Product: TIBCO Spotfire®
Additional configuration needed on client machines when TIBCO Spotfire Server Kerberos Authentication is configured with non-default HTTP port
Description:
Some additional configuration needed for each clients for Kerberos Authentication when TIBCO Spotfire Server is configured with non-default HTTP port (80 or 443).
Symptoms:
Kerberos Authentication may fail on browsers such as Internet Explorer, Chrome, Firefox and Spotfire Analyst with different ERROR messages.
Common errors encountered in the TIBCO Spotfire Server logs are:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-------------------------------------
ERROR 2015-09-17T13:07:36,376-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
--------------------------------------
--------------------------------------
ERROR 2015-09-15T22:48:35,936-0500 [unknown, #1] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
--------------------------------------
--------------------------------------
ERROR 2015-09-16T21:38:22,098-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
--------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In the above ERROR messages, "Checksum failed" is common.
Cause:
By default, a client does not include a port number in SPN within the TGS request for Kerberos Authentication. The authentication fails as SPN without a port is not registered in the Domain Controller. For nondefault ports, SPN is to be registered in following format, including the port number.
> "HTTP/tss_server_host:port".
NOTE:
This behavior has been tested on IE 11, Chrome 46.0.2490.71 and Firefox 41.0.2
A common solution is to register one more SPN for Spotfire Server along with existing ones for the default port in following format: HTTP/SpotfireServerHostName.DomainName.
However this approach is not acceptable in every scenario, especially in cases where there is already a service registered for the default port on Spotfire Server. The following approach can be used.
For Internet Explorer:
------------------------------
*** On 32-bit computers:
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl .
> Create a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "iexplore.exe" on the above key and change its value to 1.
> Exit Registry Editor.
*** On 64-bit computers:
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl .
> Creat a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "iexplore.exe" on the above key and changes its value to 1.
> Exit Registry Editor.
-------------------------------
For Google Chrome:
----------------------------
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. (Create Google and Chrome keys if they do not exist).
> Create a new "DWORD Value" named EnableAuthNegotiatePort and change its value to 1.
> Refresh the registry by selecting View > Refresh
> Verify the same string, value and keys exists on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome .
> Exit Registry Editor and restart the computer.
For Firefox:
----------------
This is still an unresolved bug in Firefox. It still does not include the port information in SPN sent in TGS request.
We will have to register a SPN for Spotfire Server without a port number, i.e. for default port.
For TIBCO Spotfire Analyst:
--------------------------------------
> Open Windows Registry Editor (Run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl .
> Creat a new Key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209" .
> Create a new "DWORD Value" named "Spotfire.Dxp.exe" on the above key and changes its value to 1. You can also create a wildcard DWORD named "*" (asterisk) to match all clients.
> Exit Registry Editor and restart the computer.
For TIBCO Spotfire Web Player:
-------------------------------------------
> We will have to register a SPN for Spotfire Server without a port number, i.e. for default port.
Refer to the "Spotfire Server Installation" manual for more information on creating SPNs.
Comments
0 comments
Article is closed for comments.