Using Kerberos authentication with delegated credentials
Users can authenticate to different data sources using single sign-on login information. The server can delegate the user authentication to the data source, either through Information Services, or through a connector. This is possible only if you use Kerberos single sign-on.
About this task
If you are using a JDBC driver that supports passing the delegated user's Generic Security Standard (GSS) credentials through a connection property, then you can use constrained delegation with Information Services.
To enable constrained delegation for these drivers, add the following connection property to the corresponding Data Source Template.
<connection-property>
<key>spotfire.kerberos.gsscredential.property</key>
<value>connectionPropertyName</value>
</connection-property>
Where
connectionPropertyName
is
driver-specific. (Refer to your driver's documentation for more information.)
Before you begin
For delegation to work, no client user account in the domain can have the setting Account is sensitive and cannot be delegated. By default, this setting is not enabled.
Procedure
- Enabling constrained delegation
This is the second step in the process of setting up Kerberos authentication with delegated credentials for your Spotfire implementation. It allows the Spotfire Server to delegate user credentials to nodes. - Enabling unconstrained delegation on a domain controller in Windows Server 2003 mode (legacy)
This is the second step in the process of setting up Kerberos authentication with delegated credentials for your Spotfire implementation. - Enabling unconstrained delegation for an account on a domain controller in Windows 2000 mixed or native mode (legacy)
This is the second step in the process of setting up Kerberos authentication with delegated credentials for your Spotfire implementation.