How to allow the domain attribute in the login username with External Authentication.

Article ID: KB0080670

Products Versions
Spotfire Server All Versions

Description

In some cases, a login fails when the Spotfire Server uses external authentication and the login username contains the domain name in DNS form (user@example.com). The cause is that Tomcat, by default, strictly adheres to the HTTP specification (RFC 2616), which treats the @ sign as a separator, and therefore disallows a number of characters in cookie values, including the @ sign. As a result, cookie values that carry typical usernames in DNS form lose the domain name part before they reach the Spotfire Server application.

Issue/Introduction

How to allow the domain attribute in the login username with External Authentication.

Environment

Product: TIBCO Spotfire Server
Version: All Versions
OS: All Supported Operating Systems

Resolution

A number of workarounds exist. Use either one of the following recommended workarounds.

1) If the cookie is set by a proxy server, escape the cookie value by surrounding it with double quotes (").

OR

2) On the Spotfire Server, edit the tomcat/conf/context.xml file and add the following to the Context element:

 -----------------------------------------------------------------------------------------------------------------------------------------

       <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />

------------------------------------------------------------------------------------------------------------------------------------------

Save the file and restart the Spotfire Server service. This switches Tomcat to a newer and more lenient cookie processor.
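One way to confirm that workaround 2 is in place before restarting, as an added example that is not part of the original article or of Spotfire Server: the script below checks that the CookieProcessor element is an active direct child of the Context element (not commented out, nested elsewhere, or using another class) and adds it if it is missing. The function names and the sample file content are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

RFC6265 = "org.apache.tomcat.util.http.Rfc6265CookieProcessor"
ELEMENT = '    <CookieProcessor className="%s" />\n' % RFC6265

def cookie_processor_status(context_xml):
    """Classify a context.xml text: 'ok', 'missing', 'wrong-class' or 'misplaced'."""
    root = ET.fromstring(context_xml)  # XML comments are skipped by the parser
    if root.tag != "Context":
        raise ValueError("root element is <%s>, not <Context>" % root.tag)
    direct = root.findall("CookieProcessor")  # direct children only
    if direct:
        ok = all(e.get("className") == RFC6265 for e in direct)
        return "ok" if ok else "wrong-class"
    # No direct child: see whether the element was nested deeper by mistake.
    if root.find(".//CookieProcessor") is not None:
        return "misplaced"
    return "missing"

def ensure_cookie_processor(context_xml):
    """Return the text with the element added before </Context> if it was missing."""
    status = cookie_processor_status(context_xml)
    if status == "ok":
        return context_xml  # idempotent: nothing to change
    if status != "missing":
        raise ValueError("CookieProcessor is %s; review the file by hand" % status)
    end = context_xml.rfind("</Context>")
    if end == -1:
        raise ValueError("no </Context> closing tag (self-closing element?)")
    # Text insertion keeps existing comments and formatting untouched.
    return context_xml[:end] + ELEMENT + context_xml[end:]

# Constructed sample input, not a copy of the Spotfire Server file.
# The element is present only inside a comment, so it is not active.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <!-- <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" /> -->
</Context>
"""

if __name__ == "__main__":
    print("before:", cookie_processor_status(SAMPLE))
    fixed = ensure_cookie_processor(SAMPLE)
    print("after: ", cookie_processor_status(fixed))
```

Run it against a copy of tomcat/conf/context.xml read into a string, and keep a backup of the original file before writing any change back.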

Additional Information

External: The Cookie Processor Component