The Spotfire server is configured with delegated Kerberos. On the web when the user clicks on the analytics tab or tries to open any report from the library, it tries to load something named “EmptyAnalysis”. It always takes approximately 3 minutes until it stops. The Web Player instance opens immediately after the “EmptyAnalysis” process. The above symptom is observed when the Delegation policy is "TRY". However with the Delegation policy as "Require" the delegation fails after approximately 3 minutes with error 401.

In the server.log, it has been observed that it tries to use the Spotfire Server principal instead of end-user credentials. 
Below are the entries in server.log for 14.0.0

DEBUG 2024-01-17T12:19:36,797+0000 [unknown, #B-8, #80] server.security.KerberosAuthenticator: The service ticket for 'HTTP/spotfireserver.domain.com@DOMAIN.COM' is forwardable
DEBUG 2024-01-17T12:19:36,797+0000 [unknown, #B-8, #80] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of HTTP/spotfireserver.domain.com@DOMAIN.COM'
DEBUG 2024-01-17T12:19:36,797+0000 [unknown, #B-8, #80] server.security.KerberosAuthenticator: Authentication handshake completed for principal 'HTTP/spotfireserver.domain.com@DOMAIN.COM''
DEBUG 2024-01-17T12:19:36,797+0000 [unknown, #B-8, #80] server.security.KerberosAuthenticator: Successfully authenticated user 'HTTP/spotfireserver.domain.com@DOMAIN.COM'' with GSS credentials DEBUG 2024-01-17T12:19:36,801+0000 [unknown, #B-8, #80] server.userdir.UserDirectoryImpl: Checking if the user principal HTTP/spotfireserver.domain.com@DOMAIN.COM' has been recently added to the external provider

However, it behaves normally in 12.0.0 or earlier versions and uses end-user credentials.

DEBUG 2024-01-17T12:37:21,115+0000 [unknown, #B-8, #219] server.security.KerberosAuthenticator: The incoming GSSCredential contains a Kerberos credential element of class sun.security.jgss.krb5.Krb5ProxyCredential
DEBUG 2024-01-17T12:37:21,115+0000 [unknown, #B-8, #219] server.security.KerberosAuthenticator: The service ticket for 'user@domain.com' is forwardable
DEBUG 2024-01-17T12:37:21,115+0000 [unknown, #B-8, #219] server.security.KerberosAuthenticator: No delegated Kerberos ticket found in the private credentials of user@domain.com
DEBUG 2024-01-17T12:37:21,115+0000 [unknown, #B-8, #219] server.security.KerberosAuthenticator: Authentication handshake completed for principal 'user@domain.com'

The issue has been identified as a defect with the httpclient5 and httpcore5 binaries in 14.0.0 and will be fixed in Spotfire version 14.0.2. The delegation works fine after upgrading httpclient5 and httpcore5 to the latest versions (5.3.1/5.2.4). Upgrade the Spotfire server to 14.0.2 version once released or follow the below steps to upgrade the httpclient5 and httpcore5 binaries manually

1. Go to https://hc.apache.org/downloads.cgi and download HttpClient 5.3.1 "the binary 5.3.1.zip"
2. Unzip and find the three files httpclient5-5.3.1.jar, httpcore5-5.2.4.jar, and httpcore5-h2-5.2.4.jar
3. On the Spotfire Server, stop the Spotfire Server Service
4. Go to tomcat\webapps\spotfire\WEB-INF\lib
5. Move the three files httpclient5.jar, httpcore5.jar, and httpcore5-h2.jar to a location outside the classpath (e.g. C:\spotfire\spotfireserver\14.0.0\Disabled-jars)
6. Copy the three new versions of the files into tomcat\webapps\spotfire\WEB-INF\lib (no need to rename them)
7. Start the Spotfire Server Service.
8. Test to see if the delegation works.

• https://hc.apache.org/downloads.cgi