When the TIBCO Spotfire Server is upgraded to version 12.0 or newly installed and RC4-HMAC encryption type is used in krb5.conf file and keytab, the Spotfire Server application will fail to start, and the following errors are seen in the server.log:

[*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosCredentialsManager' defined in class path resource [applicationContext-tss-is-common.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal

ERROR 2022-09-17T12:22:17,719-0400 [unknown, #B-101, #270] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)

ERROR 2022-09-17T12:22:12,950-0400 [unknown, #B-20, #87] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)

Caused by: sun.security.krb5.KrbException: Encryption type RC4 with HMAC is not supported/enabled

Caused by: sun.security.krb5.KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:1015) ~[java.security.jgss:?]

This is because Spotfire 12.0 is bundled with Java SE Development Kit 17. The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default in Java 17. Therefore, after upgrading from an earlier working version with RC4-HMAC encryption type where that encryption was enabled to Spotfire 12.0, Spotfire will not fail to start. Please refer to the Java 17 release note.

• https://www.oracle.com/java/technologies/javase/17-relnote-issues.html

To resolve, you need to use AES-128 or AES-256 encryption types while creating the keytab and configure krb5.conf with below encryption types:
default_tkt_enctypes = aes128-cts,aes256-cts,
default_tgs_enctypes = aes128-cts,aes256-cts

Also make sure AES-128 and AES-256 are enabled on the service account created for the Spotfire Server and Node Manager.

External: Java 17 release note 

• https://www.oracle.com/java/technologies/javase/17-relnote-issues.html

Doc: Creating Keytab

• https://docs.tibco.com/pub/spotfire_server/12.0.0/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/creating_a_keytab_file_for_the_kerberos_service_account.html

​​​​Doc: Configuring krb5.conf

• https://docs.tibco.com/pub/spotfire_server/12.0.0/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/krb5.conf_file.html

KB: 000039381 Enabling AES128 and AES256 for the service account

• https://support.tibco.com/s/article/SPNEGO-NegoTokenTarg-did-not-have-the-right-token-type-error-when-setting-up-Kerberos-authentication