Configure Kerberos Auth on TIBCO Spotfire Server

This article details how to configure Kerberos authentication for TIBCO Spotfire.

PREREQUISITES:

NOTE:

For Kerberos Auth, having RDP running on the Spotfire Server is preferred. RDP can also be deployed on a Windows device outside the Spotfire Server or Spotfire cluster.

In that case, the following requirements must be met:

  • This server has to run within the corporate Active Directory.
  • The Spotfire service account has to be available from this device.
  • Port 4444 has to be available to listen for API responses.

The example below describes a configuration with RDP deployed separately.

1. Change Registry Settings

  1. Access HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    • OR, depending on the OS version, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
  2. Add a new parameter using:
    • Value Name: allowtgtsessionkey
    • Value Type: REG_DWORD
    • Value: 0x01

2. Copy krb5.conf File from TIBCO Spotfire Server to the RDP Machine

Locate the krb5.conf file on the TIBCO Server and copy it to the device where RDP is running.

3. Access Services and Locate Metric Insights Data Processor Daemon on RDP

  1. Right-click Metric Insights Data Processor Daemon and open Properties
  2. Choose the Log On tab
  3. Set "Log On As" so that the Data Processor Service runs as the service account used on TIBCO Spotfire
  4. Click [OK]

4. Enable Kerberos Auth under Optional Parameters in Plugin Data Source Editor

  1. Enter Kerberos as the Authentication type
  2. Specify the path to the krb5.conf file on the RDP machine
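
A read-only PowerShell check of steps 1 to 3 and the port prerequisite, to run on the RDP machine before testing the data source. This is an added example, not part of the original article or of any vendor tooling; the script's parameter names and the default krb5.conf path are assumptions, while the service display name and registry keys are the ones given above.

```powershell
# Added example: read-only check of the steps above, run on the RDP machine.
param(
    # Assumption: the Spotfire service account, in the form Services shows it.
    [Parameter(Mandatory)][string]$ServiceAccount,
    # Assumption: where krb5.conf was copied to on this machine.
    [string]$Krb5Path = 'C:\kerberos\krb5.conf',
    # Display name as it appears in Services.
    [string]$ServiceDisplayName = 'Metric Insights Data Processor Daemon'
)

function New-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# Step 1: allowtgtsessionkey must be 1 under one of the two keys (OS dependent).
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$found = foreach ($key in $keys) {
    $prop = Get-ItemProperty -Path $key -Name allowtgtsessionkey -ErrorAction SilentlyContinue
    if ($prop) { [pscustomobject]@{ Key = $key; Value = $prop.allowtgtsessionkey } }
}
$detail = if ($found) { ($found | ForEach-Object { "$($_.Key) = $($_.Value)" }) -join '; ' } else { 'value not present' }
New-Check 'allowtgtsessionkey' ([bool]($found | Where-Object Value -eq 1)) $detail

# Step 2: krb5.conf has been copied to this machine.
New-Check 'krb5.conf' (Test-Path -LiteralPath $Krb5Path -PathType Leaf) $Krb5Path

# Step 3: the daemon logs on as the Spotfire service account.
$svc = Get-CimInstance Win32_Service | Where-Object DisplayName -eq $ServiceDisplayName
if ($svc) {
    New-Check 'service logon' ($svc.StartName -eq $ServiceAccount) "runs as $($svc.StartName)"
} else {
    New-Check 'service logon' $false "service '$ServiceDisplayName' not found"
}

# Prerequisite: port 4444. Reported for information only (Ok is left empty).
$listener = Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue
$portInfo = if ($listener) { "listening, PID $($listener[0].OwningProcess)" } else { 'no listener on 4444' }
New-Check 'port 4444' $null $portInfo
```

Because allowtgtsessionkey lets processes obtain the TGT session key from the LSA, the same check is useful for confirming the value is set only on the machine that actually runs RDP.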