The error "The client credential cannot be delegated" may be thrown by any type of TDV client (ODBC, JDBC, or ADO.NET). In the case of a JDBC client, the error is typically accompanied by the following trace in the TDV logs:
----------------------------------------------------------------------
Caused by: java.lang.Exception: The client credential cannot be delegated
    at com.compositesw.common.pool.jdbc.JdbcConnectionInitiator.initKerberosSubject(JdbcConnectionInitiator.java:159)
    at com.compositesw.common.pool.jdbc.JdbcConnectionInitiator.getKerberizedConnection(JdbcConnectionInitiator.java:55)
-----------------------------------------------------------------------
The error means one of the following:
(1) Active Directory is not configured to allow the TDV service account to use constrained delegation, or
(2) the KDC is issuing a ticket that does not have the OK-AS-DELEGATE and/or FORWARDABLE flags set.
To troubleshoot, begin by temporarily switching the TDV service account to unconstrained delegation and check whether this resolves the error:
1. Open Active Directory Users and Computers, open the properties of the TDV service account, and click the Delegation tab.
2. Select "Trust this user for delegation to any service (Kerberos only)".
If this resolves the problem, unconstrained delegation is working, so the remaining question is the constrained delegation configuration. Unconstrained delegation is a diagnostic step only: an account trusted for delegation to any service receives forwarded TGTs that it can use against any service in the domain, so do not leave it enabled once the test is done. Proceed to check constrained delegation as follows:
3. Change the Delegation setting in Active Directory from "Trust this user for delegation to any service (Kerberos only)" to "Trust this user for delegation to specified services only".
4. Under "Services to which this account can present delegated credentials", add the service that TDV needs to delegate to (e.g. the SQL Server service). Make sure the service principal name is entered accurately; a mistyped SPN silently prevents delegation to that service.
If the above steps do not resolve the error, the cause is likely a Kerberos ticket issue: the ticket cannot be used for constrained delegation because it is missing the required flags.
5. Run <TDV_INSTALL_DIR>\jdk\bin\klist.exe to list the cached tickets.
6. Look through the list to identify the ticket issued for the TDV service principal (the entry whose Server is the TDV SPN) and the TGT (the entry whose Server is krbtgt/<REALM>).
7. Does the TDV service ticket have the OK-AS-DELEGATE and FORWARDABLE flags? The TGT must also be FORWARDABLE, since it is the TGT that gets forwarded to TDV.
Below is a sample klist output for a ticket that carries both flags.
---------------------------------------------
D:\>klist
Cached Tickets: (2)
#1> Client: ...
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
----------------------------------------------
The hex value is the raw ticket-flags word: FORWARDABLE is 0x40000000 and OK-AS-DELEGATE is 0x00040000, so 0x40a50000 decodes to the list shown, whereas a value such as 0x40a10000 (forwardable renewable pre_authent name_canonicalize) lacks OK-AS-DELEGATE.
In particular, TDV looks for OK-AS-DELEGATE, because this flag is the KDC's explicit statement that the TDV service is authorized to receive delegated credentials; Kerberos clients use it to decide whether to forward the user's TGT to the service at all.
The following Microsoft specification (MS-KILE) states that the KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/de260077-1955-447c-a120-af834afe45c2
The following RFC provides additional information on the flag:
https://www.ietf.org/rfc/rfc4120.txt
If these flags are missing, work with your Active Directory administrator and KDC administrator to configure the Kerberos environment to set them, and then try constrained delegation once more.
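The klist check in steps 5 to 7 is easy to get wrong by eye, because the decoded flag list and the hex value do not always get copied together. The script below is an added example (not part of this article or of TDV) that decodes the ticket-flags word using the bit positions from RFC 4120 section 5.3, parses Windows-style klist output, and reports whether the TGT is FORWARDABLE and whether the TDV service ticket has OK-AS-DELEGATE. The klist listings embedded in it are constructed samples, and the TDV SPN HTTP/tdv.example.com is an assumed name; replace it with the SPN registered for your TDV service account.

```python
import re

# Ticket flag bit positions from RFC 4120 section 5.3 (bit 0 is the most
# significant bit of the 32-bit word). Bit 15 is unassigned in the RFC;
# Windows klist decodes it as name_canonicalize.
TICKET_FLAG_BITS = {
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "may_postdate",
    6: "postdated",
    7: "invalid",
    8: "renewable",
    9: "initial",
    10: "pre_authent",
    11: "hw_authent",
    12: "transited_policy_checked",
    13: "ok_as_delegate",
    15: "name_canonicalize",
}


def decode_ticket_flags(value):
    """Return the flag names set in a raw ticket-flags word, in bit order."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if value & (1 << (31 - bit))]


_ENTRY_RE = re.compile(r"^#\d+>", re.MULTILINE)


def parse_klist(text):
    """Parse Windows-style klist output into a list of tickets.

    Each ticket is a dict with 'client', 'server' and 'flags' (int).
    Entries start with '#N>'; only Client:, Server: and the hex value
    after 'Ticket Flags' are used, so the decoded names klist prints
    are ignored and re-derived from the raw word.
    """
    tickets = []
    for chunk in _ENTRY_RE.split(text)[1:]:
        client = re.search(r"Client:\s*(.+)", chunk)
        server = re.search(r"Server:\s*(.+)", chunk)
        flags = re.search(r"Ticket Flags\s+0x([0-9a-fA-F]+)", chunk)
        if not (client and server and flags):
            continue
        tickets.append({
            "client": client.group(1).strip(),
            "server": server.group(1).strip(),
            "flags": int(flags.group(1), 16),
        })
    return tickets


def check_delegation_flags(tickets, tdv_spn):
    """Return a list of problems; an empty list means both flags are in place."""
    problems = []
    tgts = [t for t in tickets if t["server"].lower().startswith("krbtgt/")]
    if not tgts:
        problems.append("no TGT (krbtgt) in cache")
    elif not any("forwardable" in decode_ticket_flags(t["flags"]) for t in tgts):
        problems.append("TGT is not FORWARDABLE")
    svc = [t for t in tickets if t["server"].lower().startswith(tdv_spn.lower())]
    if not svc:
        problems.append("no service ticket for %s in cache" % tdv_spn)
    elif not any("ok_as_delegate" in decode_ticket_flags(t["flags"]) for t in svc):
        problems.append("service ticket for %s lacks OK-AS-DELEGATE" % tdv_spn)
    return problems


# Constructed sample in Windows klist layout (not real output). The TDV
# service ticket here has 0x40a10000, i.e. no OK-AS-DELEGATE bit.
SAMPLE_MISSING_DELEGATE = """
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: alice @ EXAMPLE.COM
        Server: HTTP/tdv.example.com @ EXAMPLE.COM
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

# Same constructed cache after the KDC sets OK-AS-DELEGATE (0x40a50000).
SAMPLE_OK = SAMPLE_MISSING_DELEGATE.replace("0x40a10000", "0x40a50000")

TDV_SPN = "HTTP/tdv.example.com"  # assumed SPN for this example

if __name__ == "__main__":
    for label, sample in (("missing", SAMPLE_MISSING_DELEGATE), ("ok", SAMPLE_OK)):
        tickets = parse_klist(sample)
        for t in tickets:
            print("%s: %s -> %s" % (label, t["server"], " ".join(decode_ticket_flags(t["flags"]))))
        print("%s: problems = %s" % (label, check_delegation_flags(tickets, TDV_SPN)))
```

To use it against a real cache, pipe the output of klist into a file and pass its contents to parse_klist; the decoded names come from the hex word, so the script catches the case where the printed flag list and the value disagree.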