Kerberos configuration and troubleshooting

Applies to: Denodo 7.0 , Denodo 6.0 , Denodo 5.5
Last modified on: 18 Jul 2019
Tags: Installation Administration Kerberos Connectivity Security

Download document

Goal

The aim of this document is to provide guidance and advice on how to configure Kerberos in the Denodo Platform and how to solve the most common problems when configuring Kerberos.

Kerberos Configuration Guide

Denodo Virtual DataPort (VDP) allows to use Kerberos authentication not only for accessing the underlying data sources but also for connecting to the VDP Server through Kerberos from any client.

To connect to data sources using Kerberos authentication the configuration steps will be different depending on the data source type:

To configure Kerberos for the VDP Server, the section “Setting-up Kerberos Authentication” of the Denodo Platform Installation Guide includes the configuration process of a Kerberos server (Active Directory) before enabling Kerberos in VDP. Once the Kerberos server is configured, the configuration steps for configuring Kerberos in a VDP Server are included in the section “Kerberos authentication” of the Virtual DataPort Administration Guide. Additional steps may be needed to connect to the VDP server depending on the client used to connect:

Kerberos Debug Mode

Kerberos Debug Mode in Northbound connections

When configuring Kerberos within your environment it is strongly recommended to enable Kerberos Debug Mode and use the tools listed in the section “Useful tools to debug issues with Active Directory or other LDAP servers” in case that you face any issue. For enabling the Kerberos Debug Mode in the VDP Administration Tool and in the VDP Server, just follow these steps:

  1. Click "Kerberos Configuration" on the menu "Administration > Server Configuration", select "Activate Kerberos debug mode" and click "Ok".
  2. Click "Authentication" on the menu "Tools > Admin tool preferences", select "Activate Kerberos debug mode" and click "Ok".
  3. Stop the VDP server and the administration tool.
  4. From a command line, launch the VDP server:
    > cd <DENODO_HOME>/bin
    > ./vqlserver_startup.sh > server_kerberos_logging.log 2>&1
  5. From a different command line, launch the VDP administration tool:
    > cd <DENODO_HOME>/bin
    > ./vdpadmin.sh

Having the Kerberos Debug Mode enabled, it is necessary to launch the Server and the Administration Tool from the command line because the "Kerberos debug mode" of the Java Runtime Environment writes messages related to Kerberos in the standard output, not in the log files.

In Denodo Platform 7.0 you need to redirect the console output because in this version the console is closed after the server is started, for instance:
        vqlserver_startup.bat > server_kerberos_logging.log 2>&1 

Kerberos Debug Mode in Southbound connections

For those cases where it is only needed to debug the southbound connections, the Kerberos log debugging mode can be enabled by following these steps:

  1. Add -Dsun.security.krb5.debug=true to the JVM options of the VDP server
  2. Start the Virtual DataPort server using the command line script:

> cd <DENODO_HOME>

> ./vqlserver_startup.bat/sh > server_kerberos_logging.log 2>&1

Kerberos Debug Mode Output

The output of the Kerberos debugging provides a lot of information regarding the authentication process, it is recommended to enable this mode when configuring Kerberos. Hence, if the authentication process does not work as expected the debugging logs can be reviewed in order to gather information about the issue.

Some useful lines that can be searched for in the log are the following:

  • Commit Succeeded: This means that VDP Server has been authenticated successfully in the AD, so it is likely that the problem faced will be related to the client configuration.
  • Found unsupported keytype (18) for <Kerberos Server principal>: This means that Java Cryptography Extension (JCE) is not installed in the VDP Server.
    Ignore this error if in the Active Directory, the user account created for the Virtual DataPort server has the AES-256 encryption disabled.
    If AES-256 encryption is enabled, we recommend disabling it. If you want to use AES-256, install the JCE in the VDP server
    and all its clients.
    You will not see this message if the Denodo server runs with
    the latest update of Java 8 because it already includes the JCE (Denodo 7.0 ships with the latest update of Java 8).

