When accessing the Web Player in a kerberos environment, some users are not able to log in.
In a browser a message similar to the image below may be seen.
This is usually the result of a large Authorisation request header that is sent to the Spotfire server. The Authorisation header contains a Kerberos ticket, which can grow too large a size if the user is a member of a large number of groups in Active Directory.
To resolve the error, the following registry key in Windows should be adjusted. Within the pathHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Create the following values if they do not already exist
MaxFieldLength DWORD
MaxRequestBytes DWORD
The values to set these to will depend on the users token size. This will depend on how many groups the user is a member of. Refer to the following document to know how to calculate the token size.
Once you have the token size, both these parameters should be set according to the formula:
(4/3 * T bytes) + 200
where T is the users token size.
In addition to this, the maximum token size for Kerberos may also need to be adjusted.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
MaxTokenSize DWORD
Spotfire Server (Tomcat)
The Tomcat server has it's own setting for the maxumum request header (maxHttpHeaderSize)
The setting controls the maximum size of a http header. The default value of the maximum header size is 65536. This can be changed to match the value in the Windows server. There is no theoretical upper limit for the value of this parameter.
This can be found in the <installation root>\tomcat\conf\server.xml
<Connector port="80"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="65536"
connectionTimeout="30000"
enableLookups="false"
URIEncoding="UTF-8"
disableUploadTimeout="true"
server="TIBCO Spotfire Server"
compression="on"
compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
acceptorThreadCount="2"
keepAliveTimeout="30000"
maxKeepAliveRequests="-1"
maxThreads="2000" />
After editing the file, restart your Spotfire services. You should then be able to login via Kerberos
Comments
0 comments
Please sign in to leave a comment.