Kerberos SSO Spotfire

Hi all,

We have configured Spotfire Server and Web Player to use Kerberos SSO authentication. The Server is installed on a Linux server and its service runs as the root user. The Web Player is installed on a Windows server and runs as a service account user. We are able to log in to the Spotfire Server web UI and from the Analyst client. From Analyst we are also able to run reports that use a kerberized data source.

The issue is with report visualization through the Spotfire Server web UI. I think it could be a delegation problem. How do we have to configure delegation in this case?

This is the error:

ERROR 2018-02-26T11:24:17,114+0100 [user@TEST.COM, #27, #65357] wp.router.DelegatingStrategy: Kerberos login to webplayerserver.test.com failed. Response status: 401, response body: "Could not authenticate user 'user@TEST.COM'."
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized (Could not authenticate user 'user@TEST.COM'.)
        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:628) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:423) ~[spring-web.jar:4.3.7.RELEASE]
        at com.spotfire.server.wp.router.LoginExecutor.executeWithAuthorization(DelegatingStrategy.java:284) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.DelegatingStrategy.lambda$doDelegate$0(DelegatingStrategy.java:172) ~[common-services.jar:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_131]
        at com.spotfire.server.wp.router.DelegatingStrategy.doDelegate(DelegatingStrategy.java:138) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.DelegatingStrategy.doLogin(DelegatingStrategy.java:91) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.RequireDelegationStrategy.login(RequireDelegationStrategy.java:50) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.HttpLoginAndRetryService.loginKerberos(HttpLoginAndRetryService.java:436) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.HttpLoginAndRetryService.loginIfNeeded(HttpLoginAndRetryService.java:411) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.HttpLoginAndRetryService.executeWithLogin(HttpLoginAndRetryService.java:230) ~[common-services.jar:?]
        at com.spotfire.server.wp.router.HttpLoginAndRetryService.postForObject(HttpLoginAndRetryService.java:119) ~[common-services.jar:?]
        at com.spotfire.server.wp.controller.ViewAnalysisController.getAnalysisInfoByLibItemId(ViewAnalysisController.java:691) ~[common-services.jar:?]
        at com.spotfire.server.wp.controller.ViewAnalysisController.openAnalysis(ViewAnalysisController.java:276) ~[common-services.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_131]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_131]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) ~[servlet-api.jar:?]
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[spring-webmvc.jar:4.3.7.RELEASE]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) ~[servlet-api.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-websocket.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1021) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$AuthConstraintFilter.doFilter(SecurityFilter.java:920) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:987) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1016) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$AuthenticationFilter.doFilter(SecurityFilter.java:338) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:987) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1016) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$UserDataConstraintFilter.doFilter(SecurityFilter.java:860) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:987) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1016) ~[server.jar:?]
        at com.spotfire.server.security.SecurityFilter.doFilter(SecurityFilter.java:160) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.CustomAuthFilterWrapper.doFilter(CustomAuthFilterWrapper.java:89) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.CsrfFilter.doFilter(CsrfFilter.java:64) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.HttpMethodsFilter.doFilter(HttpMethodsFilter.java:179) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.headers.HeadersFilter.doFilter(HeadersFilter.java:195) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.AccessLogFilter.doFilter(AccessLogFilter.java:73) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at com.spotfire.server.security.RequestContextFilter.doFilter(RequestContextFilter.java:117) ~[server.jar:?]
        at com.spotfire.server.security.AbstractFilter.doFilter(AbstractFilter.java:124) ~[server.jar:?]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web.jar:4.3.7.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web.jar:4.3.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:8.5.16]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[catalina.jar:8.5.16]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) ~[catalina.jar:8.5.16]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[catalina.jar:8.5.16]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[catalina.jar:8.5.16]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) ~[tomcat-coyote.jar:8.5.16]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:8.5.16]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-coyote.jar:8.5.16]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) ~[tomcat-coyote.jar:8.5.16]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:8.5.16]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.5.16]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

 

Any advice and suggestions will be greatly appreciated.

(4) Answers
