Applies to: Denodo 8.0, Denodo 7.0, Denodo 6.0
Last modified on: 27 May 2020
Tags: Administration, External clients, Kerberos, LDAP, ODBC driver, Security
Introduction
This document walks step by step through configuring an ODBC northbound connection to Denodo using Kerberos with single sign-on (SSO) and pass-through session credentials.
User authentication happens against the Microsoft Active Directory (AD) that the machine is synchronized with: the user automatically forwards the session Kerberos ticket to it and gets access to the authorized sources with SSO.
This is a prerequisite for configuring SSO with pass-through from third-party applications that use the Denodo ODBC driver to connect to Denodo.
Steps to configure the connection
Once they are imported, you must grant them at least connection privileges.
Troubleshooting
To obtain the log of any error that occurs in the VDP Server, start the server from a console using the command-line scripts; errors will be shown in the standard output.
This Oracle troubleshooting page includes a good list of common problems when configuring SSO.
Problem:
No output in the cmd when using the command line startup script
Solution:
If the debug mode for Kerberos is enabled, use PowerShell to start the server or the .sh script.
Problem:
Found unsupported keytype (18) for HTTP/test.domain.com@DOMAIN.COM
Solution:
Check whether the AES-256 option is enabled in the configuration of the user associated with the SPN on the Denodo Server. If it is enabled, disable it. If this is not possible, install the JCE in the JRE used by the Denodo Server. When the encryption is changed, it is recommended to regenerate the .keytab for the user that authenticates the VDP Server.
Problem:
Mechanism level: GSSHeader did not find the right tag
Solution:
When connecting to VDP through the ODBC driver, the FQDN of the machine running the Denodo Server (or the load balancer) has to be specified. The connection to the VDP Server has to be made from a machine other than the one where the VDP Server is running.
Problem:
Key for the principal HTTP/test.domain.com@DOMAIN.COM not available in <<keytab directory>>
Password from shared state is null
[Krb5LoginModule] authentication failed
Password can not be obtained from sharedstate
Solution:
The SPN has changed, so the address in the VDP Server needs to be changed.
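Both the "unsupported keytype (18)" error and the "Key for the principal ... not available" error can be checked by inspecting the keytab itself. The following is an added example, not Denodo's code: it parses an MIT-format keytab and reports whether an SPN is missing or present only with encryption types the JRE cannot use. The default `supported` set (AES-128 and RC4, modelling a JRE without the JCE) and the sample keytab are assumptions constructed for illustration.

```python
import struct

_cs = lambda b: struct.pack(">H", len(b)) + b   # counted string: 16-bit length + bytes

def build_entry(spn, etype, kvno=2, key=b"\x00" * 16):
    """Build one keytab entry. Constructed sample data with an all-zero key."""
    name, realm = spn.split("@")
    parts = name.split("/")
    body = struct.pack(">H", len(parts)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in parts)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + _cs(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from an MIT-format (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        p, end = pos, pos + size
        (ncomp,) = struct.unpack_from(">H", data, p)
        fields, p = [], p + 2
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                        # skip name type and timestamp
        kvno, etype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen                 # skip kvno, etype, key length and key bytes
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(fields[1:]) + "@" + fields[0], kvno, etype))
        pos = end
    return entries

def check_spn(data, spn, supported=(17, 23)):
    """Return 'missing', 'unsupported-etype' or 'ok'. etype 18 is AES-256."""
    found = [e for princ, _, e in parse_keytab(data) if princ == spn]
    if not found:
        return "missing"
    return "ok" if any(e in supported for e in found) else "unsupported-etype"

# Constructed sample: the SPN from the error messages above with only an AES-256 key.
SAMPLE = b"\x05\x02" + build_entry("HTTP/test.domain.com@DOMAIN.COM", 18)
```

To check a real file, pass its bytes (`open(path, "rb").read()`) and the SPN configured in the VDP Server to `check_spn`.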