Kerberos Configuration¶
This section explains how to enable Single Sign On (SSO) on the Scheduler administration tool, using Kerberos authentication. With SSO, the users will not have to enter their credentials. They will be validated automatically.
Important
To enable single sign-on (SSO), you have to enable Kerberos in both the Scheduler administration tool and the Scheduler server. This section covers the steps for the Scheduler administration tool.
To enable Kerberos authentication in the Scheduler administration tool, follow these steps:
Enable Kerberos authentication in the Virtual DataPort server with which the Scheduler is going to authenticate its users. To do this, follow the instructions of the section Kerberos Authentication of the Virtual DataPort Administration Guide.
Follow the instructions of the page Setting-up Kerberos Authentication in Scheduler of the Denodo Platform Administration Guide.
Log in as the web administration local user (see section Web Administration Tool Local Authentication) and enter the following information in the form available from this page of the Scheduler Web Administration tool.
Select Use Kerberos.
In the box Server Principal, enter the “Service Principal Name” (SPN) used to create the keytab file. That is, the SPN with the Fully Qualified Domain Name (FQDN) of the server where the Web Administration Tool is running. For example, “HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM”.
In the field Keytab file, drag and drop the keytab file over the specified area or click it to open a file explorer to select the file. If a key tab file was previously uploaded, it will be shown and you could use the trash icon to delete it.
Leave the Kerberos configuration file box empty unless the host where this Scheduler administration tool runs does not belong to a Kerberos realm (e.g., a Windows Active Directory domain). If this host does not belong to a Kerberos realm, do one of the following:
a. Drag and drop the
krb5.conf
orkrb5.ini
file with the Kerberos settings over the specified area or click it to open a file explorer to select the file. If a configuration file was previously uploaded, it will be shown and you could use the trash icon to delete it. b. Or follow the steps described in the page Enabling Kerberos Authentication Without Joining a Kerberos Realm.We recommend selecting the check box Activate Kerberos debug mode the first time you set up Kerberos in case you run into any issues. Once Kerberos is working, disable this.
When this option is enabled, check the appendix How to Debug Kerberos in Web Applications of the Installation Guide to learn how to see the debug information.
Restart the Scheduler administration tool to have these changes take effect.
After these changes, when the users go to the Scheduler administration tool, they will not need to provide
their user name and password, because the browser will send the Kerberos credentials of their system. In order
for this to work, they need to access using the full qualified URL (FQDN) configured in step 2. For example,
https://denodo-prod.subnet1.contoso.com:9443/webadmin/denodo-scheduler-admin/
.
The users can provide the URI of the Scheduler server adding the uri
parameter to the URL. If they do it,
the Web Administration Tool will try to authenticate them against that Scheduler server without showing
the authentication page. For example:
https://denodo-prod.subnet1.contoso.com:9443/webadmin/denodo-scheduler-admin/?uri=//localhost:8000#/