Enabling constrained delegation

This is the second step in the process of setting up Kerberos authentication with delegated credentials for your Spotfire implementation. It allows the Spotfire Server to delegate user credentials to nodes or to the external Information Services process.

Procedure

On the domain controller, go to Administrative Tools.
Select Active Directory Users and Computers.
Locate the Spotfire Server service account.
To open the account properties, right-click the account name and then click Properties.
On the Delegation tab, select Trust this user for delegation to specified services only.

Note: The Delegation tab is visible only for accounts to which SPNs are mapped.
Select Use any authentication protocol, and then click Add.
Do one of the following:
- For nodes, click Users or Computers and select each user account or machine account that runs the node manager service on your nodes.
  Note: If the node manager services are run by user accounts, you must first register SPNs for these. See Setting up Kerberos authentication on nodes.
- For Information Services, click Users or Computers and select the same Spotfire Server service account as in step 3.
  Note: You must select the same Spotfire service account because an Information Services process and the Spotfire Server run on the same computer.
Select the http service for each account, and then click OK.
Click Apply.

What to do next

Enabling constrained delegation on nodes