Constrained Kerberos Delegation to file shares in Spotfire Web Player

Article ID: KB0070900

Product: Spotfire Web Player
Versions: 7.5 - 7.14

Description

When setting up constrained delegation to a CIFS file share, you might end up in a situation where access to the file share is denied when the files are read "in process", i.e. using the delegated credentials. (Files read out of process, e.g. MS Excel files by default, are accessed without delegation, using the service account.)

Example of stack trace:

WARN ;2018-07-31T15:42:33,001+02:00;2018-07-31 13:42:33,001;c295e308-1f5c-4df9-8530-619c08427774;3115356792xlE-;WorkThread 44;SpotAdminA@spotfire.local WAT 2;Spotfire.Dxp.Data.DataTable;"Prompting for failed to open table."
Spotfire.Dxp.Data.Exceptions.ImportException: Failed to execute data source query for data source "SmallData". ---> Spotfire.Dxp.Data.Exceptions.ImportException: Failed to open data source. ---> System.UnauthorizedAccessException: Access to the path '\\dc-w2016.spotfire.local\SpotfireTestShare\SmallData.txt' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at Spotfire.Dxp.Data.Import.FileDataSource.OpenFileStream(String file, Boolean deleteFileOnClose)
   at Spotfire.Dxp.Data.Import.TextFileDataSource.ConnectCore(IServiceProvider serviceProvider, DataSourcePromptMode promptMode, DataLoadSettings loadSettings)
   at Spotfire.Dxp.Data.DataSource.ConnectWithoutPrompting(IServiceProvider serviceProvider, DataSourcePromptMode promptMode, Boolean updateInternalState, DataLoadSettings loadSettings)
   --- End of inner exception stack trace ---

Issue/Introduction

Important pointers when setting up constrained delegation to file shares for Spotfire Web Player.

Environment

Spotfire environment set up for constrained delegation. Windows file share in the same domain. Access to Domain Admin rights.

Resolution

The solution is to modify the delegation settings of the machine account of the Spotfire Node Manager on which the Web Player is running:
  1. Trust ... to specified services only ("constrained")
  2. Use any authentication protocol
  3. Add CIFS for all the file-share servers you intend to access
  4. Repeat for all Node machines.
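
The four steps above can also be scripted. The following is an added example, not part of the original article and not the vendor's own tooling. It assumes the ActiveDirectory PowerShell module and Domain Admin rights; the node machine names are hypothetical placeholders, and the file server name is the one from the stack trace above.

```powershell
# Added example: applies the delegation settings from the steps above to each
# Node Manager machine account, then reads the result back for review.
Import-Module ActiveDirectory

$NodeManagers = @('SPOTFIRE-NODE01', 'SPOTFIRE-NODE02')   # hypothetical node machine names
$FileServers  = @('dc-w2016.spotfire.local')              # file-share servers to access

# Build CIFS SPNs for both the FQDN and the short host name of each file server.
$CifsSpns = foreach ($fs in $FileServers) {
    "cifs/$fs"
    "cifs/$($fs.Split('.')[0])"
}
$CifsSpns = $CifsSpns | Sort-Object -Unique

foreach ($name in $NodeManagers) {
    $node = Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo'

    # Step 3: add only the CIFS SPNs that are not already on the allow list.
    $missing = $CifsSpns | Where-Object { $node.'msDS-AllowedToDelegateTo' -notcontains $_ }
    if ($missing) {
        Set-ADComputer -Identity $node -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }

    # Steps 1 and 2: specified services only (no unconstrained trust),
    # and "Use any authentication protocol" (protocol transition).
    Set-ADAccountControl -Identity $node -TrustedForDelegation $false -TrustedToAuthForDelegation $true

    # Read the settings back so the final allow list can be reviewed per node.
    Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}
```

The read-back should show TrustedForDelegation as False, TrustedToAuthForDelegation as True, and only the CIFS entries for the file servers you intend to access (plus any services that were already configured).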

Additional Information

See Scenario 2 and Workaround 2 in the Microsoft article: https://support.microsoft.com/en-us/help/2602377/constrained-delegation-for-cifs-fails-with-access-denied