Product: TIBCO Spotfire®
Spotfire Kerberos configuration may fail with error "Failure unspecified at GSS-API level (Mechanism level: Checksum failed)"
When Kerberos is set up on the Spotfire server, the authentication attempts may fail. Spotfire server.log may capture errors like the following:
2019-05-06T07:08:16,597-0500 [unknown, #0, #6] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
A probable reason for this error is that the SPN's are registered for CNAME (alias) instead of the A record (actual hostname) for the Spotfire server machine.
The A and CNAME records are the two common ways to map a hostname ("name") to one or more IP addresses. The difference between the 2 is as follows:
An A record points a name to an IP address.
A CNAME record can point a name to another CNAME or to an A record.
If the SPN's are registered for the CNAME then the client does not correctly form the SPN in the TGS request by creating it using the hostname (A Record) but the alias name (CNAME).
Here is an example:
A Record: spotfireserver.mydomain.com
CNAME: spotfire.mydomain.com (aliases spotfireserver.mydomain.com)
In this case, SPN's are registered for the CNAME.
If the client attempts to authenticate with http://spotfire.mydomain.com, the client does not correctly form the SPN and requests a Kerberos ticket for http://spotfireserver.mydomain.com instead of http://spotfire.mydomain.com
External: Differences Between A and CNAME Records