
Kerberos Configuration

This section explains how to enable single sign-on (SSO) in the Scheduler administration tool using Kerberos authentication. With SSO, users do not have to enter their credentials; they are validated automatically.

Important

To enable single sign-on (SSO), you have to enable Kerberos in both the Scheduler administration tool and the Scheduler server. This section covers the steps for the Scheduler administration tool.

To enable Kerberos authentication in the Scheduler administration tool, follow these steps:

  1. Enable Kerberos authentication in the Virtual DataPort server with which the Scheduler is going to authenticate its users. To do this, follow the instructions of the section Kerberos Authentication of the Virtual DataPort Administration Guide.

  2. Follow the instructions of the post-installation task Setting-up Kerberos Authentication in Scheduler of the Installation Guide.

  3. Set up Kerberos authentication in the Scheduler server.

  4. Log in as the web administration local user (see section Web Administration Tool Local Authentication) and enter the following information in the form available from this page of the Scheduler Web Administration tool.

Kerberos configuration dialog


  1. Select Use Kerberos.

  2. In the box Server Principal, enter the “Service Principal Name” (SPN) used to create the keytab file. That is, the SPN with the Fully Qualified Domain Name (FQDN) of the server where the Web Administration Tool is running. For example, “HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM”.

  3. In the field Keytab file, drag and drop the keytab file over the specified area or click it to open a file explorer to select the file. If a keytab file was previously uploaded, it will be shown and you can use the trash icon to delete it.

  4. Leave the Kerberos configuration file box empty unless the host where this Scheduler administration tool runs does not belong to a Kerberos realm (e.g., a Windows Active Directory domain). If this host does not belong to a Kerberos realm, do one of the following:

    a. Drag and drop the krb5.conf or krb5.ini file with the Kerberos settings over the specified area or click it to open a file explorer to select the file. If a configuration file was previously uploaded, it will be shown and you can use the trash icon to delete it.

    b. Or follow the steps described in the appendix Enabling Kerberos Authentication Without Joining a Kerberos Realm of the Installation Guide.

  5. We recommend selecting the check box Activate Kerberos debug mode the first time you set up Kerberos in case you run into any issues. Once Kerberos is working, disable this.

    When this option is enabled, check the appendix How to Debug Kerberos in Web Applications of the Installation Guide to learn how to see the debug information.

  6. Restart the Scheduler administration tool to have these changes take effect.

After these changes, users who go to the Scheduler administration tool do not need to provide their user name and password, because the browser sends the Kerberos credentials of their system. For this to work, they have to access the tool using the URL with the fully qualified domain name (FQDN) configured in step 2. For example, https://denodo-prod.subnet1.contoso.com:9443/webadmin/denodo-scheduler-admin/.

Authentication dialog with Single Sign-On


The users can provide the URI of the Scheduler server by adding the uri parameter to the URL. If they do, the Web Administration Tool will try to authenticate them against that Scheduler server without showing the authentication page. For example: https://denodo-prod.subnet1.contoso.com:9443/webadmin/denodo-scheduler-admin/?uri=//localhost:8000#/
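A pre-flight check for the requirement above that users reach the tool through the FQDN in the Server Principal. This is an added example, not code from Denodo; the function name `check_spn_and_url` and the individual checks (HTTP service class, upper-case realm) are assumptions based on common Kerberos conventions, and the sample values are the ones shown on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# SERVICE/host@REALM, as in the "Server Principal" box.
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@:]+)@(?P<realm>[^/@]+)$")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_spn_and_url(spn, url):
    """Return a list of problems; an empty list means SPN and URL agree."""
    m = SPN_RE.match(spn)
    if not m:
        return ["SPN is not of the form SERVICE/host@REALM"]
    problems = []
    spn_host = m["host"].lower()
    # Browsers request a ticket for HTTP/<host>, also when the URL is https.
    if m["service"] != "HTTP":
        problems.append("service class is not HTTP")
    # A short host name or an IP address is not an FQDN.
    if "." not in spn_host or _is_ip(spn_host):
        problems.append("SPN host is not a fully qualified domain name")
    # Realm names are case-sensitive and upper case by convention.
    if m["realm"] != m["realm"].upper():
        problems.append("realm is not upper case")
    # The host in the address bar decides which SPN the browser asks for.
    url_host = urlsplit(url).hostname or ""
    if url_host != spn_host:
        problems.append(f"URL host {url_host!r} does not match SPN host {spn_host!r}")
    return problems


if __name__ == "__main__":
    spn = "HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM"
    for url in (
        "https://denodo-prod.subnet1.contoso.com:9443/webadmin/denodo-scheduler-admin/",
        "https://denodo-prod:9443/webadmin/denodo-scheduler-admin/",  # constructed: short name
    ):
        print(url, "->", check_spn_and_url(spn, url) or "OK")
```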
