Kerberos authentication fails on TIBCO Spotfire Server when RC4-HMAC encryption type is used

Article ID: KB0071937

Product: Spotfire Server
Versions: 12.0 and higher

Description

When TIBCO Spotfire Server is upgraded to version 12.0 (or newly installed at that version) and the RC4-HMAC encryption type is used in the krb5.conf file and in the keytab, the Spotfire Server application fails to start and the following errors appear in server.log:

[*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosCredentialsManager' defined in class path resource [applicationContext-tss-is-common.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal

ERROR 2022-09-17T12:22:17,719-0400 [unknown, #B-101, #270] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)

ERROR 2022-09-17T12:22:12,950-0400 [unknown, #B-20, #87] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)

Caused by: sun.security.krb5.KrbException: Encryption type RC4 with HMAC is not supported/enabled

Caused by: sun.security.krb5.KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:1015) ~[java.security.jgss:?]


This happens because Spotfire 12.0 is bundled with Java SE Development Kit 17. The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are deprecated and disabled by default in Java 17. Therefore, after upgrading to Spotfire 12.0 from an earlier version that worked with the RC4-HMAC encryption type enabled, Spotfire will fail to start. Refer to the Java 17 release note for details.

Environment

All

Resolution

To resolve this, use the AES-128 or AES-256 encryption types when creating the keytab, and configure the [libdefaults] section of krb5.conf with the following encryption types:
default_tkt_enctypes = aes128-cts,aes256-cts
default_tgs_enctypes = aes128-cts,aes256-cts


Also make sure AES-128 and AES-256 are enabled on the service account created for the Spotfire Server and Node Manager.
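Before restarting the server it is worth confirming that neither the keytab nor krb5.conf still carries an enctype that Java 17 disables. The script below is an added example, not TIBCO's code: it parses an MIT-format keytab (version 2) to list the enctype of every key, and scans the enctype settings in the [libdefaults] section of a krb5.conf, reporting any rc4-hmac, des3 or single-DES entries. The sample keytab bytes and config text are constructed in-code for illustration (all-zero key material, a made-up realm), and the enctype numbers are the standard IANA/MIT values.

```python
"""Audit a Kerberos keytab and krb5.conf for enctypes that Java 17 disables by default.

Added example, not part of the TIBCO article. Keytab parsing follows the MIT
keytab v2 on-disk format; SAMPLE_KEYTAB below is constructed, not a real keytab.
"""
import struct

# Standard Kerberos enctype numbers (RFC 3961 / MIT krb5).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Disabled by default in Java 17 (des3 and rc4 per the release note; single DES earlier).
WEAK_ENCTYPES = {1, 3, 16, 23}
# krb5.conf spellings of those enctypes.
WEAK_CONF_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1",
                   "des3-hmac-sha1", "des-cbc-crc", "des-cbc-md5", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_keytab(data: bytes) -> list:
    """Return (principal, kvno, enctype) for each entry in keytab v2 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab v2 file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack(">H", data[p:p + 2]); p += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (ln,) = struct.unpack(">H", data[p:p + 2]); p += 2
            strings.append(data[p:p + ln].decode()); p += ln
        realm, comps = strings[0], strings[1:]
        p += 4                       # name_type (present in v2)
        p += 4                       # timestamp
        kvno = data[p]; p += 1       # 8-bit key version number
        enctype, keylen = struct.unpack(">HH", data[p:p + 4]); p += 4
        p += keylen                  # skip the key material itself
        if p + 4 <= end:             # optional 32-bit kvno overrides the 8-bit one if nonzero
            (vno32,) = struct.unpack(">I", data[p:p + 4])
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries


def weak_keytab_entries(data: bytes) -> list:
    """Entries whose enctype Java 17 will refuse to use."""
    return [(princ, kvno, ENCTYPE_NAMES.get(et, str(et)))
            for princ, kvno, et in parse_keytab(data) if et in WEAK_ENCTYPES]


def weak_conf_settings(conf_text: str) -> dict:
    """Map each enctype list in [libdefaults] to the weak names it contains."""
    findings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            names = [n.lower() for n in value.replace(",", " ").split()]
            weak = [n for n in names if n in WEAK_CONF_NAMES]
            if weak:
                findings[key] = weak
    return findings


def _keytab_entry(realm, comps, enctype, key, kvno=1):
    """Build one keytab v2 entry (used only to construct the sample below)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # name_type=NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: one rc4-hmac key and one aes256 key for the same SPN.
SPN = ["HTTP", "spotfire.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _keytab_entry("EXAMPLE.COM", SPN, 23, b"\x00" * 16)
                 + _keytab_entry("EXAMPLE.COM", SPN, 18, b"\x00" * 32))
BAD_CONF = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n" \
           "default_tkt_enctypes = rc4-hmac\ndefault_tgs_enctypes = rc4-hmac\n"
GOOD_CONF = "[libdefaults]\ndefault_tkt_enctypes = aes128-cts,aes256-cts\n" \
            "default_tgs_enctypes = aes128-cts,aes256-cts\n"

if __name__ == "__main__":
    for princ, kvno, et in parse_keytab(SAMPLE_KEYTAB):
        print(f"{princ} kvno={kvno} {ENCTYPE_NAMES.get(et, et)}")
    print("weak keytab entries:", weak_keytab_entries(SAMPLE_KEYTAB))
    print("weak krb5.conf settings:", weak_conf_settings(BAD_CONF))
```

To run this against a real deployment, read the server's keytab file in binary mode and pass the bytes to weak_keytab_entries, and pass the text of krb5.conf to weak_conf_settings; both should come back empty once the keytab has been regenerated with AES keys and the enctype lists rewritten as in the resolution above.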

Additional Information

External: Java 17 release note

Doc: Creating Keytab

Doc: Configuring krb5.conf

KB: 000039381 Enabling AES128 and AES256 for the service account