Providing a Krb5 File for Kerberos Authentication

To use Kerberos authentication, you need a krb5 file (i.e. a Kerberos configuration file) when any of these conditions are met:

  • Any of the following servers or tools runs on Linux, or runs on Windows on a host that is not joined to a Windows domain:

    • Virtual DataPort Server
    • Scheduler Server
    • Scheduler Web Administration Tool
    • Data Catalog
    • Web Panel Administration Tool
  • The Kerberos server (e.g. Microsoft Active Directory) does not issue “forwardable” tickets by default, but will issue them when the client explicitly requests them.

If any of these conditions are met, check if there is a krb5 file in the default path of the operating system (see table Default location of the krb5 file depending on the operating system).

Default location of the krb5 file depending on the operating system

  Operating System   Default path for the krb5 file
  Windows            <Windows directory>\krb5.ini (the Windows directory is usually C:\Windows)
  Linux              /etc/krb5.conf
  Solaris            /etc/krb5/krb5.conf

Note that on Windows the file is named krb5.ini, not krb5.conf.

If the file exists, make sure the [libdefaults] section contains the property forwardable = true. If the property is absent, add it: the Kerberos library default is false. To verify the result, obtain a ticket with kinit and run klist -f; a forwardable ticket shows the F flag.

If the file does not exist, create it in the default path. The figure Sample krb5 file is an example of a krb5 file.

Sample krb5 file
[libdefaults]
    default_realm = CONTOSO.COM
    forwardable = true

[realms]
CONTOSO.COM = {
    kdc = dc-01.contoso.com
    default_domain = CONTOSO.COM
}

[domain_realm]
    .contoso.com = CONTOSO.COM
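The check described above (locate the krb5 file at the platform default path, confirm that [libdefaults] sets forwardable = true) as an added example; this is not code from the Denodo documentation or product. It parses the krb5 syntax shown in the sample, including the brace-delimited realm block, and reports whether the property is set. The sample files embedded in it are constructed copies of the sample above, and the set of accepted "true" spellings is an assumption about what the Kerberos library accepts.

```python
"""Added example, not part of the Denodo documentation: a small checker for
the krb5 file procedure above. It resolves the platform default path from the
table, parses the krb5 syntax (sections, key = value relations and the
brace-delimited blocks used under [realms]) and verifies that [libdefaults]
sets forwardable to a true value. The sample files below are constructed."""
import os
import platform
import re

# Spellings accepted as a true boolean (assumption: mirrors the values MIT
# libkrb5 treats as true); anything else, including an absent key, is false.
TRUE_VALUES = {"true", "yes", "on", "1", "t", "y"}

SECTION_RE = re.compile(r"^\[(\w+)\]$")
RELATION_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def default_krb5_path(system=None):
    """Default krb5 file location for an OS name as reported by platform.system()."""
    system = system or platform.system()
    if system == "Windows":
        # %SystemRoot% is the Windows directory, usually C:\Windows
        return os.environ.get("SystemRoot", r"C:\Windows") + r"\krb5.ini"
    if system == "SunOS":  # Solaris
        return "/etc/krb5/krb5.conf"
    return "/etc/krb5.conf"


def parse_krb5(text):
    """Parse krb5.conf/krb5.ini text into {section: {key: value-or-dict}}."""
    sections = {}
    current = None   # dict currently being filled
    stack = []       # enclosing dicts while inside { ... } blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m and not stack:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError("relation before any [section]: %r" % raw)
        if line == "}":
            if not stack:
                raise ValueError("unmatched '}'")
            current = stack.pop()
            continue
        m = RELATION_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":          # start of a nested block, e.g. a realm
            block = {}
            current[key] = block
            stack.append(current)
            current = block
        else:
            current[key] = value
    if stack:
        raise ValueError("unterminated '{' block")
    return sections


def check_forwardable(text):
    """Return (ok, message) for the check above: [libdefaults] forwardable = true."""
    libdefaults = parse_krb5(text).get("libdefaults")
    if libdefaults is None:
        return False, "no [libdefaults] section"
    value = libdefaults.get("forwardable")
    if value is None:
        return False, "forwardable not set in [libdefaults] (library default is false)"
    if isinstance(value, str) and value.lower() in TRUE_VALUES:
        return True, "forwardable = %s" % value
    return False, "forwardable = %s, must be true" % value


def check_file(path):
    """Check a krb5 file on disk; returns (exists, ok, message)."""
    if not os.path.exists(path):
        return False, False, "no krb5 file at %s; create one like the sample above" % path
    with open(path, encoding="utf-8") as fh:
        ok, msg = check_forwardable(fh.read())
    return True, ok, msg


# Constructed samples: the page's sample file, one without the property and one
# that sets it to false.
SAMPLE_OK = """\
[libdefaults]
    default_realm = CONTOSO.COM
    forwardable = true

[realms]
CONTOSO.COM = {
    kdc = dc-01.contoso.com
    default_domain = CONTOSO.COM
}

[domain_realm]
    .contoso.com = CONTOSO.COM
"""
SAMPLE_MISSING = SAMPLE_OK.replace("    forwardable = true\n", "")
SAMPLE_FALSE = SAMPLE_OK.replace("forwardable = true", "forwardable = false")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING), ("false", SAMPLE_FALSE)):
        print(name, check_forwardable(text))
    print(check_file(default_krb5_path()))
```

Run it on the host where the Denodo server is installed; check_file reports a missing file at the default path, a file without the property, or a file that sets it to something other than true, which are the three cases the procedure above tells you to fix.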

With the property forwardable = true, the client requests “forwardable” tickets from the Kerberos server. A forwardable ticket can be handed to another application (in this case, the Virtual DataPort server), which uses it to request service tickets on behalf of the user. Virtual DataPort then uses these service tickets to authenticate to other services (e.g. databases) as the Virtual DataPort client (i.e. the Administration Tool, JDBC clients and ODBC clients). Keep in mind that a forwarded ticket lets the server act as the user towards any service, not just the databases, so only forward tickets to servers you trust to that extent.

Even if the client requests a forwardable ticket, Active Directory may be configured not to issue one (for example, when the user account is marked “Account is sensitive and cannot be delegated”). In that case the Virtual DataPort server cannot act on behalf of the user by forwarding the user's ticket, and the delegation has to be set up as “constrained delegation”, where the Kerberos server issues service tickets on the user's behalf only for the services explicitly allowed for the Virtual DataPort server's account.

When Virtual DataPort runs on Windows and the host belongs to a Windows domain, you do not need to define the krb5 file.