Delegation to Node Manager fails with error: "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)"

Delegation to Node Manager fails with error: "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)"

book

Article ID: KB0075203

calendar_today

Updated On:

Products

Spotfire Server

Description

Symptoms:

Kerberos Delegation to the Node Manager fails and "Internal Server Error" is received on the UI while trying to open an analysis.
Below error is returned in the <Spotfire Server Install>\tomcat\logs\server.log file
======================
 No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)
======================
 

Issue/Introduction

Error : No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63)

Resolution

This error is generally received if the KRB5.conf doesn't have a correct domain or cross-domain information. Below are some possible causes and their solutions:
 
a) To check if domain is correct or incorrect- 
  1. Open the krb5.conf from  <Spotfire Server Install>\jdk\jre\lib\security\ for Spotfire Server 10.2 and lower and <Spotfire Server Install>tomcat\spotfire-config for 10.3 and higher
  2. Make sure that the Krb5.conf has the correct domain realm information e.g 
========
[libdefaults]
    default_realm = TSSTEST.LAB
    default_keytab_name = spotfire.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    forwardable = true

[realms]
    TSSTEST.LAB = {
        kdc = tsstest.lab
        admin_server = tsstest.lab
        default_domain = tsstest.lab
    }

[domain_realm]
    .tsstest.lab = TSSTEST.LAB
    tsstest.lab = TSSTEST.LAB


[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

========

b) When multiple domains are used and if krb5.conf file misses the multiple domain information:
Refer to the below KB article for detailed example on krb5.conf file
https://support.tibco.com/s/article/Configuring-krb5-conf-when-setting-up-Kerberos-authentication-across-multiple-domains

c) When cross-realm authentication is used, and the krb5.conf file misses the information required for the redirection. Review the below link for more information on how to set the paths:
https://docs.oracle.com/cd/E19253-01/816-4557/setup-87/index.html


 

Additional Information

https://legacy.gitbook.com/book/steveloughran/kerberos_and_hadoop/discussions/1