Product: TIBCO Spotfire®
Some users may not be able to access reports in TIBCO Spotfire Web Player when using Kerberos authentication.
Sometimes one or more users may not be able to open reports in TIBCO Spotfire Web Player when TIBCO Spotfire Server is configured for Kerberos authentication, while other users are able to open the reports as expected.
- To start, compare the Spotfire Server log entries (the "server.log" file) for a working and a non-working user.
- Below are log samples from "server.log". (Ensure that Spotfire Server logging is at DEBUG level.)
> Working user (test_user1@tssdemo.com):
-----------------------------------------------------------
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.KerberosAuthenticator: The service ticket for 'test_user1@tssdemo.com' is forwardable
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.KerberosAuthenticator: Authentication handshake completed for principal 'test_user1@tssdemo.com'
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.KerberosAuthenticator: Successfully authenticated user 'test_user1@tssdemo.com' with GSS credentials
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.SessionUtil: Renewing the session ID
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.SessionUtil: Generated a new 'internal session id': febee58d60c0b6150deb9e8a8c47f8c1
DEBUG 2019-01-16T03:50:23,254+0100 [test_user1@tssdemo.com, #59976, #1035740] server.security.SecurityFilter: The client is successfully authenticated
-----------------------------------------------------------
> Non-working user (test_user2@tssdemo.com):
-----------------------------------------------------------
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: The service ticket for 'test_user2@tssdemo.com' is not forwardable
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of test_user2@tssdemo.com
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: Authentication handshake completed for principal 'test_user2@tssdemo.com'
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: Successfully authenticated user 'test_user2@tssdemo.com' with GSS credentials
-----------------------------------------------------------
In the example above, the service ticket for the non-working user 'test_user2@tssdemo.com' is not forwardable, whereas the service ticket for the working user 'test_user1@tssdemo.com' is forwardable.
This may be the reason that user "test_user2" is not able to request a delegated ticket (unconstrained or constrained delegation).
The log for the non-working user contains the following lines, which are not seen for the working user:
-----------------------------------------------------------------------------------------------
The service ticket for 'test_user2@tssdemo.com' is not forwardable
No delegated Kerberos ticket found in the private credentials of test_user2@tssdemo.com
----------------------------------------------------------------------------------------------
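The comparison above can be run over a whole server.log rather than by eye. This is an added example, not TIBCO code: it assumes the DEBUG line layout shown in the samples, and the function names and the embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample in the server.log DEBUG layout shown in this article.
SAMPLE_LOG = """\
DEBUG 2019-01-16T03:50:23,254+0100 [unknown, #59976, #1035740] server.security.KerberosAuthenticator: The service ticket for 'test_user1@tssdemo.com' is forwardable
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: The service ticket for 'test_user2@tssdemo.com' is not forwardable
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of test_user2@tssdemo.com
DEBUG 2019-01-14T09:02:13,182+0100 [unknown, #51740, #861725] server.security.KerberosAuthenticator: Successfully authenticated user 'test_user2@tssdemo.com' with GSS credentials
"""

# Only KerberosAuthenticator lines matter; capture timestamp and message.
LINE = re.compile(r"^\w+\s+(?P<ts>\S+)\s+\[[^\]]*\]\s+server\.security\.KerberosAuthenticator: (?P<msg>.*)$")
TICKET = re.compile(r"The service ticket for '(?P<user>[^']+)' is (?P<neg>not )?forwardable")
NO_DELEG = re.compile(r"No delegated Kerberos ticket found in the private credentials of (?P<user>\S+)")

def summarize(lines):
    """Map each principal to its most recent ticket state (file order, last logon wins)."""
    report = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ticket = TICKET.search(m["msg"])
        if ticket:
            report[ticket["user"]] = {
                "forwardable": ticket["neg"] is None,
                "no_delegated_ticket": False,
                "last_seen": m["ts"],
            }
            continue
        missing = NO_DELEG.search(m["msg"])
        if missing and missing["user"] in report:
            report[missing["user"]]["no_delegated_ticket"] = True
    return report

def accounts_to_check(report):
    """Principals whose latest service ticket was not forwardable."""
    return sorted(u for u, state in report.items() if not state["forwardable"])

if __name__ == "__main__":
    for user in accounts_to_check(summarize(SAMPLE_LOG.splitlines())):
        print(user)
```

The principals it returns are the accounts to look up in Active Directory in the steps that follow.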
To resolve this issue, perform the steps below for each non-working user. These tasks are usually done by a Domain Administrator.
- Open Active Directory Users & Computers on the Domain Controller.
- Search for the non-working user, for example "test_user2@tssdemo.com".
- Select and right-click this user, then select 'Properties'.
- In the 'Account' tab, make sure that the checkbox for 'Account is sensitive and cannot be delegated' is NOT checked.
- If this checkbox is checked, uncheck it.
- Repeat the above steps for all users who are facing this issue.
- The affected user(s) should now be able to open reports in Spotfire Web Player. Refer to the Microsoft link below:
https://blogs.technet.microsoft.com/poshchap/2015/05/01/security-focus-analysing-account-is-sensitive-and-cannot-be-delegated-for-privileged-accounts/