Spotfire server may fail to start after configuring Kerberos authentication.

Article ID: KB0076699

Products: Spotfire Server
Versions: All Versions

Description

Spotfire Server may fail to start after Kerberos authentication is configured, with the following error in the server log (server.log):
=====
ERROR 2019-10-17T11:58:16,583+0900 [*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosCredentialsManager' defined in class path resource [applicationContext.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
....
....
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
....
....
Caused by: javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
=====

If you enabled extra debug logging in the Spotfire Server configuration tool, you may also see the following error in the stdout.log file:
=====
Key for the principal HTTP/test_machine.analytics.com@ANALYTICS.COM not available in C:\tibco\tss\10.3.3\tomcat\spotfire-config\spotfire.keytab
[Krb5LoginModule] authentication failed 
No CallbackHandler available to garner authentication information from the user
=====

Issue/Introduction

Spotfire server may fail to start after configuring Kerberos authentication.

Resolution

One possible cause of this issue is that the Spotfire Server Kerberos service account does not have permission to access the keytab file path in the Spotfire Server installation directory.

Grant the Spotfire Server Kerberos service account the required access (Read + Write + Modify, or Full Control) on the keytab file path below. The keytab holds the service principal's long-term key, so do not extend this access to other accounts.

For Spotfire server version 10.3 and above:

<Spotfire Server Install Dir>\tomcat\spotfire-config\spotfire.keytab

For Spotfire server version 10.2 and below:

<Spotfire Server Install Dir>\jdk\jre\lib\security\spotfire.keytab
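
The following Python example is added here and is not part of the original article or of Spotfire tooling. Run as the Spotfire Server service account, it separates the permission problem described above from a keytab that is readable but lacks the service principal, by parsing the keytab and listing its principals. It assumes the keytab uses the standard MIT file format 0x0502; the function names and result strings are illustrative.

```python
import struct
import sys

def keytab_principals(data):
    """Parse MIT keytab bytes (format 0x0502); return [(principal, kvno, enctype)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry: skip it
            pos += -size
            continue
        p, end = pos, pos + size
        def counted():                     # uint16 length followed by that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p].decode("utf-8", "replace")
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        _ntype, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen                   # step over the key bytes; they are never returned
        if end - p >= 4:                   # optional trailing 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        found.append((f"{name}@{realm}", kvno, enctype))
        pos = end
    return found

def check_keytab(path, principal):
    """Classify why a principal's key may be 'not available' in a keytab."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "missing-file"
    except PermissionError:
        return "no-access"                 # the cause this article describes
    try:
        names = {name for name, _, _ in keytab_principals(data)}
    except (ValueError, struct.error):
        return "corrupt"
    return "ok" if principal in names else "principal-absent"   # exact, case-sensitive match

if __name__ == "__main__":                 # usage: script.py <keytab path> <principal>
    print(check_keytab(sys.argv[1], sys.argv[2]))
```

A result of `no-access` points to the file permission fix in this article; `principal-absent` points to the other causes covered in the related KB articles.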

Additional Information

Note:
This issue can have several possible causes. See the following KB articles for similar issues:
https://support.tibco.com/s/article/Kerberos-authentication-may-fail-after-upgrading-to-Spotfire-10-3

https://support.tibco.com/s/article/Spotfire-server-fails-to-start-with-Failure-acquiring-a-Kerberos-TGT-for-the-service-principal-error-after-the-upgrade