Common issues when using impersonation in TIBCO Spotfire® Web Player

Last updated:
10:37am Dec 02, 2015

Introduction

Impersonation is a complementary authentication method, typically used by the TIBCO Spotfire® Web Player, that allows super-users, known as impersonators, to assume the identity of a specified user. This article lists the most common reasons why impersonation fails and how to resolve them.

Symptoms

The Web Player will display one of the following error messages:

The user  could not be identified.
Could not authenticate user 'username'.

The Web Player log will typically contain authentication errors:

INFO  2013-01-18 14:30:17,262 [10, (null)] Spotfire.Dxp.Services.Authenticator - Failed to authenticate user 'username': non_auth.

System.FormatException: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
   at System.Guid.GuidResult.SetFailure(ParseFailureKind failure, String failureMessageID, Object failureMessageFormatArgument, String failureArgumentName, Exception innerException)
   at System.Guid.TryParseGuidWithNoStyle(String guidString, GuidResult& result)
   at System.Guid.TryParseGuid(String g, GuidStyles flags, GuidResult& result)
   at System.Guid..ctor(String g)
   at Spotfire.Dxp.Services.Authenticator.Authenticate(SpotfireIdentity identity, PrincipalProvider provider)

ERROR 2013-01-18 14:30:17,262 [10, (null)] Spotfire.Dxp.Web.BasicWebAuthenticator - Failed to login user '' from windows identity.

System.Security.Authentication.AuthenticationException: The user  could not be identified.
   at Spotfire.Dxp.Services.Authenticator.Authenticate(SpotfireIdentity identity, PrincipalProvider provider)
   at Spotfire.Dxp.Web.WebAuthenticator.PerformAuthenticate(SpotfireIdentity identity, PrincipalProvider provider, Boolean createUserSession)
   at Spotfire.Dxp.Web.BasicWebAuthenticator.SessionStart(HttpContext context)

Cause

There are several possible causes:

  • Impersonation has not been enabled on the Spotfire server
  • The impersonation user is not permitted to use the impersonation feature
  • The (Web Player) hostname is not permitted to use the impersonation feature
  • Wrong impersonation username or password

Resolution

The resolution depends on the cause. The server.log (\tomcat\logs\server.log) can be used to determine the proper resolution path. Here are some examples from server.log:

Impersonation not allowed, the feature is not enabled

INFO 2013-01-18 14:34:34,764 [,#6] security.config.ImpersonationConstraint: Impersonation not allowed, the feature is not enabled

Impersonation must be enabled using the 'config-impersonation-auth' command.

Impersonation not allowed, cannot be done by user ''

INFO 2013-01-18 14:40:43,397 [,#2] security.config.ImpersonationConstraint: Impersonation not allowed, cannot be done by user ''

Impersonation must be enabled for the user using the 'config-impersonation-auth' and the '--allowed-users' flag.

Impersonation not allowed from IP address

INFO 2013-01-18 14:47:45,121 [,#8] security.config.ImpersonationConstraint: Impersonation not allowed from IP address

Impersonation must be enabled for the hostname or IP address from which the Web Player connects to the Spotfire server. This is done with the 'config-impersonation-auth' command and the '--allowed-hosts' flag. Note that the host can be given either as an IP address or as a valid DNS hostname that the Web Player's connecting IP address resolves to in a reverse lookup. A Windows (NetBIOS) computer name will not work.

Failed to authenticate user '': illegal password

INFO 2013-01-18 14:54:17,923 [unknown, #2] jaas.dblogin.DBLoginModule: Failed to authenticate user '': illegal password

From the error message above it is clear that the password is wrong and needs to be corrected. There will also be a problem if the password is correct but the user is not authorized to log in to the Spotfire Server. A common mistake is to forget to type the domain as part of the username. The username should be entered as 'DOMAIN\username' in the Web Player's web.config file (\webroot\web.config).

Example:

    Username: domain\impersonationaccount
    Password: ninja
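
As an added troubleshooting aid (not part of the original article or of the Spotfire product), the following Python script sorts server.log lines into the four causes listed above and checks two of the configuration pitfalls: a username without the DOMAIN\ prefix and an '--allowed-hosts' entry that is a flat NetBIOS-style name rather than an IP address or DNS hostname. The sample log lines are constructed from the messages quoted in this article; the cause labels and fix texts are assumed names, not Spotfire output.

```python
import ipaddress
import re

# Constructed sample server.log lines, modelled on the messages quoted in this article.
SAMPLE_SERVER_LOG = """\
INFO 2013-01-18 14:34:34,764 [,#6] security.config.ImpersonationConstraint: Impersonation not allowed, the feature is not enabled
INFO 2013-01-18 14:40:43,397 [,#2] security.config.ImpersonationConstraint: Impersonation not allowed, cannot be done by user ''
INFO 2013-01-18 14:47:45,121 [,#8] security.config.ImpersonationConstraint: Impersonation not allowed from IP address
INFO 2013-01-18 14:54:17,923 [unknown, #2] jaas.dblogin.DBLoginModule: Failed to authenticate user '': illegal password
"""

# (regex on the message, assumed cause label, fix from the article), tried in this order.
CAUSES = [
    (r"the feature is not enabled", "feature_disabled", "enable the feature with config-impersonation-auth"),
    (r"cannot be done by user '(?P<user>[^']*)'", "user_not_allowed", "add the user with config-impersonation-auth --allowed-users"),
    (r"not allowed from IP address", "host_not_allowed", "add the Web Player's IP or reverse-resolvable DNS name with --allowed-hosts"),
    (r"illegal password", "bad_credentials", "fix the password in web.config and use the DOMAIN\\username form"),
]

def triage_server_log(text):
    """Return (timestamp, cause, user, fix) for each impersonation failure line in the log."""
    findings = []
    for line in text.splitlines():
        # level, timestamp, [thread], logger: message
        if not (m := re.match(r"\S+\s+(\S+ \S+)\s+\[[^\]]*\]\s*(\S+): (.*)$", line)):
            continue
        stamp, logger, msg = m.groups()
        # Only the two loggers shown in the article report impersonation failures.
        if not logger.endswith(("ImpersonationConstraint", "DBLoginModule")):
            continue
        for pattern, cause, fix in CAUSES:
            hit = re.search(pattern, msg)
            if hit:
                findings.append((stamp, cause, hit.groupdict().get("user"), fix))
                break
    return findings

def check_impersonation_user(username):
    """True only if the web.config username has the DOMAIN\\ prefix the article calls for."""
    return re.fullmatch(r"[^\\\s]+\\[^\\\s]+", username) is not None

def classify_allowed_host(entry):
    """'ip', 'dns' or 'netbios': a flat NetBIOS-style name never matches a reverse lookup."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        return "dns" if "." in entry else "netbios"
```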

General recommendations

If you encounter problems, it is recommended to enable impersonation without any restrictions first and get it working before adding restrictions on allowed users and hosts. However, leaving impersonation unrestricted is not recommended, because it is a potential security risk.

Verified in versions

  • TIBCO Spotfire® server 4.5 or 5.0
  • TIBCO Spotfire® Web Player 4.5 or 5.0 configured for any of the following authentication methods:
      • Single Sign-On Using Impersonation with Kerberos Login System
      • Single Sign-On Using Impersonation with NTLM Login System
      • Single Sign-On Using Impersonation with Basic Login System
      • Anonymous (Preconfigured) Access

References

Web Player Installation Manual

TIBCO Spotfire® Server Manual