Providing a Krb5 File for Kerberos Authentication

To use Kerberos authentication, you need a krb5 file (i.e. a Kerberos configuration file) when any of these conditions are met:

  • The Virtual DataPort server runs on Windows and the host does not belong to a Windows domain.
  • Or the Information Self-Service Tool server runs on Windows and the host does not belong to a Windows domain.
  • Or Virtual DataPort runs on Linux.
  • Or the Information Self-Service Tool server runs on Linux.
  • Or the Kerberos server (e.g. Microsoft Active Directory) does not return “forwardable” tickets by default but it can return them.

If any of these conditions are met, check if there is a krb5 file in the default path of the operating system (see table Default location of the krb5 file depending on the operating system).

Default location of the krb5 file depending on the operating system

Operating System   Default path for the krb5 file
Windows            <Windows directory>\krb5.ini (the system directory is usually C:\Windows).
                   Note that in Windows, the name of the file is krb5.ini and not krb5.conf.
Linux              /etc/krb5.conf
Solaris            /etc/krb5/krb5.conf

If the file exists, make sure it has the property forwardable = true in the [libdefaults] section of the file.

If the file does not exist, create it in the default path. The figure Sample krb5 file is an example of a krb5 file.

Sample krb5 file
[libdefaults]
    default_realm = CONTOSO.COM
    forwardable = true

[realms]
CONTOSO.COM = {
    kdc = dc-01.contoso.com
    default_domain = CONTOSO.COM
}

[domain_realm]
    .contoso.com = CONTOSO.COM

With the property forwardable = true, the system requests “forwardable” tickets from the Kerberos server. These tickets can be used by other applications (in this case, the Virtual DataPort server) to request service tickets on behalf of the user. These service tickets are then used to perform Kerberos requests to other services (e.g. databases) on behalf of the Virtual DataPort client (i.e. the Administration Tool, JDBC clients and ODBC clients).
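The following script is an added example (not Denodo's own code) that reads a krb5 file in the format shown above and reports whether it has forwardable = true in [libdefaults] and a kdc entry for the default realm, which is the check described for an existing file. The sample text embedded in it is constructed for the example and deliberately omits the forwardable line.

```python
"""Check a krb5 file for the settings this page requires (added example, not
Denodo's code): forwardable = true in [libdefaults] and a kdc for the default
realm. The parser handles sections, key = value lines and '{ ... }' realm blocks."""

# Constructed sample: the krb5 file from this page with forwardable left out.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = CONTOSO.COM
[realms]
CONTOSO.COM = {
    kdc = dc-01.contoso.com
    default_domain = CONTOSO.COM
}
[domain_realm]
    .contoso.com = CONTOSO.COM
"""

def parse_krb5(text):
    """Return {section: {key: value}}; a 'key = {' block becomes a nested dict."""
    conf, stack = {}, []           # stack[-1] is the dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip().lower(), {})]
        elif line == "}":
            stack.pop()                          # end of a realm block
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value           # a repeated key keeps its last value
    return conf

def check_krb5(text):
    """Return a list of problems; an empty list means the file passes both checks."""
    conf, problems = parse_krb5(text), []
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("forwardable", "").lower() not in ("true", "yes", "on", "1"):
        problems.append("forwardable = true is missing from [libdefaults]")
    realm = libdefaults.get("default_realm")
    if not realm:
        problems.append("default_realm is not set in [libdefaults]")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"realm {realm} has no kdc entry in [realms]")
    return problems
```

Run check_krb5 on the contents of the krb5 file from the table above; it returns an empty list once forwardable = true is present in [libdefaults].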

Even if the system requests a forwardable ticket, Active Directory may be configured not to return forwardable tickets. If this is the case, we are in a scenario called “constrained delegation”.

When Virtual DataPort runs on Windows and the host belongs to a Windows domain, you do not need to define the krb5 file.