Unable to set SPNs on account with ERROR: "Insufficient access rights to perform the operation" when configuring Kerberos authentication for TIBCO Spotfire Server
Article ID: KB0071505
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | All |
Description
When you set Kerberos Authentication on TIBCO Spotfire server, you need to set SPNs for TIBCO Spotfire server Kerberos service account.
Once you get to the step "SETSPN" command-line tool for the TIBCO Spotfire server Kerberos service account , run a below command line script:
-------
setspn -A http/servername domain\service account
-------
and you may run into error below:
-------
Failed to assign SPN on account 'CN=domain\service account ,OU=ABC, OU=XYZ Service account, OU Admins, DC=Domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the operation.
-------
Once you get to the step "SETSPN" command-line tool for the TIBCO Spotfire server Kerberos service account , run a below command line script:
-------
setspn -A http/servername domain\service account
-------
and you may run into error below:
-------
Failed to assign SPN on account 'CN=domain\service account ,OU=ABC, OU=XYZ Service account, OU Admins, DC=Domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the operation.
-------
Issue/Introduction
Unable to set SPNs on account with ERROR: "Insufficient access rights to perform the operation" when configuring Kerberos authentication for TIBCO Spotfire Server
Environment
All
Resolution
It seems that the user who is running "SETSPN" command does not have sufficient permissions to create SPN on the domain controller.
To run this command, you either need to login to the machine as a domain admin or a user who is a member of the built-in Account Operators domain group.
Refer to the page "Registering Service Principal Names" in the TIBCO Spotfire Server manual for more information:
https://docs.tibco.com/pub/spotfire_server/12.0.4/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/registering_service_principal_names.html
Below is from the manual
"Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group." to perform this operation.
To run this command, you either need to login to the machine as a domain admin or a user who is a member of the built-in Account Operators domain group.
Refer to the page "Registering Service Principal Names" in the TIBCO Spotfire Server manual for more information:
https://docs.tibco.com/pub/spotfire_server/12.0.4/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/registering_service_principal_names.html
Below is from the manual
"Log in to the computer as a domain administrator or a user who is a member of the built-in Account Operators domain group." to perform this operation.
Additional Information
- "Kerberos setspn -a insufficient access rights", Microsoft TechNet
- "Setspn", article on learn.microsoft.com
Feedback
Yes
No
Powered by
