Product: TIBCO Spotfire®
Why does the TIBCO Spotfire Server / Spotfire Web Player URL have to be in the Intranet Zone for SSO?
When configuring SSO authentication with TIBCO Spotfire Server and/or TIBCO Spotfire Web Player, it is required to have the accessed URL be part of the 'Intranet Zone' within the Internet Options security settings. Internet zone sites are prevented from using Integrated Windows authentication because these protocols do not typically work through Web proxies, among other reasons. If a site is located in the Internet zone, Internet Explorer does not attempt to use Kerberos authentication. It automatically tries NTLM and it prompts for a username/password. In all versions of Internet Explorer, when accessing a Web site to which you want to use Kerberos authentication, you must verify that the Web site appears as being in the local intranet zone. An icon in the lower right corner of the Internet Explorer window indicates what zone a Web site is in. It displays “Internet” for the Internet zone and “Local Intranet” for the intranet zone. If the Web site appears as being in the Internet zone, you must manually add the site to the local intranet sites list. External: Authentication Uses NTLM instead of Kerberos