Create a Service Account in Active Directory
The first step is to create a service account in Active Directory. This account is used for delegation.
Note that this service account is just a normal user account created in Active Directory; the only difference from a regular user account is that its password is set to never expire.
Refer to the screenshot below:
Setup Service Principal Names (SPNs)
Execute the following commands to register Service Principal Names (SPNs).
NOTE:
If your Spotfire server is running on non-default ports (other than 80 or 443), you will need to register two more SPNs that include the port number.
COMMAND SYNTAX:
setspn -s HTTP/<Spotfire server hostname>.<FQDN> <service account name>
setspn -s HTTP/<Spotfire server hostname> <service account name>
In the example below, the Spotfire server hostname is "Spot780" and the Spotfire server FQDN is "spot780.east.local" (where east.local is the domain name).
setspn -s HTTP/spot780.east.local svcspot
setspn -s HTTP/spot780 svcspot
Once the service principal names are registered, confirm that they were registered successfully in your domain with the following command:
setspn -l <spotfire server service account name>
setspn -l svcspot
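The following PowerShell script is an added example and is not part of the original article or of TIBCO's tooling. It registers the two SPNs from the steps above (plus the port-qualified pair when Spotfire is not on 80/443, as the note describes) and then performs the check a practitioner most wants: that no other account already holds the same SPN, since a duplicate SPN is the usual reason a Kerberos logon fails or silently falls back to NTLM. The hostname, domain and account names are the article's example values; the output strings matched from setspn.exe ("Existing SPN found", "found 0 group") are assumptions about that tool's text.

```powershell
# Added example, not from the original article: register the Spotfire HTTP SPNs
# with setspn.exe and verify them. Assumed values follow the article (host
# spot780, domain east.local, account svcspot); $Port is only used when Spotfire
# listens on something other than 80/443, as the article's note describes.
param(
    [string]$Hostname = 'spot780',
    [string]$Domain   = 'east.local',
    [string]$Account  = 'svcspot',
    [int]$Port        = 0
)
$fqdn = "$Hostname.$Domain"
$spns = @("HTTP/$fqdn", "HTTP/$Hostname")
if ($Port -gt 0 -and $Port -ne 80 -and $Port -ne 443) {
    $spns += "HTTP/${fqdn}:$Port"
    $spns += "HTTP/${Hostname}:$Port"
}

foreach ($spn in $spns) {
    # setspn -Q shows which account, if any, already holds the SPN. Two holders
    # is the classic misconfiguration: the KDC cannot pick one key, so browsers
    # fail the Kerberos handshake or silently fall back to NTLM.
    # (Assumed output text; the DN check also assumes the account's CN equals
    # its logon name, as it does for the article's svcspot.)
    $query = setspn -Q $spn | Out-String
    if ($query -match 'Existing SPN found') {
        if ($query -match [regex]::Escape("CN=$Account,")) {
            Write-Host "OK      $spn already registered to $Account"
            continue
        }
        throw "$spn is already held by another account:`n$query"
    }
    # -S is the duplicate-checking form of -A (the article's lower-case -s is
    # the same switch).
    setspn -S $spn $Account | Out-Null
    Write-Host "ADDED   $spn -> $Account"
}

# Final checks: every expected SPN is listed on the account (the article's
# "setspn -l" step), and the domain has no duplicate SPNs anywhere.
$listed  = setspn -L $Account | Out-String
$missing = $spns | Where-Object { $listed -notmatch [regex]::Escape($_) }
if ($missing) { throw "Not found on $($Account): $($missing -join ', ')" }

$dups = setspn -X | Out-String
if ($dups -notmatch 'found 0 group') {
    Write-Warning "Duplicate SPNs exist in the domain, review before continuing:`n$dups"
}
Write-Host "All SPNs present on $Account : $($spns -join ', ')"
```

Run it from an elevated PowerShell on a domain-joined machine that has the AD DS tools (setspn.exe) installed; pass -Port 8080, for example, when the Spotfire server listens on a non-default port.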
Generate Keytab file using KTPASS
Generate the keytab file using the KTPASS command.
COMMAND SYNTAX:
ktpass /princ HTTP/<Spotfire server hostname FQDN>@<DOMAIN NAME> /mapuser <domain\service account> /ptype krb5_nt_principal /crypto rc4-hmac-nt /out spotfire.keytab /pass <service account password> /kvno 0
Example:
In our example below, the following details are used in the KTPASS command:
<Spotfire server hostname FQDN> : spot780.east.local
<DOMAIN NAME> : east.local
<domain\service account> : east\svcspot
<service account password> : Spotfire123
ktpass /princ HTTP/spot780.east.local@EAST.LOCAL /mapuser east\svcspot /ptype krb5_nt_principal /crypto rc4-hmac-nt /out spotfire.keytab /pass Spotfire123 /kvno 0
As seen in the screenshot above, executing the KTPASS command creates a new keytab file named spotfire.keytab in the c:\ drive. Copy this file to the following directory on the Spotfire server:
"<Spotfire server install directory>\jdk\jre\lib\security"
In our example we will copy spotfire.keytab to C:\tibco\tss\7.11.0\jdk\jre\lib\security
Update KRB5.conf
The krb5.conf file is located in the <installation dir>\tomcat\spotfire-config folder. Before editing it, take a backup of the original krb5.conf.
SYNTAX:

[libdefaults]
    default_realm = <YOUR DOMAIN NAME IN UPPER CASE>
    default_keytab_name = <name of the keytab file generated with the KTPASS cmd>
    default_tkt_enctypes = <encryption type>
    default_tgs_enctypes = <encryption type>
    forwardable = true

[realms]
    <YOUR DOMAIN IN UPPER CASE> = {
        kdc = <fqdn of the domain controller; you may list multiple DCs here>
        admin_server = <domain name>
        default_domain = <domain name>
    }

[domain_realm]
    .<domain name in lower case> = <DOMAIN NAME IN UPPER CASE>
    <domain name in lower case> = <DOMAIN NAME IN UPPER CASE>

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

EXAMPLE: The updated contents would look like:

[libdefaults]
    default_realm = EAST.LOCAL
    default_keytab_name = spotfire.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    forwardable = true

[realms]
    EAST.LOCAL = {
        kdc = dc.east.local
        admin_server = east.local
        default_domain = east.local
    }

[domain_realm]
    .east.local = EAST.LOCAL
    east.local = EAST.LOCAL

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
KINIT command to verify keytab
Once the krb5.conf file is updated, it is now time to test if the keytab file generated using the KTPASS command is valid and can generate a ticket. We will execute the KINIT command to verify this.
NOTE: The KINIT tool exists in <Spotfire Server install drive>\tibco\tss\7.11.0\jdk\bin folder.
COMMAND SYNTAX:
kinit.exe -k -t <keytab file location\keytab file name> HTTP/<Spotfire server hostname FQDN>@<DOMAIN NAME>
Example:
C:\tibco\tss\7.5.0\jdk\bin>kinit.exe -k -t C:\tibco\tss\7.11.0\jdk\jre\lib\security\spotfire.keytab HTTP/spot780.east.local@EAST.LOCAL
Since the above command was executed from a command prompt launched as an administrator (the nsawe user is an administrator), a new ticket is stored in the c:\users\nsawe folder. Browse to this folder and remove this ticket before proceeding to the next step.
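The script below is an added example, not code from the original article or from TIBCO; it strings together the three previous steps (KTPASS keytab, krb5.conf update, KINIT check) so that the keytab, the enctype in krb5.conf and the KDC are verified against each other in one run. Assumed values follow the article (east\svcspot, HTTP/spot780.east.local@EAST.LOCAL, install root C:\tibco\tss\7.11.0, KDC dc.east.local). Two caveats a practitioner should know: ktpass with /mapuser and /pass sets that password on the account, so use the account's real current password; and the /crypto choice must match the enctype names written to krb5.conf (the article uses rc4-hmac-nt / rc4-hmac; AES256-SHA1 / aes256-cts-hmac-sha1-96 is the stronger pairing on current domain controllers). The JAVA_TOOL_OPTIONS setting is how the JDK's kinit is pointed at the Spotfire krb5.conf, since by default it looks only in its own lib\security folder or C:\Windows\krb5.ini.

```powershell
# Added example, not from the original article: generate the keytab with
# ktpass, back up and rewrite krb5.conf, then prove the keytab with the JDK's
# kinit. Assumed values follow the article; adjust them to your domain.
param(
    [string]$InstallRoot = 'C:\tibco\tss\7.11.0',
    [string]$Realm       = 'EAST.LOCAL',
    [string]$Kdc         = 'dc.east.local',
    [string]$Principal   = 'HTTP/spot780.east.local',
    [string]$MapUser     = 'east\svcspot',
    # $Crypto is the ktpass name, $EncType the matching krb5.conf name:
    #   rc4-hmac-nt  -> rc4-hmac            (the article's choice)
    #   AES256-SHA1  -> aes256-cts-hmac-sha1-96 (recommended)
    # A mismatch makes kinit fail with "no supported encryption types".
    [string]$Crypto      = 'rc4-hmac-nt',
    [string]$EncType     = 'rc4-hmac'
)
$ErrorActionPreference = 'Stop'
$domainLower = $Realm.ToLower()
$keytab      = Join-Path $InstallRoot 'jdk\jre\lib\security\spotfire.keytab'
$krb5conf    = Join-Path $InstallRoot 'tomcat\spotfire-config\krb5.conf'

# 1. Keytab, written straight into the lib\security folder the article copies
#    it to. "/pass *" makes ktpass prompt for the password, so it never sits in
#    the console history or in this script. Note that ktpass SETS this password
#    on the mapped account, so a typo here resets the service account password.
& ktpass /princ "$Principal@$Realm" /mapuser $MapUser /ptype krb5_nt_principal `
         /crypto $Crypto /out $keytab /pass * /kvno 0
if (-not (Test-Path $keytab)) { throw "ktpass did not produce $keytab" }

# 2. krb5.conf: back up the original (as the article asks), then write the
#    article's layout with the enctype that matches the keytab. ASCII avoids a
#    UTF-8 BOM at the start of the file, which Java's parser does not expect.
Copy-Item $krb5conf "$krb5conf.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
$conf = @"
[libdefaults]
    default_realm = $Realm
    default_keytab_name = spotfire.keytab
    default_tkt_enctypes = $EncType
    default_tgs_enctypes = $EncType
    forwardable = true

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $domainLower
        default_domain = $domainLower
    }

[domain_realm]
    .$domainLower = $Realm
    $domainLower = $Realm

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
"@
Set-Content -Path $krb5conf -Value $conf -Encoding ASCII

# 3. kinit against the KDC using the keytab. JAVA_TOOL_OPTIONS is read by every
#    JVM the JDK launchers start, so this points kinit at the Spotfire
#    krb5.conf just written instead of the JDK's own default locations.
$env:JAVA_TOOL_OPTIONS = "-Djava.security.krb5.conf=$krb5conf"
try {
    & (Join-Path $InstallRoot 'jdk\bin\kinit.exe') -k -t $keytab "$Principal@$Realm"
    if ($LASTEXITCODE -ne 0) {
        throw "kinit failed (exit $LASTEXITCODE): check the SPN, enctype and kvno"
    }
} finally {
    Remove-Item Env:\JAVA_TOOL_OPTIONS
}

# The JDK kinit stores the ticket as %USERPROFILE%\krb5cc_<user> (this is the
# file the article says to delete before continuing), so remove it here.
$cache = Join-Path $env:USERPROFILE "krb5cc_$env:USERNAME"
if (Test-Path $cache) { Remove-Item $cache }
Write-Host "Keytab verified for $Principal@$Realm; ticket cache removed."
```

Run from an elevated prompt on a domain-joined host that has the AD DS tools (ktpass.exe) installed. A successful run proves three things at once: the account's key in the keytab matches the KDC, the enctype in krb5.conf is one the keytab actually contains, and the kvno is accepted.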
Enable delegation on service account
To set up the service account for Kerberos delegation, open the service account's properties on your domain controller. The Delegation tab becomes available once the KTPASS command has been executed. On the Delegation tab, select the second option to trust this user account for delegation to any service, or select the third option to grant this user delegation rights for specific services only.
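As an added example (not part of the original article), the following PowerShell reads back what the Delegation tab actually wrote to the account, using the RSAT ActiveDirectory module. The second radio button sets the TrustedForDelegation flag (unconstrained delegation: the account may impersonate any user who authenticates to it, towards any service), while the third fills msDS-AllowedToDelegateTo (constrained delegation, the least-privilege option). The account name is the article's svcspot; everything else is standard attribute names.

```powershell
# Added example, not from the original article: audit how the Spotfire service
# account ended up configured after the Delegation tab was set, using the RSAT
# ActiveDirectory module. Assumed account name: svcspot.
param([string]$Account = 'svcspot')
Import-Module ActiveDirectory

$props = 'ServicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PasswordNeverExpires', 'Enabled'
$u = Get-ADUser -Identity $Account -Properties $props

# Map the raw attributes back to the radio buttons on the Delegation tab:
#  - option 2 "any service"              -> TrustedForDelegation (unconstrained)
#  - option 3 "specified services only"  -> msDS-AllowedToDelegateTo (constrained);
#    its "use any authentication protocol" sub-option also sets
#    TrustedToAuthForDelegation (protocol transition).
$mode = if ($u.TrustedForDelegation) {
    'Unconstrained (trust for delegation to any service)'
} elseif ($u.'msDS-AllowedToDelegateTo') {
    if ($u.TrustedToAuthForDelegation) { 'Constrained, any protocol (protocol transition)' }
    else { 'Constrained, Kerberos only' }
} else {
    'None (Delegation tab left at "Do not trust this user for delegation")'
}

[pscustomobject]@{
    Account              = $u.SamAccountName
    Enabled              = $u.Enabled
    PasswordNeverExpires = $u.PasswordNeverExpires   # the article expects $true
    SPNs                 = ($u.ServicePrincipalName -join '; ')
    DelegationMode       = $mode
    DelegateTo           = ($u.'msDS-AllowedToDelegateTo' -join '; ')
}

# Findings a reviewer would raise. Unconstrained delegation lets anyone who
# controls this account reuse every delegated user's ticket against any
# service, so the constrained list (option 3) with only the back-end services
# Spotfire must reach is the safer end state.
if ($u.TrustedForDelegation) {
    Write-Warning "$Account has unconstrained delegation; prefer option 3 with an explicit service list."
}
if (-not ($u.ServicePrincipalName -match '^HTTP/')) {
    Write-Warning "No HTTP/ SPN on $Account; the Delegation tab will not appear and Kerberos logon will fail."
}
```

Run it from a host with RSAT installed as a user who can read the account; the object it emits is the state to record in your change ticket, and the warning lines are the two things worth fixing before going live.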
Configure authentication in Spotfire server configuration tool
Open the Spotfire Server configuration tool from the Windows Start menu, or on the Spotfire Server browse to the following folder:
<Spotfire Server install drive>\tibco\tss\7.11.0\tomcat\bin
Right-click uiconfig.bat, choose Run as administrator to launch the configuration tool, and enter the tool password.
- Click on the Configuration tab, then Configuration Start, and choose Kerberos as the authentication method (as shown below).
- Click on "Authentication: Kerberos" in the left pane and, on the right, enter the Service Principal Name. Note: the SPN is the one used in the KTPASS command executed above; in our example it is HTTP/spot780.east.local@EAST.LOCAL.
- Leave the keytab file location as is if you copied the keytab to the lib\security folder under the Spotfire Server install folder.
- Click Save configuration, enter a comment, and import the configuration settings to the database.
- Restart the Spotfire Service through Windows Services.
Note: Check out the video tutorial showing the Kerberos configuration.