Authentication | Pass-through login: Enabled | Pass-through login: Disabled |
BASIC | Basic login information like the user name and password is passed through from the client to the data source to create a connection. | This setting is not recommended for Kerberos SSO as the client credentials are not passed through to the data source for negotiation of a connection. The data source adapter configuration settings are used to negotiate shared connections and are reused for all users. |
KERBEROS NEGOTIATE | If Kerberos tokens are present because they were generated by Kerberos SSO, then they are used to connect to the data source directly. Alternatively, pass-through login information can be used to connect to the data source based on Kerberos authentication. | The login and password of the data source adapter configuration are used to log in to the Kerberos KDC, and then those credentials are used to connect to the data source. |

Parameter | Description |
Pass-through Login | Must be Enabled for identification and use of the Kerberos authentication credentials of a client. With pass-through enabled, the client’s Kerberos token is used to negotiate a connection with the data source. If pass-through login is not enabled, data source connections are negotiated with the Studio login and password (if saved) or with the TDV Server authentication status. When data is requested from a data source for the first time, pass-through login connection negotiation is used. Subsequent requests or executions sent to the same data source by the same user use the existing connection on an exclusive and restricted basis. Connections are not reused if they have been established with a data source configured to use pass-through login with a client-specific username and password. Only the user who created a connection can reuse that connection. |
Authentication | Choose the KERBEROS option to use Kerberos authentication credentials with pass-through login to negotiate client connections to data sources. Client submission of the Kerberos credential through JDBC requires the client code to implement two properties from the krb5 login module. Refer to About JDBC Clients and Kerberos SSO. Choose NEGOTIATE to gain access to WSDL and XML over HTTP data sources using Kerberos SSO authentication. |
Service Principal Name | If you select KERBEROS or NEGOTIATE authentication, you need to provide a Service Principal Name (except in the case of an Oracle data source, which has separate configuration settings that point to the Kerberos Service Principal). The Service Principal Name (SPN) is a unique identifier that authenticates a service to Kerberos. The SPN for each data source is unique to that service. The SPN has the following format: HTTP/<FullyQualified_TDV_HostName>@<Realm> |
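
A pre-deployment check for the SPN format described above, added here as an illustration and not part of the TDV product or its documentation. The function names, the `expected_host` parameter, and the sample host and realm are assumptions constructed for this example.

```python
import re
from typing import NamedTuple

class Spn(NamedTuple):
    service: str
    host: str
    realm: str

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_spn(spn: str) -> Spn:
    """Split 'service/host@realm' into parts; raise ValueError if malformed."""
    m = re.fullmatch(r"([^/@\s]+)/([^/@\s]+)@([^/@\s]+)", spn)
    if not m:
        raise ValueError(f"not in service/host@realm form: {spn!r}")
    return Spn(*m.groups())

def check_spn(spn: str, expected_host: str) -> list:
    """Return a list of problems; an empty list means the SPN fits
    HTTP/<FullyQualified_TDV_HostName>@<Realm> for the expected host."""
    try:
        p = parse_spn(spn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if p.service != "HTTP":
        problems.append(f"service class is {p.service!r}; documented format uses 'HTTP'")
    labels = p.host.split(".")
    if len(labels) < 2:
        problems.append(f"host {p.host!r} is not fully qualified")
    if not all(_LABEL.match(label) for label in labels):
        problems.append(f"host {p.host!r} contains an invalid DNS label")
    if p.host.lower() != expected_host.lower():
        problems.append(f"host {p.host!r} does not match expected {expected_host!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    tdv_host = "tdv01.corp.example.com"
    for candidate in ("HTTP/tdv01.corp.example.com@CORP.EXAMPLE.COM",
                      "HTTP/tdv01@CORP.EXAMPLE.COM",
                      "HTTP/tdv01.corp.example.com"):
        print(candidate, "->", check_spn(candidate, tdv_host) or "OK")
```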