0400 [nguyenz, #B-82692, #16147265] wp.router.TryDelegationStrategy: Could not log in to [server], Status=STRAINED], reverting to backend trust with impersonation

Resolution

Beginning with iOS 10, customers are no longer able to:

1. Use Kerberos unconstrained delegation.
2. Use RC4 encryption when the Spotfire Library is configured to use SSL (https).

The solution is to move to constrained Kerberos delegation and AES-128/256 or another supported encryption method. For further details, please refer to the following documentation sections:

- Information about iOS and Kerberos
- Using Kerberos authentication with delegated credentials
- Enabling constrained delegation
- Enabling constrained delegation on nodes

Related articles