Products | Versions |
---|---|
Spotfire Server | 7.0 and lower |
NTLM authentication fails after applying Microsoft hotfix KB3002657. This will be seen in clustered Spotfire Server environments where the NTLM account is shared between multiple servers, but can be seen in any NTLM configuration that utilizes the localhost-netbios-name parameter.
Symptoms:
NTLM authentication fails with an error resembling the following:
DEBUG 2015-06-05T14:00:39,496-0400 [unknown, #7] server.security.NtlmAuthenticator: NTLM authentication error jespa.security.SecurityProviderException: NETLOGON failure at jespa.ntlm.NtlmSecurityProvider.authenticate(NtlmSecurityProvider.java:1397) at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:1174) at com.spotfire.server.security.NtlmAuthenticator.authenticate(NtlmAuthenticator.java:335) at com.spotfire.server.security.AuthenticationManager.doAuthenticate(AuthenticationManager.java:145) ... Caused by: jcifs.smb.SmbException: Logon failure: unknown user name or bad password. at jespa.ntlm.Netlogon.validate0(Netlogon.java:629) at jespa.ntlm.Netlogon.validate(Netlogon.java:713) at jespa.ntlm.NtlmSecurityProvider.authenticate(NtlmSecurityProvider.java:1390) ... 53 more
Remove the localhost-netbios-name parameter from your NTLM configuration. If you have a shared NTLM account used by multiple Spotfire Servers, then you must now use a separate NTLM account for each server.
The Spotfire Server Installation and Configuration manual references two options for configuring multiple Spotfire Servers with NTLM authentication:
- If separate NTLM accounts are to be used, then use the account name and password options to specify the server's own NTLM account.
- If a shared NTLM account is to be used, specify the account name and password for the shared account, as well as a unique localhost NetBIOS name. The localhost NetBIOS names must not exceed 15 characters."
The shared NTLM account method described above is no longer valid after application of Microsoft hotfix KB3002657.