Private Key on node must be accessible to delegated users to be able to use TERR Service
Article ID: KB0080169
Updated On:
Description
In an environment with Kerberos delegation to the Spotfire Web Player, access to other Spotfire components can fail with:
WinHttp request failed with code (12186): ClientCertificateNoAccessPrivateKey
This line is logged at DEBUG level, so it is not always clear that it is the cause of the ERROR message that follows it.
One situation in which this can happen is when you try to access the TERR Service and the TERR Service URL in question has not been successfully accessed recently (by a user who has access to the certificate private key).
Environment
TIBCO Spotfire Server + Web Player + TERR Service
Resolution
- Grant read access to the certificate private key for the group "Authenticated Users"
- On the Node Manager in question, open mmc.exe and add the Certificates snap-in for the Local Computer
- Open Console Root/Certificates/Personal/Certificates and right-click the certificate issued by "TIBCO Spotfire Signing CA"
- Under All Tasks, select "Manage Private Keys..."
- Add the group "Authenticated Users" (or any other AD group defining all intended users) and grant Read
After this you should no longer get ClientCertificateNoAccessPrivateKey.
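A scripted equivalent of the steps above, as an added example that is not TIBCO's own tooling: it locates the private key file of the certificate issued by "TIBCO Spotfire Signing CA", lists who can read it, and grants Read only when -Grant is passed. It assumes an RSA machine key and an elevated Windows PowerShell session on the Node Manager; the parameter names -Group and -Grant are hypothetical.

```powershell
# Added example: audit (and optionally grant) Read on the certificate's private key file.
param(
    # Assumption: the default follows the article; pass a narrower AD group if one exists.
    [string]$Group = 'NT AUTHORITY\Authenticated Users',
    [switch]$Grant   # without -Grant the script only reports the current ACL
)

$issuerMatch = '*TIBCO Spotfire Signing CA*'
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\Keys",            # CNG machine keys
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"  # legacy CryptoAPI machine keys
)

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like $issuerMatch -and $_.HasPrivateKey }
if (-not $certs) { throw "No certificate with a private key issued by $issuerMatch found." }

foreach ($cert in $certs) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { Write-Warning "$($cert.Thumbprint): no RSA private key, skipped"; continue }

    # The key container's unique name is also the name of the key file on disk.
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { Write-Warning "$($cert.Thumbprint): key file not found"; continue }

    $acl = Get-Acl -Path $keyFile
    if ($Grant) {
        # Read only: delegated users must use the key, not change or delete it.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        $acl = Get-Acl -Path $keyFile   # re-read to show the effective result
    }

    "Certificate $($cert.Thumbprint) ($($cert.Subject)), key file: $keyFile"
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Running it first without -Grant shows whether the delegated users' group is already on the key's ACL, which confirms or rules out the private key as the cause before any permission is changed.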
Issue/Introduction
WinHttp request failed with code (12186): ClientCertificateNoAccessPrivateKey occurs in a Kerberos delegation environment if the user has no access to the private key.
Granting access to the private key for "Authenticated Users" solves the issue.