Kerberos Configuration

This section allows you to configure the Scheduler administration tool to use Kerberos to authenticate the Scheduler users with Virtual DataPort by using Single Sign On, which means that the Scheduler administration tool users will not have to provide their credentials.

Important

To configure Kerberos in Scheduler, it is necessary to configure both the Scheduler administration tool and the Scheduler server. This section covers the steps for the Scheduler administration tool (you have to do it in all the clients that want to login using Kerberos.). Section Kerberos settings explains how to configure the Scheduler server.

Before configuring Kerberos in the Scheduler administration tool, you need to configure the Kerberos authentication in the Virtual DataPort server to which the Scheduler is going to authenticate its users. To do that, follow the instructions of the postinstallation task Setting-up Kerberos Authentication in Scheduler of the Installation Guide and then, the instructions of the section Kerberos Authentication of the Virtual DataPort Administration Guide.

Finally, set-up the Kerberos authentication in the Scheduler administration tool and the Scheduler server. Regarding the Scheduler administration tool, in the wizard to do it (see figure below), provide the following details:

Kerberos configuration dialog

Kerberos configuration dialog

  1. Select Use Kerberos.

  2. In the box Server Principal enter the “Service Principal Name” (SPN) used to create the keytab file. That is, the SPN with the Fully Qualified Domain Name (FQDN) of the server where the Active Directory is running. For example, “HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM”.

  3. In the box Keytab file enter the path to the keytab file.

  4. Leave the Kerberos configuration file box empty unless the host where this Scheduler administration tool runs does not belong to a Kerberos realm (e.g. a Windows Active Directory domain). If this host does not belong to a Kerberos realm, do one of the following:

    1. Enter the path to the krb5.conf or krb5.ini file with the Kerberos settings.
    2. Or follow the steps described in the appendix Using Kerberos Authentication in Scheduler Without Joining a Kerberos Realm of the Installation Guide.
  5. We recommend selecting the check box Activate Kerberos debug mode the first time you set up Kerberos in case you run into any issues. Once Kerberos has been set up, disable this.

    When this option is enabled, check the appendix How to Debug Kerberos in Web Applications of the Installation Guide to learn how to see the debug information.

Then, restart the Scheduler administration tool to have these changes take effect. The next time you launch the tool (and if everything is correctly configured) you will see a new button in the login screen (Single Sign On Login) to authenticate by using Single Sign On against the chosen Scheduler server. In order to succeed, it is necessary that the URL in the browser points to the FQDN configured in previous steps (for instance, http://host1.subnet1.contoso.com/…).

Single Sign On Login

Single Sign On Login