Setting up Kerberos Authentication¶

Several modules of the Denodo Platform support Kerberos authentication:

  • Virtual DataPort

  • Data Catalog

  • Diagnostic and Monitoring Tool

  • Scheduler and its administration tool

Before enabling Kerberos authentication on the Denodo Platform, you have to create a service account in the Active Directory of your organization and configure this account appropriately. This page explains how to do it.

Configuring the Kerberos Authentication Server (e.g. Active Directory)¶

You need to perform the following tasks on Active Directory (or the Kerberos server your organization uses). In many organizations, only the administrators of the Active Directory can do this.

  1. Create a user in the Kerberos server of type "User".

  2. Declare a Service Principal Name (SPN) and associate it with the user of the Virtual DataPort server.

  3. Enable Kerberos delegation for this user account.

  4. Generate a keytab file.

  5. Optionally, on the computers where the Administration Tool of Virtual DataPort runs, modify the Windows registry to use the native ticket cache so the user does not have to enter her credentials when opening the administration tool.

After this, enable Kerberos authentication on the Denodo servers.

Consider this:

  • Create one account for each installation of the Denodo Platform: one account for the Denodo server for development, one for testing, etc. A keytab that leaks from one environment then does not compromise the others.

  • We recommend that all the components of an installation of the Denodo Platform share the same account to make the configuration easier. That is, share the same keytab file and the same Service Principal Name (SPN).

  • If a Denodo installation is part of a cluster of Denodo servers and their client applications will connect to them through a load balancer, use the same account for all the installations of this cluster.

Creating a User in the Active Directory¶

Create a service account in Active Directory. This service account has to meet these requirements:

  • Create a User account, not a Machine account nor a Computer account.

  • Clear the option User must change password at next logon.

  • We recommend selecting Password never expires.

To do this in Active Directory, follow these steps:

  1. Launch the tool Active Directory Users and Computers (in the menu Programs > Administrative Tools).

  2. Right-click the Users node and click New > User (do not select Machine nor Computer).

  3. Enter denodo_server_production in the Logon name field. You can enter a different name; the rest of the examples use "denodo_server_production".

  4. Click Next and enter a password. Nobody will type this password interactively (the Denodo servers authenticate with the keytab generated later), so make it long and random.

  5. Locate denodo_server_production in the Users tree, in the left side pane, and double-click it.

  6. Click the tab Account of "denodo_server_production" and in the panel Account options, do this:

    • We recommend selecting Password never expires. The keytab is derived from the password, so every time the password changes you would have to generate a new keytab, reconfigure the Virtual DataPort server and restart it.

    • Regarding encryption mechanisms, we recommend clearing Use Kerberos DES encryption types for this account because DES is considered insecure.

    • We recommend clearing Account is sensitive and cannot be delegated. Otherwise, you will not be able to use Kerberos with constrained delegation to pass through the client credentials to underlying databases.

Active Directory User Configuration (Account tab)

Declaring a Service Principal Name (SPN)¶

A Service Principal Name (SPN) is a unique identifier for a service running on a server. SPNs are used by Kerberos authentication to associate a service instance with a service logon account: the KDC encrypts the service ticket for an SPN with the key of the account that owns that SPN.

To define the SPN for Denodo, follow these steps:

Step #1

Open a command prompt as an administrator, either from the host where the Denodo server is going to run or from the Windows Domain Controller.

Step #2

With the utility setspn, declare the SPN and associate it with the user account created in the previous step ("denodo_server_production"). The switch -S adds the SPN only if it is not already registered on any object of the forest; -U indicates that the account is a user account.

Syntax of the setspn utility

    setspn -U -S HTTP/<Fully Qualified Domain Name of the Denodo server> <REALM>\<server account>

For example,

    setspn -U -S HTTP/denodo-dv-prod.contoso.com CONTOSO.COM\denodo_server_production

The output should be like:

    Checking domain DC=contoso,DC=com
    Registering ServicePrincipalNames for CN=Denodo Production Server,CN=Users,DC=contoso,DC=com
            HTTP/denodo-dv-prod.contoso.com
    Updated object

If you are doing this for a Denodo server that will be part of a cluster of Denodo servers and the client applications will connect to it through a load balancer, use the host name defined in the load balancer, not the actual host name of the Denodo server.

Step #3

Verify that the SPN is registered on this user account. To do this, execute setspn -L <user account>. For example,

    setspn -L CONTOSO.COM\denodo_server_production

The output should be like:

    Registered ServicePrincipalNames for CN=denodo_server_production,CN=Users,DC=contoso,DC=com:
            HTTP/denodo-dv-prod.contoso.com

or:

    Registered ServicePrincipalNames for CN=denodo_server_production,CN=Users,DC=contoso,DC=com:
            HTTP/denodo-dv-prod.contoso.com
            HTTP/denodo-dv-prod

Consider the following rules regarding SPNs:

  • In step #2, if setspn -U -S ... returns an error like "Duplicate SPN found, aborting operation!", it means this SPN is already registered, either on this account or on another one. The SPN you use for Kerberos authentication of the Denodo servers cannot be associated with more than one user account: if it is, the KDC cannot tell which account's key to use for the service ticket and this authentication will not work. Run setspn -Q HTTP/<FQDN> to find the object that owns the SPN, and setspn -X to list every duplicate SPN in the forest.

  • The SPN has to comply with the following rules:

    1. The host name (in this example "denodo-dv-prod.contoso.com") has to be the Fully Qualified Domain Name (FQDN) of the host where the Virtual DataPort server runs or, in case of a cluster of Denodo servers, the FQDN defined in the load balancer for this cluster.

    2. The "service class" of the SPN has to be HTTP, except for the Scheduler server (it could be any string, for instance, SCHED).

      When web browsers request a Kerberos ticket, they do it for the service "HTTP/<host name of the URL you are accessing>" (the browser forms the SPN with "HTTP" even if you use the protocol "https"). The SPN of this ticket has to match the SPN that the Denodo servers will use; otherwise the authentication will fail.

    If the SPN does not meet these rules, the Kerberos authentication will fail for ODBC clients, web services, the Data Catalog, the Diagnostic and Monitoring Tool, and the Scheduler administration tool. The Denodo JDBC driver and the administration tool will be able to connect.

  • You can add as many SPNs as you want, but the one used to generate the keytab must meet the previous rules; otherwise, the Kerberos authentication will not work on the web tools.

  • SPNs are case insensitive when used by Microsoft Windows-based computers. However, Linux/Unix is case-sensitive and requires the proper case to function properly. So, when you create the SPN and configure the Virtual DataPort server, always enter the SPNs with the proper case. That is, the host name in lower case (e.g. denodo-prod.subnet1.contoso.com) and the domain name in upper case (e.g. CONTOSO.COM).

  • If your organization uses Microsoft Active Directory 2003 or earlier, you cannot use the -S switch in setspn because it is not available for that version. In that case, replace -S with -A, but -A does not check for duplicates, so make sure yourself that the same SPN is not associated to two user accounts.

See the documentation of setspn.

See what a Fully Qualified Domain Name is at https://en.wikipedia.org/wiki/Fully_qualified_domain_name.

Enable Kerberos Delegation for this User Account¶

You need to do this step if:

  • You plan on enabling Kerberos authentication on any of the following components of Denodo: Data Catalog, Scheduler or Web Panel.

  • Or you plan on creating JDBC data sources that use the option "pass-through session credentials" and Kerberos authentication.

If you are not going to do any of these things, skip to the next section. You can do these changes in the future.

After running setspn and ktpass, two things change in the configuration of the user account in Active Directory:

  • In the Account tab, the field User logon name changes to the Service Principal Name (before, it was just the name of the user account).

  • There is a new tab: Delegation. Active Directory only shows this tab for accounts that have at least one SPN.

Follow these steps:

  1. Open the new user account and go to the tab Delegation.

  2. Select one of these options:

    • Trust this user for delegation to any service (known as "open delegation" or unconstrained delegation). With this option, Active Directory will allow Virtual DataPort to delegate to any service (database, web service…) the Kerberos credential that the user used to connect to Virtual DataPort. In addition, it will allow the Data Catalog and Scheduler to connect to Virtual DataPort using Kerberos authentication. Bear in mind that with this option the Denodo account receives a forwarded ticket-granting ticket of every user who connects, so whoever obtains its keytab can act as those users against any service of the domain; prefer the constrained option whenever your data sources support it.

    • Trust this user for delegation to specified services only (known as "constrained delegation"). If you select this, you also have to do this:

      1. Select Use any authentication protocol. Otherwise, the pass-through session credentials of Kerberos will not work.

      2. In the list Services to which this account can present delegated credentials, add the following:

        • The SPN (Service Principal Name) of this same user (e.g. HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM). That way, if you enable Kerberos authentication on the Data Catalog or Scheduler, these components can delegate to Virtual DataPort the Kerberos credential of the user.

        • The SPNs (Service Principal Names) of the databases and web services to which you want to allow Denodo to delegate the Kerberos credentials that the user used to connect to Virtual DataPort.

        With the option Trust this user for delegation to specified services only, Active Directory will allow Virtual DataPort - and any other Denodo components that use the same SPN - to delegate the Kerberos credentials of the users only to the services on this list.

Important

If you select Trust this user for delegation to specified services only, you are enabling "constrained delegation". That is, the queries sent to Virtual DataPort will fail if they involve a JDBC data source with the authentication option "pass-through session credentials" and the driver does not support Kerberos authentication with constrained delegation. Read the section Connecting to a JDBC Source with Kerberos Authentication of the Administration Guide to check if, in your scenario, you can enable this option.

Active Directory User Configuration (Delegation tab)
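The same Delegation tab settings can be applied and verified from PowerShell, which is useful when you manage several Denodo installations. The following script is an added example and is not taken from the Denodo documentation. It assumes the RSAT ActiveDirectory module, the page's example account and SPN, and a hypothetical SQL Server SPN (MSSQLSvc/sqlprod.contoso.com:1433) standing in for the data sources you actually delegate to.

```powershell
# Added example (not from the Denodo documentation): configure constrained delegation
# with protocol transition for the service account from PowerShell, equivalent to the
# Delegation tab choices above. Needs the RSAT ActiveDirectory module. The account and
# Denodo SPN are the page's example values; the SQL Server SPN is a placeholder.
Import-Module ActiveDirectory

$account   = 'denodo_server_production'
$denodoSpn = 'HTTP/denodo-dv-prod.contoso.com'
$targets   = @(
    $denodoSpn                               # lets Data Catalog / Scheduler delegate to Virtual DataPort
    'MSSQLSvc/sqlprod.contoso.com:1433'      # hypothetical database SPN; list every data source you delegate to
)

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'AccountNotDelegated',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$user = Get-ADUser -Identity $account -Properties $props

# Preconditions set on the Account tab: the SPN must exist (without it AD shows no
# Delegation tab) and "sensitive and cannot be delegated" must be cleared.
if ($user.servicePrincipalName -notcontains $denodoSpn) {
    throw "SPN $denodoSpn is not registered on $account; run setspn first."
}
if ($user.AccountNotDelegated) {
    Set-ADAccountControl -Identity $account -AccountNotDelegated $false
}

# "Trust this user for delegation to specified services only" = msDS-AllowedToDelegateTo
# holds the allowed targets; "Use any authentication protocol" = TrustedToAuthForDelegation.
# Unconstrained delegation (TrustedForDelegation) is switched off at the same time.
Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$targets }
Set-ADAccountControl -Identity $account -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# Read the result back: anything other than Unconstrained=False, ProtocolTransition=True
# and exactly your target list means the change did not apply.
$user = Get-ADUser -Identity $account -Properties $props
[pscustomobject]@{
    Account            = $account
    Unconstrained      = $user.TrustedForDelegation
    ProtocolTransition = $user.TrustedToAuthForDelegation
    AllowedTargets     = ($user.'msDS-AllowedToDelegateTo' -join '; ')
}
```

Run it as an account allowed to edit the service user. The final object is the check worth keeping in a change ticket: TrustedForDelegation must be False (no unconstrained delegation slipped in) and the target list must contain only the SPNs you intend Denodo to reach.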

Generating a Keytab File¶

After defining the SPN, generate a keytab file. A keytab file contains pairs of Kerberos principals and the long-term keys derived from the password of a user account; the keys are stored in clear, so the file is as sensitive as the password itself. The Denodo components (Virtual DataPort, Scheduler…) will use this keytab to authenticate themselves with Active Directory. Once they are authenticated, they can authenticate other users.

From the command line of the Windows Domain Controller, execute this (only domain administrators can run it):

Syntax of the ktpass utility

    ktpass /out denodo.keytab /princ <SPN with FQDN>@<REALM> /mapUser <server Active Directory account> /crypto ALL /pass * /ptype KRB5_NT_PRINCIPAL

For example:

Example of generating a keytab file

    ktpass /out denodo_server_production.keytab /princ HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM /mapuser denodo_server_production /pass * /crypto ALL /ptype KRB5_NT_PRINCIPAL

You will have to enter a password for the user account "denodo_server_production". ktpass sets the password of the account to the value you type (note the line "Password successfully set!" in the output below) rather than checking it against the current one, so the key version number of the account increases and any keytab generated earlier for this account stops working.

Important

Make sure the password entered is correct and the case of the principal is the correct one. ktpass does not validate this. It only generates the keytab based on the principal and the password you enter.

With /crypto ALL the file also contains DES and RC4 keys, as the output below shows. If you cleared Use Kerberos DES encryption types for this account in the Account tab, the DES entries are never usable, and RC4 is weak; /crypto AES256-SHA1 (or AES128-SHA1 if the JRE that runs Denodo does not allow 256-bit AES) produces a keytab with only the AES key.

You should see something similar:

    Successfully mapped HTTP/denodo-dv-prod.contoso.com to denodo_server_production.
    Type the password for HTTP/denodo-dv-prod.contoso.com:
    Type the password again to confirm:
    Password successfully set!
    Key created.
    Key created.
    Key created.
    Key created.
    Key created.
    Output keytab to denodo_server_production.keytab:
    Keytab version: 0x502
    keysize 70 HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0xfbeaece643fef213)
    keysize 70 HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0xfbeaece643fef213)
    keysize 78 HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x25e19011618301a73e20fda538e18a91)
    keysize 94 HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x0370175225b496a88a120973d70e28bb9e94f113a2b827926ad52d093471f35f)
    keysize 78 HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x11 (AES128-SHA1) keylength 16 (0x60c3d8c6f43727deeaccc480f8101c41)

See more about ktpass in its documentation.
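The account, SPN and keytab steps above can be scripted so that every installation (development, testing, production) gets an account configured the same way. The following PowerShell script is an added example, not part of the Denodo documentation; it uses the page's example values (denodo_server_production, denodo-dv-prod.contoso.com, CONTOSO.COM) and assumes the RSAT ActiveDirectory module, an OU named OU=ServiceAccounts,DC=contoso,DC=com, an output path C:\keytabs and an account CONTOSO\svc_denodo that starts the Denodo components; replace those with your own.

```powershell
# Added example (not part of the Denodo documentation): scripted equivalent of the
# user creation, SPN declaration and keytab generation described above, for a
# domain-joined admin host with the RSAT ActiveDirectory module, setspn and ktpass.
# Example values are the page's; the OU, keytab path and runner account are assumptions.
Import-Module ActiveDirectory

$samAccount = 'denodo_server_production'
$fqdn       = 'denodo-dv-prod.contoso.com'               # lower case: Linux clients are case-sensitive
$realm      = 'CONTOSO.COM'                              # upper case
$spn        = "HTTP/$fqdn"                               # service class HTTP: browsers ask for HTTP/<host>
$ouPath     = 'OU=ServiceAccounts,DC=contoso,DC=com'     # assumed OU
$keytab     = "C:\keytabs\$samAccount.keytab"            # assumed output path (local disk, never a share)
$runner     = 'CONTOSO\svc_denodo'                       # assumed account that launches the Denodo components

# 1. An SPN may be registered on at most one object in the forest. setspn -S refuses
#    duplicates too, but this query tells you which object already owns it.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($owner) { throw "SPN $spn is already registered on $($owner.DistinguishedName)" }

# 2. Service account of type User. Nobody will ever type this password (ktpass resets it
#    in step 4 anyway), so use a random one from the OS CSPRNG just to enable the account.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString -AsPlainText -Force -String ([Convert]::ToBase64String($bytes))
New-ADUser -Name $samAccount -SamAccountName $samAccount -Path $ouPath `
    -AccountPassword $initialPassword -Enabled $true `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -AccountNotDelegated $false `
    -KerberosEncryptionType 'AES128,AES256'
# Keep DES off (the "Use Kerberos DES encryption types for this account" checkbox).
Set-ADAccountControl -Identity $samAccount -UseDESKeyOnly $false

# 3. Declare the SPN exactly as the Denodo servers will use it and verify it with the
#    expected case, as the setspn -L step above does.
& setspn -U -S $spn "$realm\$samAccount"
if ($LASTEXITCODE -ne 0) { throw "setspn failed (exit code $LASTEXITCODE)" }
$registered = (Get-ADUser -Identity $samAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -cnotcontains $spn) { throw "SPN $spn not registered with the expected case on $samAccount" }

# 4. Keytab. ktpass prompts for a password and SETS it on the account (it does not verify
#    an existing one), so any keytab generated earlier for this account stops working.
#    AES256-SHA1 instead of ALL keeps DES and RC4 keys out of the file; use AES128-SHA1 if
#    the JRE running Denodo does not allow 256-bit AES.
New-Item -ItemType Directory -Path (Split-Path $keytab) -Force | Out-Null
& ktpass /out $keytab /princ "$spn@$realm" /mapuser $samAccount `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass '*'
if ($LASTEXITCODE -ne 0) { throw "ktpass failed (exit code $LASTEXITCODE)" }

# 5. The keytab is equivalent to the account password: drop inherited ACEs and allow
#    read access only to the account that launches Denodo (plus local administrators).
& icacls $keytab /inheritance:r /grant:r "${runner}:R" 'BUILTIN\Administrators:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }
Get-Acl $keytab | Format-List Path, AccessToString
```

The Get-ADObject query in step 1 and the case-sensitive check in step 3 are the two places where the manual procedure usually goes wrong (an SPN left behind on an old computer object, or a host name typed in mixed case); the script fails early on both instead of producing a keytab that only breaks once a Linux client tries to use it.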

Distribute the Keytab and Enable Kerberos Authentication on Denodo Servers¶

Copy the file "denodo_server_production.keytab" to the computer where you installed the Denodo Platform. If this server is part of a cluster of Denodo servers, copy it to all these computers.

After this, enable Kerberos authentication on the modules required. See:

  • For Virtual DataPort, see the page Kerberos Authentication.

  • For Scheduler, see the page Kerberos Configuration.

  • For Data Catalog, see the page Kerberos Configuration.

Kerberos authentication on the Diagnostic & Monitoring Tool is enabled automatically when you enable it on Virtual DataPort.

Handle the keytab with the same precautions you apply to passwords: whoever can read it can authenticate as the Denodo service and, if delegation is enabled, act on behalf of the users it delegates for. Do not store it on a file share; copy it over an encrypted channel; once it is on a Denodo installation, change the permissions of the file so that only the user account that launches the Denodo components can read it; and if the file is ever exposed, reset the account password and generate a new keytab.
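Before copying the keytab to the Denodo hosts it is worth reading it back, because ktpass writes the principal exactly as typed and, with /crypto ALL, includes DES and RC4 keys. The following PowerShell function is an added example, not part of the Denodo documentation or of any Denodo tool: it parses the keytab format version 0x502 that ktpass writes (the same format read by Java and MIT Kerberos) and lists the principal, key version and encryption type of each entry without printing key material. The keytab path, the expected principal and the comparison with the account's msDS-KeyVersionNumber at the end are assumptions based on the page's example account.

```powershell
# Added example, not part of the Denodo documentation: inspect a keytab produced by
# ktpass (format version 0x502) before distributing it, to confirm the principal is
# written with the exact case configured in Denodo, which key version (kvno) it holds
# and whether weak DES/RC4 keys are present. The function reads the file only; the
# path and the comparison against AD at the end are assumptions for the page's example.
function Read-Keytab {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 2 -or $b[0] -ne 0x05 -or $b[1] -ne 0x02) {
        throw "$Path is not a version 0x502 keytab"
    }
    # Every integer in the file is big-endian.
    $u16 = { param($i) ([int]$b[$i] -shl 8) -bor [int]$b[$i + 1] }
    $u32 = { param($i) [BitConverter]::ToUInt32([byte[]]@($b[$i + 3], $b[$i + 2], $b[$i + 1], $b[$i]), 0) }
    $i32 = { param($i) [BitConverter]::ToInt32([byte[]]@($b[$i + 3], $b[$i + 2], $b[$i + 1], $b[$i]), 0) }
    $etypeNames = @{ 1 = 'DES-CBC-CRC'; 3 = 'DES-CBC-MD5'; 23 = 'RC4-HMAC'; 17 = 'AES128-SHA1'; 18 = 'AES256-SHA1' }

    $p = 2
    while ($p + 4 -le $b.Length) {
        # Each entry is prefixed by its size (excluding these 4 bytes); ktpass prints it as "keysize".
        $size = & $i32 $p; $p += 4
        if ($size -lt 0) { $p += -$size; continue }      # negative size: deleted slot, skip it
        if ($size -eq 0) { break }
        $start = $p
        $ncomp = & $u16 $p; $p += 2
        $len = & $u16 $p; $p += 2
        $realm = [Text.Encoding]::ASCII.GetString($b, $p, $len); $p += $len
        $comps = for ($c = 0; $c -lt $ncomp; $c++) {
            $len = & $u16 $p; $p += 2
            [Text.Encoding]::ASCII.GetString($b, $p, $len); $p += $len
        }
        $nameType = & $u32 $p; $p += 4                   # 1 = KRB5_NT_PRINCIPAL
        $stamp = & $u32 $p; $p += 4
        $vno = [int]$b[$p]; $p += 1                      # 8-bit kvno
        $etype = & $u16 $p; $p += 2
        $klen = & $u16 $p; $p += 2
        $p += $klen                                      # key material: skipped, never printed
        if ($start + $size - $p -ge 4) { $vno = [int](& $u32 $p) }   # optional 32-bit kvno (not written by ktpass)
        $p = $start + $size

        [pscustomobject]@{
            Principal = ($comps -join '/') + '@' + $realm
            NameType  = $nameType
            Kvno      = $vno
            Etype     = $etype
            EtypeName = if ($etypeNames.ContainsKey($etype)) { $etypeNames[$etype] } else { "unknown($etype)" }
            KeyBytes  = $klen
            Weak      = ($etype -in @(1, 2, 3, 23))        # DES and RC4 entries: regenerate without them
            Created   = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
        }
    }
}

# Usage for the page's example keytab (path assumed).
$keytab   = 'C:\keytabs\denodo_server_production.keytab'
$expected = 'HTTP/denodo-dv-prod.contoso.com@CONTOSO.COM'
$entries  = @(Read-Keytab -Path $keytab)
$entries | Format-Table Principal, Kvno, EtypeName, KeyBytes, Weak -AutoSize

if ($entries.Principal -cnotcontains $expected) {
    Write-Warning "No entry for $expected with that exact case; Linux hosts will fail to use this keytab."
}
if ($entries.Weak -contains $true) {
    Write-Warning 'Keytab contains DES/RC4 keys; regenerate with ktpass /crypto AES256-SHA1.'
}
# Optional, needs the ActiveDirectory module: the kvno must match the account's current one,
# otherwise the keytab predates the last password reset and the KDC will reject it.
$adKvno = (Get-ADUser denodo_server_production -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
if ($entries.Kvno -notcontains $adKvno) {
    Write-Warning "Keytab kvno $($entries.Kvno -join ',') does not match AD kvno $adKvno; generate a new keytab."
}
```

For the keytab shown in the ktpass output above, the table lists five entries with kvno 4, two of them DES and one RC4, all flagged Weak; after regenerating with /crypto AES256-SHA1 only the AES256-SHA1 entry remains and the kvno increases by one, which is the value the AD comparison must then match.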

Modifying the Windows Registry to Use the Native Ticket Cache¶

The Virtual DataPort administration tool and the Denodo JDBC driver provide "Single Sign-on" (SSO), which means that the users do not need to enter their password to log in.

If the administration tool runs on Windows with the Denodo update 20190312 or earlier, and you want to use this feature, you have to modify the Windows registry of the host where the tool runs. That way, the tool will be able to obtain the Kerberos ticket that the system acquired when you logged in to the system. The reason for having to modify the registry to use SSO is that Microsoft added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. If the administration tool has the update 20190903 or newer, you do not need to do this.

You do not have to do anything to use single sign-on on Linux or to connect to the Denodo server using the ODBC driver.

Skip to the next task if you are not going to use "single sign-on" or the administration tool runs on Linux.

Note that you can use Kerberos authentication without modifying the registry by providing the user and the password when you log in. This is what you do when selecting Use user/password of the Kerberos authentication options of the administration tool.

To modify the registry, follow these steps:

  1. Run regedit.exe

  2. Look for the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  3. Right-click the "Parameters" node and click New > DWORD.

  4. Enter the name of the entry: allowtgtsessionkey.

  5. Double-click the new entry and set the value to 1 (0x00000001)

Important

You have to do this in all these hosts:

  • All the hosts where Virtual DataPort administration tools run and whose users want to use Kerberos authentication.

  • All the hosts where JDBC clients run and want to use Kerberos authentication.

You have to do this when the client runs on Windows because, as explained in the Troubleshooting page for Kerberos authentication of the Java Runtime Environment, Windows does not give access to the session key of a Ticket-Granting Ticket (TGT) by default. This change in the registry will make the session key for TGT accessible, so Java can use it to acquire additional service tickets. The same access is available to any other process running in the user's session, which can then export a usable copy of the TGT, so apply this setting only on the client hosts that need single sign-on.

Even if you modify the registry, if the user that starts the administration tool belongs to the group "local administrator" of that computer, the tool will not be able to retrieve the Kerberos ticket from the system. This will make the single sign-on fail. If that is the case, use the options Use user/password or Use ticket cache of the Kerberos authentication options of the administration tool.

The information provided in this section also applies to the Denodo JDBC driver.