Private Key on node must be accessible to delegated users to be able to use TERR Service


Article ID: KB0080169

Products Versions
Spotfire Web Player 10.0

Description

In an environment with Kerberos delegation to the Spotfire Web Player, access to other Spotfire components can fail with:
 
WinHttp request failed with code (12186): ClientCertificateNoAccessPrivateKey

This line is logged at DEBUG level, so it is not always clear that it is the cause of the ERROR message that follows.

One situation where this can happen is when you try to access the TERR service and the TERR service URL in question has not been successfully accessed recently (by a user who has access to the certificate private key).

Issue/Introduction

WinHttp request failed with code (12186): ClientCertificateNoAccessPrivateKey occurs in a Kerberos delegation environment if the user has no access to the private key. Granting access to the private key for "Authenticated Users" solves the issue.

Environment

TIBCO Spotfire Server + Web Player + TERR Service

Resolution

  1. Grant read access to the certificate private key for the group "Authenticated Users"
  2. On the Node Manager in question, open mmc.exe and add the Certificates snap-in for the Local computer
  3. Open Console Root/Certificates/Personal/Certificates and right-click the certificate issued by "TIBCO Spotfire Signing CA"
  4. Under All Tasks, select "Manage Private Keys..."
  5. Add the group "Authenticated Users" (or any other AD group defining all intended users) and grant Read

After this, you should no longer get the ClientCertificateNoAccessPrivateKey error.
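
The same check and grant can be scripted. The following PowerShell is an added example, not TIBCO code: it lists who can read the private key of each certificate issued by "TIBCO Spotfire Signing CA" in the Local computer Personal store and, when `$Grant` is set, adds a Read entry for one AD group. It assumes an elevated session on the Node Manager host and an RSA key stored as a file in the machine key folders; the group name `EXAMPLE\Spotfire-Users` is a hypothetical placeholder for the "AD group defining all intended users" mentioned in step 5.

```powershell
# Added example, not TIBCO code. Run in an elevated PowerShell on the Node Manager host.
$IssuerMatch = 'TIBCO Spotfire Signing CA'   # issuer name from the article
$Group       = 'EXAMPLE\Spotfire-Users'      # hypothetical AD group (assumption)
$Grant       = $false                        # set to $true to add the Read entry

# Machine private keys are files in one of these folders (CNG or legacy CSP storage).
$KeyDirs = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }     # certificate does not use an RSA key
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    foreach ($dir in $KeyDirs) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    return $null
}

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }

foreach ($cert in $certs) {
    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not $keyFile) {
        Write-Warning "No RSA key file found for certificate $($cert.Thumbprint)"
        continue
    }
    $acl = Get-Acl -LiteralPath $keyFile
    if ($Grant) {
        # Equivalent of "Manage Private Keys..." > Add > Read in the MMC snap-in.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyFile -AclObject $acl
        $acl = Get-Acl -LiteralPath $keyFile   # re-read to show the effective ACL
    }
    Write-Host "Certificate $($cert.Thumbprint) key file: $keyFile"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Running it with `$Grant = $false` first shows the current ACL, which makes it easy to confirm afterwards that only the intended group was added.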