Spotfire Server configured with Open ID authentication Fails to Start in Proxied/Offline Environments


Article ID: KB0138063


Updated On:

Products: Spotfire Server
Versions: All

Description

The server.log for the Spotfire Server and for Information Services shows the errors below.

The org.springframework.web.client.ResourceAccessException indicates a connection timeout when trying to reach https://login.microsoftonline.com:443. The server could not retrieve the discovery document URL, which is essential for authentication. Information Services also fails to start with the same discovery document URL error, because it operates as a separate process in the new version and requires its own proxy configuration.

 

ERROR 2025-09-12T18:17:55,918+0400 [*Initialization*] web.context.ContextLoader: Context initialization failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'backendAuthenticator' defined in class path resource [applicationContext-tss-is-common.xml]: Cannot resolve reference to bean 'sessionManager' while setting constructor argument

 

Caused by: com.spotfire.server.security.oauth.OAuthException: Error retrieving the discovery document from: https://login.microsoftonline.com/74892fe7-b6cb-43e7-912b-52194d3fd7c8/.well-known/openid-configuration

 

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://login.microsoftonline.com/74892fe7-b6cb-43e7-912b-52194d3fd7c8/.well-known/openid-configuration": Connect to https://login.microsoftonline.com:443 [login.microsoftonline.com/20.231.128.67, login.microsoftonline.com/40.126.53.10, login.microsoftonline.com/40.126.53.9, login.microsoftonline.com/40.126.53.15, login.microsoftonline.com/40.126.53.13, login.microsoftonline.com/40.126.53.8, login.microsoftonline.com/40.126.53.19, login.microsoftonline.com/40.126.53.17] failed: Connection timed out: getsockopt

Environment

All

Resolution

To resolve this issue, perform the following steps:

1) Configure proxy settings for the Spotfire Server.

A) For Windows Server

  • Stop the Spotfire Server service.
  • Open an administrative command prompt, change the directory to <installation dir>/tomcat/bin, and run service.bat remove.
  • From File Explorer, open the service.bat file in a text editor.
  • Locate --JvmOptions and add the following proxy parameters, replacing <yourProxyHostName> with your proxy host and 9480 with your proxy port:
    -Dhttp.proxyHost=<yourProxyHostName>;-Dhttp.proxyPort=9480;-Dhttps.proxyHost=<yourProxyHostName>;-Dhttps.proxyPort=9480
    (Note: port 9480 is used only as an example. Specify the port of your own proxy.)
  • Save and close the file.
  • Run service.bat install to re-install the service.
  • Navigate to the catalina.properties file and add the same settings.
  • Start the Spotfire Server service.

B) For Linux server

  • Stop the Spotfire Server service.
  • Navigate to <installation dir>/tomcat/bin
  • Open the setenv.sh file in a text editor.
  • Locate --JvmOptions and add the following proxy parameters, replacing <yourProxyHostName> with your proxy host and 9480 with your proxy port:
    -Dhttp.proxyHost=<yourProxyHostName>;-Dhttp.proxyPort=9480;-Dhttps.proxyHost=<yourProxyHostName>;-Dhttps.proxyPort=9480
    (Note: port 9480 is used only as an example. Specify the port of your own proxy.)
  • Navigate to the catalina.properties file and add the same settings.
  • Save and close the file.

Please note the "http.nonProxyHosts" setting is sometimes crucial when the Spotfire Server or Information Services needs to connect directly (bypassing the proxy) to internal services, such as:

  • The Spotfire database (if internal).
  • Other internal Spotfire nodes/services.
  • Internal authentication providers (like Active Directory/LDAP).

This setting is used by both the HTTP and HTTPS protocol handlers when Java makes an outbound connection.
When the JVM options are set via a script (like service.bat for Windows) or a configuration file, the entire list of Java properties is often wrapped in quotation marks. The value for http.nonProxyHosts must then be placed in quotes, and those internal quotes must be escaped with a backslash (\") to prevent the shell or parser from interpreting them prematurely.
Example:

-Dhttp.nonProxyHosts=\"*.mycompany.com|localhost|192.168.*|10.10.10.*\"


2) Configure proxy settings for Information Services.
    Since Information Services is a separate process, it needs its own proxy configuration.

  • Export the server configuration using the command: config export-config.
  • Configure the external Information Services process with the proxy settings, replacing the example values with your own:
    config config-external-information-services-process -J-Dhttp.proxyHost=<yourProxyHostName> -J-Dhttp.proxyPort=9480 -J-Dhttps.proxyHost=<yourProxyHostName> -J-Dhttps.proxyPort=9480
    Reference: https://docs.tibco.com/pub/spotfire_server/14.0.9/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/config-external-information-services-process.html
  • Import the configuration back into the server with a comment: config import-config -c="proxyforIS".
  • Restart the Information Services.

    Additionally, if you have configured "http.nonProxyHosts" for the Spotfire Server, it must also be configured for external Information Services. For example:


    config config-external-information-services-process -J-Dhttp.proxyHost=<yourProxyHostName> -J-Dhttp.proxyPort=9480 -J-Dhttps.proxyHost=<yourProxyHostName> -J-Dhttps.proxyPort=9480 -J-Dhttp.nonProxyHosts=\"*.mycompany.com|localhost|192.168.*|10.10.10.*\"
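
To check the proxy values before re-installing the service or importing the configuration, the same request that fails at startup can be repeated from the server host with the same JVM flags. The diagnostic below is an added example, not part of Spotfire or of the original article; the class name ProxyCheck is hypothetical, and it assumes Java 11 or later so that the file can be launched directly with the java command.

```java
// ProxyCheck.java (hypothetical name): added diagnostic, not Spotfire code.
// Run: java -Dhttps.proxyHost=<yourProxyHostName> -Dhttps.proxyPort=9480
//   "-Dhttp.nonProxyHosts=*.mycompany.com|localhost" ProxyCheck.java <discovery-url> [url ...]
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class ProxyCheck {
    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("usage: java [-D flags] ProxyCheck.java <discovery-url> [url ...]");
            System.exit(2);
        }
        // Print the route the JVM picks per URL; hosts matched by http.nonProxyHosts show DIRECT.
        for (String arg : args) {
            URI uri = URI.create(arg);
            System.out.println(uri.getHost() + " -> " + ProxySelector.getDefault().select(uri));
        }
        try {
            System.exit(fetchDiscovery(URI.create(args[0])) ? 0 : 1);
        } catch (IOException e) {
            System.out.println("FAILED: " + e);   // e.g. the "Connection timed out" from server.log
            System.exit(1);
        }
    }

    // Fetches the first URL the way the server does at startup and checks the response.
    static boolean fetchDiscovery(URI uri) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setConnectTimeout(10_000);   // fail after 10 s instead of the OS default
        conn.setReadTimeout(10_000);
        try {
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                System.out.println("HTTP status " + status + " from " + uri);
                return false;
            }
            try (InputStream in = conn.getInputStream()) {
                String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                boolean ok = body.contains("\"issuer\"");   // required field of an OIDC discovery document
                System.out.println(ok ? "OK: discovery document retrieved" : "Unexpected response body");
                return ok;
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

The discovery URL should print a route through the proxy, while any internal URLs passed as extra arguments should print DIRECT. An exit code of 0 means the discovery document was retrieved with these settings.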

Issue/Introduction

This article addresses a Single Sign-On (SSO) issue that occurs when a Spotfire Server with OpenID configured is newly installed, or has just been upgraded, and has no direct internet connection but instead goes through a proxy server. The problem arises because the server cannot connect to the Microsoft online login service or any other OIDC provider, causing a "connection timed out" error. This issue also affects Information Services, which requires its own proxy configuration.