Can anybody advise on it?

Kerberos Authentication fails. Can anybody advise on it? Thanks a lot.

After following the manual to configure Kerberos authentication on Spotfire Server (6.5), I failed to use the Spotfire thick client to log on. The log shows,

      ERROR 2015-09-15T22:48:35,936-0500 [unknown, #1] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
      GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

Try 1:

- Download JCE for 1.7, and put the two policy files under the jre/lib/security folder

- Restart Spotfire server

- Start the thick client. The log shows a different error:

      ERROR 2015-09-16T21:38:22,098-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action

      GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

Try 2:

- Since the above error indicates that a key of type AES256 is not found, re-generate the keytab with the command below:

       ktpass /princ HTTP/xxx.xxx.xxx:9191@XXX.XXX /ptype krb5_nt_principal /crypto all /mapuser spotsvc /out spotfire.keytab -kvno 0 /pass *

- Then copy this new keytab to the server

- Restart Spotfire server

- Start the thick client. The log shows a different error:

     ERROR 2015-09-17T13:07:36,376-0500 [unknown, #0] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action

     GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Try 3:

- Modify Krb5.conf to add the AES256 type:

                default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

                default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

- Restart Spotfire server

- Start the thick client. The log shows the same error as in Try 2.
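
The errors above name a specific encryption type, so it helps to list which principals, key version numbers and encryption types a keytab such as spotfire.keytab actually holds. The following is an added example, not part of the original post or of Spotfire: a small parser that assumes the file is in MIT keytab format version 0x0502, run here on constructed sample data with a hypothetical principal and all-zero keys.

```python
import struct

# Kerberos enctype numbers for the types relevant to the errors in the post
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):  # read a 16-bit length-prefixed byte string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # negative size marks a deleted entry
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        names, p = [], p + 2
        for _ in range(ncomp + 1):       # realm first, then the name components
            s, p = _counted(data, p)
            names.append(s.decode())
        # skip name type (4 bytes) and timestamp (4 bytes)
        kvno, etype = struct.unpack_from(">BH", data, p + 8)
        _key, p = _counted(data, p + 11)
        if end - p >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        principal = "/".join(names[1:]) + "@" + names[0]
        out.append((principal, kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return out

def build_entry(realm, comps, kvno, etype, key):
    """Build one entry of constructed test data (all-zero key, not a real secret)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

_NAME = [b"HTTP", b"host.example.test"]  # hypothetical principal
SAMPLE = (b"\x05\x02" + build_entry(b"EXAMPLE.TEST", _NAME, 3, 23, b"\0" * 16)
          + build_entry(b"EXAMPLE.TEST", _NAME, 3, 18, b"\0" * 32))
```

To inspect a real file, pass its bytes to `parse_keytab`, for example `parse_keytab(open("spotfire.keytab", "rb").read())`.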
