Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Additional configuration needed on client machines when TIBCO Spotfire Server Kerberos Authentication is configured with non-default HTTP port

Rich Talbot
  • Updated
Date Posted:
Product: TIBCO Spotfire®

Problem:

Additional configuration needed on client machines when TIBCO Spotfire Server Kerberos Authentication is configured with non-default HTTP port


Solution:

Description:
Some additional configuration needed for each clients for Kerberos Authentication when TIBCO Spotfire Server is configured with non-default HTTP port (80 or 443).

Symptoms:
Kerberos Authentication may fail on browsers such as Internet Explorer, Chrome, Firefox and Spotfire Analyst with different ERROR messages.
Common errors encountered in the TIBCO Spotfire Server logs are:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-------------------------------------
ERROR 2015-09-17T13:07:36,376-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
--------------------------------------

--------------------------------------
ERROR 2015-09-15T22:48:35,936-0500 [unknown, #1] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
--------------------------------------

--------------------------------------
ERROR 2015-09-16T21:38:22,098-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
--------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In the above ERROR messages, "Checksum failed" is common.

Cause:
By default, a client does not include a port number in SPN within the TGS request for Kerberos Authentication. The authentication fails as SPN without a port is not registered in the Domain Controller. For nondefault ports, SPN is to be registered in following format, including the port number.

 > "HTTP/tss_server_host:port".

NOTE:
This behavior has been tested on IE 11, Chrome 46.0.2490.71 and Firefox 41.0.2 A common solution is to register one more SPN for Spotfire Server along with existing ones for the default port in following format: HTTP/SpotfireServerHostName.DomainName.

However this approach is not acceptable in every scenario, especially in cases where there is already a service registered for the default port on Spotfire Server. The following approach can be used.

For Internet Explorer:
------------------------------
*** On 32-bit computers:
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl .
> Create a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "iexplore.exe" on the above key and change its value to 1.
> Exit Registry Editor.

*** On 64-bit computers:
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl .
> Creat a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "iexplore.exe" on the above key and changes its value to 1.
> Exit Registry Editor.
-------------------------------


For Google Chrome:
----------------------------
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. (Create Google and Chrome keys if they do not exist).
> Create a new "DWORD Value" named EnableAuthNegotiatePort and change its value to 1.
> Refresh the registry by selecting View > Refresh
> Verify the same string, value and keys exists on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome .
> Exit Registry Editor and restart the computer.


For Firefox:
----------------
This is still an unresolved bug in Firefox. It still does not include the port information in SPN sent in TGS request.
We will have to register a SPN for Spotfire Server without a port number, i.e. for default port.


For TIBCO Spotfire Analyst:
--------------------------------------
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl .
> Creat a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "Spotfire.Dxp.exe" on the above key and changes its value to 1. You can also create a wildcard DWORD named "*" (asterisk) to match all clients.
> Exit Registry Editor and restart the computer.


For TIBCO Spotfire Web Player:
-------------------------------------------
> We will have to register a SPN for Spotfire Server without a port number, i.e. for default port.

https://bugzilla.mozilla.org/show_bug.cgi?id=497057

Refer to the "Spotfire Server Installation" manual for more information on creating SPNs.

Related articles