You must enable constrained delegation for your nodes. It allows the service on the node to delegate user credentials to the
Spotfire Server and access external resources.
Procedure
-
On the domain controller, go to
Administrative Tools.
-
Select Active Directory Users and Computers.
-
Locate the machine accounts or user accounts that runs the node manager services.
Note: Steps 4 through 11 must be performed for each account that runs a node manager service.
-
To open the account properties, right-click the account name and then click
Properties.
-
On the
Delegation tab, select
Trust this user for delegation to specified services only.
Note: The
Delegation tab is visible only for accounts to which SPNs are mapped. If the node manager services are run by user accounts, you must first register SPNs for these. See
Setting up Kerberos authentication on nodes.
-
Select
Use any authentication protocol, and then click
Add.
-
Click
Users or Computers and select any
Spotfire Server service account.
-
Select the
http service for each
Spotfire Server service account, and then click
OK.
-
Click
Users or Computers and select any machine account or service account for a computer running the external resource you want to delegate to.
-
Select the applicable services for each account, and then click
OK.
For example the
MSSQLSvc service for delegation to a Microsoft SQL Server or the
CIFS service for delegation to a file share.
-
Click
Apply.