TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
Authentication and User Directory

8.3.1 Kerberos

Kerberos is a single sign-on protocol that sends encrypted user information from a
client across the network to the authentication server. Kerberos works in LDAP
environments and is considered to have strong security. If you intend to use Spotfire in
an environment where Kerberos is used, this may be a good way of increasing security
for the Spotfire system.

Note: In a clustered environment, there are certain considerations that must be taken
into account. For details about these, see the section “Kerberos Authentication” on
page 61.

There are several steps that must be taken to set up Kerberos authentication. The
following sections outline them step by step.

8.3.1.1 Prepare the LDAP Server

How to set up Kerberos with your LDAP server may differ significantly depending on
which LDAP server you are using. The instructions provided here will work for a
Windows Active Directory. If you are using a different LDAP solution, you may have
to provide different settings in the configuration files provided with the Spotfire
Server.

In order for the Spotfire Server to authenticate with a Windows Domain using
Kerberos, the Windows Domain must meet the following prerequisites:

• All Domain Controllers must run Windows 2003 Server SP1 or later.
• Microsoft Support Tools must be installed.
• All computers that will run Kerberos must belong to the same Windows
Domain.
• All computers in the domain must have synchronized clocks (this should happen
automatically when a computer becomes a member of a domain).
• All Spotfire users must have user accounts in the Windows Domain.

Note: If the Windows Server is an upgrade of a Windows 2000 server, the user
accounts may be using encryption mechanisms not supported by Spotfire. Please refer
to Microsoft documentation to get around this issue.

The following steps must then be performed:

1 Configure LDAP authentication for the Spotfire Server (see the section “LDAP” on
page 66 for instructions on how to do this). Make sure this is working as intended.

2 Create a Domain user to be the Spotfire service account. This should be a normal
domain user account, and should be named something easy to remember. Make sure it
meets the following requirements:
• Do not enter a First Name, Initial or Last name for the user account.
• Use the same information in the Full Name field as in the User Logon Name
field. Make sure there are no spaces in these fields.
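
The service account requirements in step 2 can be verified with a short PowerShell function. This is an added example, not part of the TIBCO documentation; the function name Test-SpotfireServiceAccount and the sample accounts are hypothetical. It assumes the Full Name field is stored in the Name (cn) attribute and that the User Logon Name is the part of UserPrincipalName before the @.

```powershell
# Added example (not from the TIBCO documentation): checks a user object
# against the service-account requirements listed in step 2.
function Test-SpotfireServiceAccount {
    param([Parameter(Mandatory)] $User)

    $problems = @()

    # Requirement: no First Name, Initial or Last name.
    # In Active Directory these are the GivenName, Initials and Surname properties.
    foreach ($attr in 'GivenName', 'Initials', 'Surname') {
        if (-not [string]::IsNullOrEmpty($User.$attr)) {
            $problems += "$attr must be empty, found '$($User.$attr)'"
        }
    }

    # Requirement: Full Name identical to User Logon Name.
    # Assumption: logon name = UserPrincipalName up to the '@'.
    # -cne compares case-sensitively, so 'SpotfireSvc' and 'spotfiresvc' differ.
    $logonName = ([string]$User.UserPrincipalName -split '@')[0]
    if ($User.Name -cne $logonName) {
        $problems += "Full Name '$($User.Name)' differs from User Logon Name '$logonName'"
    }

    # Requirement: no spaces in either field.
    foreach ($value in (@($User.Name, $logonName) | Select-Object -Unique)) {
        if ($value -match '\s') { $problems += "'$value' contains a space" }
    }

    return ,$problems
}

# Constructed sample accounts so the check runs without a domain.
# Against a real domain, pass the output of:
#   Get-ADUser -Identity <account> -Properties Initials
$samples = @(
    [pscustomobject]@{ Name = 'spotfiresvc'; UserPrincipalName = 'spotfiresvc@example.test'
                       GivenName = $null; Initials = $null; Surname = $null },
    [pscustomobject]@{ Name = 'Spotfire Service'; UserPrincipalName = 'spotsvc@example.test'
                       GivenName = 'Spotfire'; Initials = $null; Surname = 'Service' }
)

foreach ($s in $samples) {
    $result = Test-SpotfireServiceAccount -User $s
    if ($result.Count -eq 0) { "$($s.Name): meets the requirements" }
    else { "$($s.Name):"; $result | ForEach-Object { "  - $_" } }
}
```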