Kerberos Most Common Issues

Kerberos Northbound Most Common Issues

  • Server Principal is not correct:
  • Error: Error authenticating client with kerberos: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
  • Sometimes the principal is set looking like a http url: HTTP://host1.subnet1.contoso.com@CONTOSO.COM, but remember that the prefix is “HTTP/” without the colon and the extra slash: HTTP/host1.subnet1.contoso.com@CONTOSO.COM.
  • LDAP Data source URI is not correct:
  • Error: LDAP: error code 32 - 0000208D
  • Usually the URI contains the node of the LDAP where the users should be searched, for instance ldap://ad.denodo.com:389/DC=contoso.com,DC=com, but the suffix DC=contoso.com,DC=com should be instead included in the User base field of the Kerberos configuration, so a correct LDAP Server URI has to be of the form ldap://ad.denodo.com:389/
  • The User base configured, for instance DC=contoso.com,DC=com”, does not contain the username used in the authentication. Note that this node of the Active Directory represents the scope where the users are searched in.
  • Kerberos krb5 configuration file is included though it is not required, this file is needed only under those conditions:
  • VDP Server runs on Windows and the host does not belong to a Windows domain.
  • VDP Server runs on Linux.
  • Kerberos Server does not return “forwardable” tickets by default.
  • Role names in VDP does not match LDAP roles:
  • VDP is configured for using case insensitive identifiers by default (identifiers charset is Restricted), with this configuration the comparison of roles is case insensitive and when the roles are imported from the LDAP the names are converted to lowercase.
  • On the other hand, when the Unicode option is selected for identifiers charset, the comparison will be case sensitive so the role names in Denodo have to match exactly the name of the groups in AD.
  • Attribute with user name in the Kerberos configuration does not contain the domain name, but Kerberos authentication uses the name with the domain appended:
  • For instance the LDAP attribute sAMAccountName returns user instead of user@CONTOSO.COM. To solve this, a different LDAP attribute which includes the domain appended to the username can be used or check the option “Avoid domain name for authorization” in the Kerberos server configuration wizard.
  • The VDP Admin Tool has configured “Use user/password” Kerberos authentication and the file VDBAdminConfiguration.properties includes the property vdbDataSource.vdpAdminDataSource.principal.
  • Error: Client not found in Kerberos database (6)
  • This property is only required when using “Use ticket cache” and “Use keytab” options so remove the property if it appears in the configuration file.
  • VDP Server and/or clients do not join the Kerberos realm but the JVM properties java.security.krb5.realm and java.security.krb5.kdc are not included nor there is a krb5 file.
  • These properties need to be included both in server and clients JVM or in the krb5 file.
  • The Service Principal Name should be used instead of the user name in the Server principal field of the Kerberos configuration.
  • Do not forget to regenerate the keytab for this user account.
  • If a keytab file is generated for a user account instead of the SPN, the same user cannot be used for authenticating with the VDP Admin Tool with the option “Use user/password”:
  • Error: Pre-authentication information was invalid (24)
  • Configure a different user account for the VDP Admin Tool.
  • The krb5.conf file is configured for using UDP
  • Error: java.net.SocketTimeoutException: Receive timed out
  • Sometimes the Kerberos tickets are larger than the maximum packet size sent over UDP so change the configuration of the file in order to use TCP
  • The krb5 file does not include the entry "default_domain = CONTOSO.COM" in the realms section.
  • The user account that authenticates in the VDP Admin Tool uses a different encryption algorithm that is configured in the keytab:
  • Error: Error authenticating user: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
  • In case that the VDP Server is placed in a UNIX environment, the same configuration should be applied to the account configuration of the Active Directory for the user configured in the Server principal field of Kerberos.
  • Using HTTP SPNEGO, if the Kerberos token sent from the browser is too large it can be rejected by Tomcat’s HTTP connector, remember to do the same for the HTTPS connector if you are using HTTPS:
  • Error: HTTP 400 Bad Request
  • Change the connector configuration from:
    <Connector port="${com.denodo.tomcat.http.port}"
                  maxThreads="150" …. />

    to:
    <Connector port="${com.denodo.tomcat.http.port}" maxHttpHeaderSize="65536"
                  maxThreads="150" …
  • Using HTTP SPNEGO, the http requests from the browser must contain the Fully Qualified Domain Name:
  • In order to authenticate into VDP server, HTTP/<FQDN> must be the Service Principal Name defined in VDP server. The beginning of the requested URLs must follow the pattern http://www.<FQDN> or http://<FQDN> so the browser requests a Kerberos ticket for HTTP/<FQDN>.
  • In ODBC client connections, Active Directory is blocking VDP from utilizing the account provided.
  • Error: com.denodo.vdb.vdbinterface.server.odbc.ODBCBackend [] - Error: authentication error: No valid Kerberos authentication for user.
  • To resolve this, it is needed to adjust the value of userWorkstations attribute in Active Directory in order to enable VDP to access this account.
  • In the VDP Administration Tool, the option “Use Single Sign-On with system ticket cache” was selected but the Windows Registry was not modified
  • Error: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
  • Modify the Windows Registry in order to make the session key for TGT accessible.
  • In Denodo Platform versions up to 6.0, the Java Cryptography Extension (JCE) is required for AES 256 encryption but the extension is not installed:
  • Error: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
  • Install the JCE as documented in the section "Installing the Java Cryptography Extension (JCE)" of the Denodo Platform Installation Guide

Kerberos Southbound Most Common Issues

  • With some JDBC data sources, the Denodo VDP server is on a different domain than the Kerberos server but the files core-site.xml, hdfs-site.xml and mapred-site.xml are not included in the classpath:
  • Copy the files to <DENODO_HOME>/conf or <DENODO_HOME>/conf/vdp

Finally, remember to restart the VDP Server after applying any configuration change.

References

Questions

Ask a question
You must sign in to ask a question. If you do not have an account, you can register here

Featured content

DENODO TRAINING

Ready for more? Great! We offer a comprehensive set of training courses, taught by our technical instructors in small, private groups for getting a full, in-depth guided training in the usage of the Denodo Platform. Check out our training courses.

Training