When setting up Kerberos authentication on the TIBCO Spotfire Server, we may see the following error appear in the server.log:

ERROR 2020-04-28T10:56:49,284-0500 [unknown, #5, #123] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
...
Caused by: sun.security.krb5.KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
...
ERROR 2020-04-28T10:56:56,534-0500 [unknown, #5, #132] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)

While the error “Defective token detected” likely means that an NTLM token was detected, the message "did not have the right token type"  implies that the information within the token was incorrect. 

An example is if the keytab was created with crypto as AES-256 or AES-128 and krb5.conf set with the appropriate encryption types yet if the service account did not have the AES-256 / AES-128 encryption enabled in the service account properties, we may see the following error:
         "SPNEGO NegoTokenTarg : did not have the right token type"

Make sure that the service account properties has the the following options checked as shown below: