Spotfire Server KERBEROS ERROR "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))"

Spotfire Server KERBEROS ERROR "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))"

book

Article ID: KB0076674

calendar_today

Updated On:

Products Versions
Spotfire Server 7.5 and higher

Description


You may encounter login issues (Kerberos authentication/SSO) and Spotfire server log will show:
-------------------------------------------------------------------------------------------------------------------------------------------
ERROR 2019-10-21T09:40:36,897+0400 [userID@domainname, #58, #65895] wp.router.DelegatingStrategy: Kerberos login to XXXXXwebp1.domainname failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454) ~[?:1.8.0_191]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
    at com.spotfire.server.wp.router.DelegatingStrategy.lambda$doDelegate$0(DelegatingStrategy.java:167) ~[common-services.jar:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
    at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_191]

ERROR 2019-10-21T09:40:36,897+0400 [userID@domainname, #58, #65895] wp.router.DelegatingStrategy: Kerberos login to XXXXXwebp1.domainname failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))
-------------------------------------------------------------------------------------------------------------------------------------------
 

Environment

All Supported Operating systems

Resolution

- Such issues are seen where the KDC picked did not respond on time. Maybe the the AD (active directory) server that is first in the list from the DNS is not responding.
- As a test try to pick a specific server as the KDC and update the same in "krb5.conf" under "realms", instead of using the dns response for "domainname.com"
- Contact the Domain Admin to fetch the required KDC name.
- Restart the Spotfire Server service for the changes to take effect.

NOTE:
In version 10.2 and lower "krb5.conf" is located in (“<TSS install dir>\jdk\jre\lib\security)
In version 10.3 and later "krb5.conf" is located in (“<TSS install dir>\tomcat\spotfire-config)

Issue/Introduction

How to troubleshoot KERBEROS ERROR "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))"
Powered by Wolken Software