TIBCO Spotfire® Server and Environment - Installation and Administration

Setting up Kerberos authentication on nodes

After setting up Kerberos authentication on Spotfire Server, you must set it up for the nodes in your environment.

Note: If you use Kerberos delegation, your Spotfire Server and Node Managers must be installed on different computers.

The account used to run the node manager service must be trusted for delegation, and you might need to register Service Principal Names (SPN) for that account. Also, all web client users must be given permission to modify the node manager services folder.

  • If the node manager service is run using the local machine account, open the Active Directory Users and Computers MMC snap-in, select the machine account, and then select Trust this computer for delegation to any service.
  • If the node manager service is run using a specified user account, open the Active Directory Users and Computers MMC snap-in, select the user account, and then select Trust this user for delegation to any service.
    In this case you must also register Service Principal Names (SPN) for that account, both with the fully qualified hostname and with the short hostname:

    > setspn -S HTTP/<fully qualified node hostname>[:<port>] <node service account name>
    > setspn -S HTTP/<node hostname>[:<port>] <node service account name>

For information on how to register SPNs, see Registering Service Principal Names.

All web client user accounts must be given permission to modify the folder nm\services. This permission allows the delegated users to read, write, and delete temp files.

Note: As of Spotfire version 7.7, the default delegation policy is "REQUIRE". This means that if Spotfire Server cannot delegate end user credentials, users will not be able to open analyses in the web client. Prior to this, the default delegation policy was to open analyses using impersonation if delegation failed. For details on this option, see config-kerberos-auth.
Note: If Spotfire Connectors are used for the Web Player service, all delegated web client users must also have access to the applicable connector drivers.
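As an added check, not part of the Spotfire documentation, the following PowerShell script verifies the three node-side requirements described above: the delegation flag on the service account, the two HTTP SPNs (and that no other object holds them), and which identities have Modify on the nm\services folder. It assumes the ActiveDirectory module (RSAT) is installed; the account name, hostnames and folder path are constructed placeholders.

```powershell
# Added verification script, not part of the Spotfire documentation. Assumes the
# ActiveDirectory module (RSAT) is installed and the node manager service runs as a
# domain user account. All names below are constructed placeholders.
param(
    [string]$ServiceAccount = 'svc-nodemanager',           # assumed sAMAccountName
    [string]$NodeHost       = 'node01',                    # assumed short hostname
    [string]$NodeFqdn       = 'node01.corp.example',       # assumed FQDN
    [int]   $Port           = 0,                           # 0 = no :port suffix on the SPN
    [string]$ServicesFolder = 'C:\tibco\tss\nm\services'   # assumed nm\services path
)
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, TrustedForDelegation

# 1. "Trust this user for delegation to any service" sets TrustedForDelegation
#    (unconstrained delegation), which is what the node manager account needs here.
if ($acct.TrustedForDelegation) {
    Write-Output "OK      $ServiceAccount is trusted for delegation"
} else {
    Write-Warning "$ServiceAccount is NOT trusted for delegation; end-user credentials cannot be delegated"
}

# 2. Both SPNs from the setspn commands above must be present on the account.
$suffix   = if ($Port -gt 0) { ":$Port" } else { '' }
$expected = @("HTTP/$NodeFqdn$suffix", "HTTP/$NodeHost$suffix")
foreach ($spn in $expected) {
    if ($acct.servicePrincipalName -contains $spn) {
        Write-Output "OK      $spn"
    } else {
        Write-Warning "MISSING $spn  (register with: setspn -S $spn $ServiceAccount)"
    }
    # An SPN held by more than one object breaks Kerberos for that service;
    # setspn -Q prints one 'CN=...' line per object that holds the SPN.
    $owners = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on $($owners.Count) objects: $($owners -join '; ')"
    }
}

# 3. Delegated web client users need Modify on nm\services; list who has it.
if (Test-Path $ServicesFolder) {
    $modify = (Get-Acl $ServicesFolder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights.ToString() -match 'Modify|FullControl' } |
        Select-Object -ExpandProperty IdentityReference
    Write-Output "Identities with Modify on ${ServicesFolder}: $($modify -join ', ')"
} else {
    Write-Warning "$ServicesFolder not found; run this on the node or adjust -ServicesFolder"
}
```

Run it on the node (or any domain-joined machine with the AD tools, for sections 1 and 2) as a user with read access to the account and the folder; each warning maps to one of the steps above.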