Setting up Kerberos authentication on nodes
After setting up Kerberos authentication on Spotfire Server, you must set it up for the nodes in your environment.
Note: If you use Kerberos delegation, your Spotfire Server and node managers must be installed on different computers.
The account used to run the node manager service must be trusted for delegation, and you might need to register Service Principal Names (SPN) for that account. Also, all web client users must be given permission to modify the node manager services folder.
- If the node manager service is run using the local machine account, open the Active Directory Users and Computers MMC snap-in, select the machine account, and then select Trust this computer for delegation to any service.
- If the node manager service is run using a specified user account, open the Active Directory Users and Computers MMC snap-in, select the user account, and then select Trust this user for delegation to any service.
If the node manager service is run using a specified user account, you must also register Service Principal Names (SPN) for that account.
> setspn -S HTTP/<fully qualified node hostname>[:<port>] <node service account name>
> setspn -S HTTP/<node hostname>[:<port>] <node service account name>
For information on how to register SPNs, see Registering Service Principal Names.
All web client user accounts must be given permission to modify the folder nm\services. This permission allows the delegated users to read, write, and delete temp files.
For information on delegation policy, see config-kerberos-auth.
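The following read-only check covers the three settings described above for the case where the node manager service runs as a specified user account. It is an added example, not part of the product documentation. It assumes the ActiveDirectory PowerShell module is installed, and the account name, host names, folder path, and group name are placeholders to replace with your own values.

```powershell
# Added example: read-only checks for the steps above (user-account case).
# All values in this block are placeholders, not values from the product documentation.
Import-Module ActiveDirectory

$Account     = 'svc-node'                    # placeholder: node service account
$NodeNames   = 'node1.example.com', 'node1'  # placeholder: FQDN and short host name
$Port        = $null                         # set only if the SPNs were registered with :<port>
$ServicesDir = 'C:\path\to\nm\services'      # placeholder: location of nm\services
$WebUsers    = 'EXAMPLE\Spotfire Web Users'  # placeholder: group holding web client users

$user = Get-ADUser -Identity $Account -Properties ServicePrincipalNames, TrustedForDelegation

# 1. Delegation flag set by "Trust this user for delegation to any service".
"TrustedForDelegation: $($user.TrustedForDelegation)"

# 2. Both HTTP SPNs must be on this account, and on no other account.
foreach ($name in $NodeNames) {
    $spn = if ($Port) { "HTTP/${name}:$Port" } else { "HTTP/$name" }
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    [pscustomobject]@{
        Spn       = $spn
        OnAccount = $user.ServicePrincipalNames -contains $spn
        Owners    = $owners.sAMAccountName -join ', '
        Duplicate = $owners.Count -gt 1   # duplicate SPNs cause Kerberos authentication to fail
    }
}

# 3. The web client users need Modify on nm\services (allow entries only).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
(Get-Acl -Path $ServicesDir).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $WebUsers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

An empty result from the third check means the group has no explicit or inherited Modify entry on the folder; membership in other groups that grant Modify is not evaluated.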
Note: If Spotfire Connectors are used for the Web Player service, all delegated web client users must also have access to the applicable connector drivers.
- Enabling constrained delegation on nodes
You must enable constrained delegation for your nodes. It allows the service on the node to delegate user credentials to the Spotfire Server and access external resources.