Kerberos authentication failed

Hi all,

I have installed Spotfire Server and I'm trying to configure Kerberos and LDAP GSSAPI. From the configuration tool I'm able to interrogate LDAP and add the users. Also, from the command line I'm able to get a Kerberos ticket using the principal and keytab.

After following all steps of the official documentation to configure Kerberos authentication on Spotfire Server (7.10), without any kind of problem, I failed to authenticate on Spotfire Server Web App.

The log shows:

      ERROR 2015-09-15T22:48:35,936-0500 [unknown, #1] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
      GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

Any advice?

Thanks a lot,

Giandomenico

3 Comments

Hello,

From the documentation:

> setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -S HTTP/<hostname>[:<port>] <service account name>

> setspn -S HTTP/<fully qualified hostname> <service account name>

> setspn -S HTTP/<hostname> <service account name>

https://docs.tibco.com/pub/spotfire_server/7.11.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-3391E621-6DE0-4A93-AA3E-2EE6F2633545.html

Sayali Patil - Nov 29, 2017 - 9:09am ::

Hi,

We have registered two SPNs:

HTTPS/tibcosrv01.xx.example.it:443

HTTPS/tibcosrv01.xx.example.it

But the authentication fails.

Any advice?

Thanks,

Giandomenico

giandomenico.av... - Nov 29, 2017 - 2:45am ::

Hello,

By default, a client does not include a port number in the SPN within the TGS request for Kerberos authentication. The authentication fails as the SPN without a port is not registered in the Domain Controller.

Have you registered SPNs using the hostname:port as well as one with just the hostname? If not, please give it a try.

Sayali Patil - Nov 29, 2017 - 12:51am ::
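An added example, not part of the thread or of the Spotfire documentation: a check that compares the output of `setspn -L <service account name>` with the four `HTTP/` forms from the quoted `setspn -S` commands, reporting missing forms and SPNs for the same host under another service class. The listing and the account name `svc-spotfire` are constructed placeholders, and the function names are hypothetical.

```python
import re

def documented_spns(fqdn, port=None):
    """SPN forms from the quoted setspn -S commands (HTTP/ service class)."""
    hosts = [fqdn, fqdn.split(".")[0]]
    spns = [f"HTTP/{h}" for h in hosts]
    if port is not None:
        spns += [f"HTTP/{h}:{port}" for h in hosts]
    return spns

def parse_setspn_listing(text):
    """Extract SPNs from `setspn -L` output: the indented lines under the header."""
    spns = []
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+/\S+)\s*$", line)
        if m:
            spns.append(m.group(1))
    return spns

def audit(fqdn, port, listing):
    """Return documented forms that are missing, plus same-host SPNs not under HTTP/."""
    registered = parse_setspn_listing(listing)
    have = {s.lower() for s in registered}  # SPNs compare case-insensitively
    missing = [s for s in documented_spns(fqdn, port) if s.lower() not in have]
    names = {fqdn.lower(), fqdn.split(".")[0].lower()}
    other_class = []
    for spn in registered:
        service, _, rest = spn.partition("/")
        host = rest.split(":")[0].lower()
        if host in names and service.upper() != "HTTP":
            other_class.append(spn)
    return {"missing": missing, "other_service_class": other_class}

# Constructed sample: a listing holding the two SPNs reported in the thread.
# The account DN is a placeholder, not a value from the page.
SAMPLE = (
    "Registered ServicePrincipalNames for "
    "CN=svc-spotfire,OU=Service Accounts,DC=xx,DC=example,DC=it:\n"
    "\tHTTPS/tibcosrv01.xx.example.it:443\n"
    "\tHTTPS/tibcosrv01.xx.example.it\n"
)

if __name__ == "__main__":
    report = audit("tibcosrv01.xx.example.it", 443, SAMPLE)
    for key, values in report.items():
        print(key)
        for value in values:
            print("   ", value)
```
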