Spotfire Server KERBEROS ERROR "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))"
Article ID: KB0076674
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | 7.5 and higher |
Description
You may encounter login issues (Kerberos authentication/SSO) and Spotfire server log will show:
-------------------------------------------------------------------------------------------------------------------------------------------
ERROR 2019-10-21T09:40:36,897+0400 [userID@domainname, #58, #65895] wp.router.DelegatingStrategy: Kerberos login to XXXXXwebp1.domainname failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454) ~[?:1.8.0_191]
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
at com.spotfire.server.wp.router.DelegatingStrategy.lambda$doDelegate$0(DelegatingStrategy.java:167) ~[common-services.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_191]
ERROR 2019-10-21T09:40:36,897+0400 [userID@domainname, #58, #65895] wp.router.DelegatingStrategy: Kerberos login to XXXXXwebp1.domainname failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))
-------------------------------------------------------------------------------------------------------------------------------------------
Issue/Introduction
How to troubleshoot KERBEROS ERROR "No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Connection timed out: connect))"
Environment
All Supported Operating systems
Resolution
- Such issues are seen where the KDC picked did not respond on time. Maybe the the AD (active directory) server that is first in the list from the DNS is not responding.
- As a test try to pick a specific server as the KDC and update the same in "krb5.conf" under "realms", instead of using the dns response for "domainname.com"
- Contact the Domain Admin to fetch the required KDC name.
- Restart the Spotfire Server service for the changes to take effect.
NOTE:
In version 10.2 and lower "krb5.conf" is located in (“<TSS install dir>\jdk\jre\lib\security)
In version 10.3 and later "krb5.conf" is located in (“<TSS install dir>\tomcat\spotfire-config)
- As a test try to pick a specific server as the KDC and update the same in "krb5.conf" under "realms", instead of using the dns response for "domainname.com"
- Contact the Domain Admin to fetch the required KDC name.
- Restart the Spotfire Server service for the changes to take effect.
NOTE:
In version 10.2 and lower "krb5.conf" is located in (“<TSS install dir>\jdk\jre\lib\security)
In version 10.3 and later "krb5.conf" is located in (“<TSS install dir>\tomcat\spotfire-config)
Feedback
Yes
No
Powered by
