Additional configuration needed on client machines when TIBCO Spotfire Server Kerberos Authentication is configured with non-default HTTP port
Article ID: KB0083626
Products: Spotfire Server
Versions: All versions
Description
Description: Additional configuration is needed on each client for Kerberos authentication when TIBCO Spotfire Server is configured to listen on a non-default HTTP port (that is, a port other than 80 or 443).
Symptoms: Kerberos authentication may fail in browsers such as Internet Explorer, Chrome and Firefox, and in Spotfire Analyst, with varying ERROR messages. Common errors encountered in the TIBCO Spotfire Server logs are:

ERROR 2015-09-17T13:07:36,376-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

ERROR 2015-09-15T22:48:35,936-0500 [unknown, #1] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

ERROR 2015-09-16T21:38:22,098-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

Of these ERROR messages, "Checksum failed" is the one most commonly seen.
Cause: By default, a client does not include the port number in the SPN it names in the TGS request, so it asks the KDC for a ticket for "HTTP/tss_server_host" rather than for the port-qualified name. Authentication fails because that port-less SPN is not registered for the Spotfire Server service account in the domain (and if it is registered to a different account, the KDC issues a ticket encrypted with that account's key, which Spotfire Server cannot decrypt, hence "Checksum failed"). For non-default ports, the SPN must be registered in the following format, including the port number:
> "HTTP/tss_server_host:port"
NOTE: This behavior has been tested on IE 11, Chrome 46.0.2490.71 and Firefox 41.0.2
Environment
All supported operating systems
Resolution
A common solution is to register one more SPN for Spotfire Server, alongside the existing port-qualified one, in the default-port format: HTTP/SpotfireServerHostName.DomainName.
However, this approach is not acceptable in every scenario, in particular where another service on the Spotfire Server host already has the default-port SPN registered (an SPN can be held by only one account). In that case, the following per-client approach can be used.
For Internet Explorer:
------------------------------
*** On 32-bit computers:
> Open Windows Registry Editor (run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
> Create a new key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209".
> Under that key, create a new DWORD value named "iexplore.exe" and set its value to 1.
> Exit Registry Editor.
*** On 64-bit computers:
> Open Windows Registry Editor (run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl.
> Create a new key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209".
> Under that key, create a new DWORD value named "iexplore.exe" and set its value to 1.
> Exit Registry Editor.
-------------------------------
For Google Chrome:
----------------------------
> Open Windows Registry Editor (run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome (create the Google and Chrome keys if they do not exist).
> Create a new DWORD value named "EnableAuthNegotiatePort" and set its value to 1.
> Refresh the registry view (View > Refresh) and verify that the same key and value also exist under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome.
> Exit Registry Editor and restart the computer.
For Firefox:
----------------
This is still an unresolved bug in Firefox: it does not include the port in the SPN sent in the TGS request. An SPN for Spotfire Server without a port number (i.e. for the default port) must therefore be registered.
For TIBCO Spotfire Analyst:
--------------------------------------
> Open Windows Registry Editor (run regedit.exe).
> Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
> Create a new key named "FEATURE_INCLUDE_PORT_IN_SPN_KB908209".
> Under that key, create a new DWORD value named "Spotfire.Dxp.exe" and set its value to 1. Alternatively, create a wildcard DWORD value named "*" (asterisk) to match all client executables.
> Exit Registry Editor and restart the computer.
For TIBCO Spotfire Web Player:
-------------------------------------------
> An SPN for Spotfire Server without a port number (i.e. for the default port) must be registered.
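The following PowerShell script is an added example, not part of the TIBCO article, that applies the client-side registry settings above for Internet Explorer, Spotfire Analyst and Google Chrome in one pass, reads them back for checking, and can optionally register the port-qualified SPN from the Cause section with setspn. The host name, port, service account and the post-reboot klist check are assumptions for illustration; it also assumes the Spotfire Server's own Kerberos configuration already accepts that port-qualified principal, which this article does not cover. Run it in an elevated PowerShell session on the client; use -RegisterSpn only on a domain-joined machine where you hold the rights to modify the service account.

```powershell
# Added example (not from the TIBCO article). Host, port and service account
# below are assumptions; replace them with your own values.
[CmdletBinding()]
param(
    [string]$SpotfireHost   = 'tss01.example.com',     # assumption
    [int]   $Port           = 8443,                    # assumption: a non-default HTTP port
    [string]$ServiceAccount = 'EXAMPLE\svc-spotfire',  # assumption: Spotfire service account
    [switch]$RegisterSpn                               # needs setspn.exe and domain rights
)

$ErrorActionPreference = 'Stop'
$spn = "HTTP/${SpotfireHost}:${Port}"   # port-qualified SPN, as in the Cause section

function Set-RegDword {
    # Creates the key if it is missing and writes (or overwrites) a REG_DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Server-side prerequisite: the port-qualified SPN must be held by the Spotfire
#    service account. setspn -S checks the forest for a duplicate before adding;
#    setspn -Q afterwards shows which account now holds it.
if ($RegisterSpn) {
    & setspn.exe -S $spn $ServiceAccount
    & setspn.exe -Q $spn
}

# 2. Internet Explorer and Spotfire Analyst (WinINet feature control, KB908209).
#    The article sets the native hive on 32-bit Windows and WOW6432Node on 64-bit;
#    writing both is harmless and covers 32- and 64-bit processes alike.
$feature = 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$ieKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$feature",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\$feature"
)
foreach ($key in $ieKeys) {
    Set-RegDword -Path $key -Name 'iexplore.exe'     -Value 1
    Set-RegDword -Path $key -Name 'Spotfire.Dxp.exe' -Value 1
}

# 3. Google Chrome policy: include the port in the SPN Chrome generates.
$chromeKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Google\Chrome'
)
foreach ($key in $chromeKeys) {
    Set-RegDword -Path $key -Name 'EnableAuthNegotiatePort' -Value 1
}

# 4. Read every value back so the result can be checked (and logged) before rebooting.
function Get-PortInSpnConfig {
    $result = [ordered]@{}
    foreach ($key in ($ieKeys + $chromeKeys)) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'iexplore.exe', 'Spotfire.Dxp.exe', 'EnableAuthNegotiatePort') {
            if ($null -ne $props -and $null -ne $props.$name) {
                $result["$key\$name"] = $props.$name
            }
        }
    }
    return $result
}
Get-PortInSpnConfig | Format-Table -AutoSize

# 5. After a reboot and a fresh sign-in, browse to the server and inspect the
#    ticket cache: a working client holds a ticket for the port-qualified SPN.
Write-Host "Reboot, sign in, open https://${SpotfireHost}:${Port}/ and then run: klist"
Write-Host "Expect a ticket for '$spn' rather than for 'HTTP/$SpotfireHost'."
```

The script does nothing for Firefox or the Spotfire Web Player: as the article notes, those clients still request the port-less SPN, so the default-port SPN must be registered for them. If klist still shows a ticket for the port-less name after the reboot, the client-side setting has not taken effect (wrong hive, wrong executable name, or a policy overriding it), and the server log will keep reporting "Checksum failed".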