Product: TIBCO Spotfire®
Preparing the Spotfire environment for supporting constrained delegation to SQL Server datasource
When setting up the Spotfire environment with constrained delegation, the service accounts running the Spotfire Server and Node Manager.
Follow the steps given below to enable constrained delegation:
Note: This applies to connector data sources as well as Information Services data sources.
- In the [libdefaults] section of the Spotfire Server (TSS) krb5.conf, add forwardable = true if it is not already there.
- Constrained delegation must be set up for the TSS service account. In the Active Directory Users and Computers snap-in on the Domain Controller, edit the service account and go to the Delegation tab. Select the option "Trust this user for delegation to specified services only", and select "Use any authentication protocol", then add the HTTP service of any worker in the current Spotfire cluster, e.g.:
| Service Type | User or Computer |
| --- | --- |
| HTTP | my-worker.test.com |
| HTTP | my-worker2.test.com |
- Make sure to run the Node Manager service as the service account that has SPNs registered.
- Enable delegation for each account (machine or user) that runs a worker (Node Manager): select "Trust this user for delegation to specified services only" and "Use any authentication protocol", then add the HTTP service of every Spotfire Server in the cluster, along with the services for the external data source (MS SQL Server in our case), e.g.:

| Service Type | User or Computer | Port |
| --- | --- | --- |
| HTTP | my-tss1.test.com | |
| HTTP | my-tss2.test.com | |
| MSSQLSvc | my-mssql.test.com | 1433 |
| MSSQLSvc | my-mssql.test.com | |
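
A way to verify the result of the steps above, as an added example that is not part of the original article or TIBCO's own tooling: it checks krb5.conf for forwardable = true and compares each service account's delegation attributes with the intended targets. It assumes the AD attributes userAccountControl and msDS-AllowedToDelegateTo have been exported for each account and that the table rows map to SPNs of the form HTTP/host and MSSQLSvc/host[:port]; all sample inputs, including cifs/files.test.com, are constructed.

```python
# Added example: sample inputs below are constructed, not from a real environment.
TRUSTED_FOR_DELEGATION = 0x80000            # UAC bit: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # UAC bit: "Use any authentication protocol"

def libdefaults_forwardable(krb5_text):
    """True only if the [libdefaults] section contains forwardable = true."""
    section = None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "forwardable":
                return value == "true"
    return False

def check_delegation(account, expected_spns):
    """List deviations between an account's AD attributes and the intended setup."""
    uac = account["userAccountControl"]
    allowed = {s.lower(): s for s in account.get("msDS-AllowedToDelegateTo", [])}
    expected = {s.lower(): s for s in expected_spns}  # SPNs compare case-insensitively
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation is enabled")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("'Use any authentication protocol' is not set")
    findings += [f"missing target: {expected[k]}" for k in sorted(expected.keys() - allowed.keys())]
    findings += [f"unexpected target: {allowed[k]}" for k in sorted(allowed.keys() - expected.keys())]
    return findings

KRB5_SAMPLE = "[libdefaults]\ndefault_realm = TEST.COM\nforwardable = true\n"  # constructed
TSS_EXPECTED = ["HTTP/my-worker.test.com", "HTTP/my-worker2.test.com"]
WORKER_EXPECTED = ["HTTP/my-tss1.test.com", "HTTP/my-tss2.test.com",
                   "MSSQLSvc/my-mssql.test.com:1433", "MSSQLSvc/my-mssql.test.com"]
# Constructed attribute dumps: the first matches the steps, the second deviates.
TSS_ACCOUNT = {"userAccountControl": 0x1000200, "msDS-AllowedToDelegateTo": TSS_EXPECTED}
WORKER_ACCOUNT = {"userAccountControl": 0x200,
                  "msDS-AllowedToDelegateTo": WORKER_EXPECTED[:3] + ["cifs/files.test.com"]}

if __name__ == "__main__":
    print("forwardable:", libdefaults_forwardable(KRB5_SAMPLE))
    print("TSS account:", check_delegation(TSS_ACCOUNT, TSS_EXPECTED) or "OK")
    for finding in check_delegation(WORKER_ACCOUNT, WORKER_EXPECTED):
        print("worker account:", finding)
```

An "unexpected target" finding is worth reviewing first: every extra entry in the delegation list widens what the service account can impersonate users to.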