When you set Kerberos Authentication on TIBCO Spotfire server, you need to set SPNs for TIBCO Spotfire server Kerberos service account.

Once you get to the step "SETSPN" command-line tool for the TIBCO Spotfire server Kerberos service account , run a below command line script:
-------
setspn -A http/servername domain\service account 
-------

and you may run into error below:
-------
Failed to assign SPN on account 'CN=domain\service account ,OU=ABC, OU=XYZ Service account, OU Admins, DC=Domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the operation.
-------

All

It seems that the user who is running "SETSPN" command does not have sufficient permissions to create SPN on the domain controller.

To run this command, you either need to login to the machine as a domain admin or a user who is a member of the built-in Account Operators domain group.

Refer to the page "Registering Service Principal Names" in the TIBCO Spotfire Server manual for more information:
https://docs.tibco.com/pub/spotfire_server/12.0.4/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/registering_service_principal_names.html

Below is from the manual
"Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group." to perform this operation.
 

Unable to set SPNs on account with ERROR: "Insufficient access rights to perform the operation" when configuring Kerberos authentication for TIBCO Spotfire Server

• "Kerberos setspn -a insufficient access rights", Microsoft TechNet
  • https://social.technet.microsoft.com/Forums/en-US/61261907-ce07-4114-a916-d4538d24577b/kerberos-setspn-a-insufficient-access-rights
• "Setspn", article on learn.microsoft.com
  • https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731241(v=ws.10)#BKMK_Del