Scheduled Updates fails on Web Players configured with NTLM or Kerberos (Windows Authentication) in IIS with the following error in the log: "Logon failure: the user has not been granted the requested logon type at this computer".

Article ID: KB0079276

Products: Spotfire Web Player
Versions: 7.0 and lower

Description

As of TS 5.0.1 HF-012, TS 5.5 HF-05 and TS 6.0, there was a change in the authentication flow of the Scheduled Updates user when using Scheduled Updates together with NTLM or Kerberos (Windows authentication) on the Web Player.

When using Windows authentication on the Web Player, the Scheduled Updates user defined in web.config is now first logged in locally on the server/computer where the Web Player is installed before being authenticated against the Spotfire server. This was not the case in earlier versions. This can lead to different issues, one being that the user defined as the Scheduled Updates user needs to have login rights to the Windows server that the Web Player is installed on.

Another issue can occur if the Scheduled Updates user is not defined as “domain\username”. If no domain is defined, the Scheduled Updates user might be treated as a local user and the authentication might fail. Make sure the Scheduled Updates user is always defined in the form “domain\username”, as described in the manual.

Symptoms:
If the Scheduled Updates user has not been granted the "Allow logon locally" permission needed to log on and initiate the scheduled updates, Scheduled Updates will fail and the following error will be logged:
Spotfire.Dxp.Web.SiteManager - Failed to initialize the Scheduled Updates
 System.ComponentModel.Win32Exception (0x80004005): Logon failure: the user has not been granted the requested logon type at this computer

Cause:
Change in the authentication flow for the Scheduled Updates user when using Scheduled Updates together with NTLM or Kerberos (Windows authentication) on the Web Player.

Resolution

OPTION 1 - Grant "Allow logon locally" permissions:
Grant the Scheduled Updates user "Allow logon locally" permissions on the TIBCO Spotfire Web Player server. Adding the user to the following Group policy will give the user the needed permissions:

OPTION 2 - Disable logon requirement:

Apply the following hotfixes (or later) and enable the old behavior by adding the 'explicitLoginOfWindowsIdentity' attribute and setting it to 'true'.

Minimum required hotfixes:

  • TS 5.0.1 HF-013
  • TS 5.5 HF-006
  • TS 6.0 HF-001

Update the web.config by adding the following attribute to the scheduledUpdates node:

<spotfire.dxp.web>
  ...
  <setup>
    ...
    <scheduledUpdates ... explicitLoginOfWindowsIdentity="true">


Note for TIBCO Spotfire 6.5 and 7.0:
In TIBCO Spotfire 6.5, the Scheduled Updates user is only logged in if delegated Kerberos is enabled, i.e., when Windows authentication is enabled in IIS for the application and Spotfire impersonation is turned off. For 6.5 and future versions, this setting should no longer be used; instead, it is recommended to allow the account to log in (the configuration setting will still be maintained).
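
A way to check the two conditions described above (the "domain\username" form and the "Allow logon locally" right) on the Web Player server, as an added example that is not part of the original article. It reports whether the account's SID is listed under SeInteractiveLogonRight ("Allow log on locally") or SeDenyInteractiveLogonRight ("Deny log on locally"); the account name EXAMPLE\svc-scheduledupdates is a placeholder.

```powershell
using namespace System.Security.Principal
# Added example, not from the KB article. Run elevated on the Web Player server.
param([string]$Account = 'EXAMPLE\svc-scheduledupdates')  # hypothetical placeholder account

# The article requires the domain\username form.
if ($Account -notmatch '^[^\\]+\\[^\\]+$') { throw "'$Account' is not in domain\username form." }

# Resolve the account to a SID (throws if the name cannot be resolved).
$sid = ([NTAccount]$Account).Translate([SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
try     { $policy = Get-Content -Path $inf }
finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }

function Get-RightHolder([string[]]$Lines, [string]$Right) {
    # Export lines look like: SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\name
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) }   # already a SID
        elseif ($entry) {
            # Account name: normalise to a SID so comparisons are exact.
            try { ([NTAccount]$entry).Translate([SecurityIdentifier]).Value } catch { $entry }
        }
    }
}

# Translate a SID back to a readable name; keep the raw value if that fails.
$toName = { param($s) try { ([SecurityIdentifier]$s).Translate([NTAccount]).Value } catch { $s } }

$allow = @(Get-RightHolder $policy 'SeInteractiveLogonRight')      # Allow log on locally
$deny  = @(Get-RightHolder $policy 'SeDenyInteractiveLogonRight')  # Deny log on locally

[pscustomobject]@{
    Account         = $Account
    Sid             = $sid
    DirectlyAllowed = $allow -contains $sid
    DirectlyDenied  = $deny -contains $sid
    AllowedTo       = ($allow | ForEach-Object { & $toName $_ }) -join '; '
    DeniedTo        = ($deny  | ForEach-Object { & $toName $_ }) -join '; '
}
```

DirectlyAllowed only reflects an entry for the account itself; when the right is granted through a group, compare the account's group memberships with the AllowedTo and DeniedTo lists.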

 

Additional Information

External: Grant a Member the Right to Logon Locally
Doc: TIBCO Spotfire Web Player Manual: