TIBCO Spotfire® Server and Environment - Installation and Administration

Using Kerberos authentication with delegated credentials

Users can authenticate to different data sources using single sign-on login information. The server can delegate the user authentication to the data source, either through Information Services, or through a connector. This is possible only if you use the Kerberos single sign-on method.

About this task

If you are using a JDBC driver that supports passing the delegated user's Generic Security Standard (GSS) credentials through a connection property, then you can use constrained delegation with Information Services.

To enable constrained delegation for these drivers, add the following connection property to the corresponding Data Source Template.

    <connection-property>
      <key>spotfire.kerberos.gsscredential.property</key>
      <value>connectionPropertyName</value>
    </connection-property>

Where connectionPropertyName is driver-specific. (Refer to your driver's documentation for more information.)

Before you begin

For delegation to work, no client user account in the domain can have the setting "Account is sensitive and cannot be delegated" enabled. By default, this setting is not enabled.

Procedure

  1. Set up Kerberos authentication as described in Kerberos authentication. Make sure that users can log in with this method.
  2. Grant the right to delegate client credentials to the Spotfire Server service account that is used for client authentication.
    Note: Only the specified accounts can be delegated by the service account.
    Note: The default delegation policy is "REQUIRE". This means that if Spotfire Server cannot delegate end user credentials, end users will not be able to open analyses in the web client. Prior to Spotfire version 7.7, the default delegation policy was "TRY", which would open analyses using impersonation if delegation failed.
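
The prerequisite under "Before you begin" and the delegation right granted in step 2 can both be checked from Active Directory before users hit the "REQUIRE" policy. The following PowerShell is an added example, not part of the Spotfire documentation; it assumes the RSAT ActiveDirectory module is installed, that the service account is a user object, and that its name is the placeholder svc-spotfire.

```powershell
# Added example: pre-flight checks for Kerberos delegation.
# Assumption: RSAT ActiveDirectory module is available on this host.
Import-Module ActiveDirectory

# Assumption: placeholder sAMAccountName of the Spotfire Server service account.
$ServiceAccount = 'svc-spotfire'

# The "Account is sensitive and cannot be delegated" checkbox is stored as the
# NOT_DELEGATED bit (0x100000) in userAccountControl. The OID below is the
# LDAP bitwise-AND matching rule, so the filter returns accounts with that bit set.
$NotDelegated = 0x100000
$blocked = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NotDelegated)" |
    Select-Object SamAccountName, DistinguishedName

if ($blocked) {
    Write-Warning "$(@($blocked).Count) account(s) are marked sensitive and cannot be delegated:"
    $blocked | Format-Table -AutoSize
} else {
    Write-Output 'No user accounts are marked "sensitive and cannot be delegated".'
}

# Read the delegation settings actually granted to the service account.
$svc = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

[pscustomobject]@{
    ServiceAccount      = $svc.SamAccountName
    SPNs                = $svc.servicePrincipalName -join ', '
    AllowedToDelegateTo = $svc.'msDS-AllowedToDelegateTo' -join ', '
    Unconstrained       = $svc.TrustedForDelegation
    ProtocolTransition  = $svc.TrustedToAuthForDelegation
} | Format-List

# Constrained delegation lists its target services in msDS-AllowedToDelegateTo.
if (-not $svc.'msDS-AllowedToDelegateTo') {
    Write-Warning 'No delegation targets are configured for the service account.'
}

# TrustedForDelegation means delegation to any service, which is broader than
# the constrained delegation this procedure describes.
if ($svc.TrustedForDelegation) {
    Write-Warning 'Service account is trusted for delegation to any service; restrict it to the specified services.'
}
```

The script only reads directory attributes and changes nothing; accounts it lists in the first warning will not be able to open analyses while the delegation policy is "REQUIRE".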