Users unable to login to TIBCO Spotfire after setting up Kerberos authentication across multiple domains
Article ID: KB0071484
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | All |
Description
After setting up Kerberos authentication across multiple domains for TIBCO Spotfire Server authentication (see Setting up Kerberos authentication on Spotfire Server), users who are part of service account's domain are able to login but not users from other domains. When users from other domains try to login, they get 'Could not log in. Please try again' error message and in server.log below log entries are seen.
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate TlRM...
INFO 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.KerberosAuthenticator: NTLM token detected instead of Kerberos ticket, probably indicating a problem with the SPNs
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: User authentication failed: NTLM authentication scheme not supported DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: The request is configured for the KERBEROS authentication method
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Requesting client to authenticate using the Negotiate authentication scheme
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Returning from filter after requesting the client to authenticate and without passing on the request to the next item in the filter chain
These errors are seen when there is no trust or has one-way trust between domains.
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.AuthenticationManager: Found HTTP header: Authorization Negotiate TlRM...
INFO 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.KerberosAuthenticator: NTLM token detected instead of Kerberos ticket, probably indicating a problem with the SPNs
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: User authentication failed: NTLM authentication scheme not supported DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: The request is configured for the KERBEROS authentication method
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Requesting client to authenticate using the Negotiate authentication scheme
DEBUG 2019-10-21T14:05:47,477-0400 [unknown, #46, #85799] server.security.SecurityFilter: Returning from filter after requesting the client to authenticate and without passing on the request to the next item in the filter chain
These errors are seen when there is no trust or has one-way trust between domains.
Issue/Introduction
This article explains why users may be unable to login to TIBCO Spotfire after setting up Kerberos authentication across multiple domains
Resolution
Two-way transitive trust between the domains is required for Kerberos delegation to work in this situation, so to resolve ensure that the two-way transitive trust is established.
Also, [capaths] section needs to be added in krb5.conf file if performing direct (non-hierarchical) cross-realm authentication. Review capaths to know about [capaths] in detail. Also refer to the Knowledge base article Configuring krb5.conf when setting up Kerberos authentication across multiple domains with an example of krb5.conf to support users from multiple domains
Also, [capaths] section needs to be added in krb5.conf file if performing direct (non-hierarchical) cross-realm authentication. Review capaths to know about [capaths] in detail. Also refer to the Knowledge base article Configuring krb5.conf when setting up Kerberos authentication across multiple domains with an example of krb5.conf to support users from multiple domains
Additional Information
Doc: Setting up Kerberos authentication on Spotfire Server
KB: Configuring krb5.conf when setting up Kerberos authentication across multiple domains
External: MIT [capaths]
Feedback
Yes
No
Powered by
