About Configuring Kerberos SSO for Data Sources
When you add a new data source, you can specify Kerberos authentication for the data sources that support it. For further information, see Working with Data Sources in the TDV User Guide.
See the following table to understand pass-through authentication for each authentication protocol.
| Authentication | Pass-through login: Enabled | Pass-through login: Disabled |
| --- | --- | --- |
| BASIC | Basic login information like the user name and password is passed through from the client to the data source to create a connection. | This setting is not recommended for Kerberos SSO as the client credentials are not passed through to the data source for negotiation of a connection. The data source adapter configuration settings are used to negotiate shared connections and are used again for all users. |
| KERBEROS, NEGOTIATE | If Kerberos tokens are present because they were generated by Kerberos SSO, then they are used to connect to the data source directly. Alternatively, pass-through login information can be used to connect to the data source based on Kerberos authentication. | The login and password of the data source adapter configuration are used to log in to the Kerberos KDC, and then those credentials are used to connect to the data source. |
For data sources that support Kerberos authentication, up to three configuration parameters matter when you add a new data source using the New Physical Data Source dialog. Specify only the parameters that apply to the specific data source. For example, Oracle requires only two parameters.
| Parameter | Description |
| --- | --- |
| Pass-through Login | Must be Enabled for identification and use of the Kerberos authentication credentials of a client. With pass-through enabled, the client's Kerberos token is used to negotiate a connection with the data source. If pass-through login is not enabled, data source connections are negotiated with the Studio login and password (if saved) or with the TDV Server authentication status. When data is requested from a data source for the first time, pass-through login connection negotiation is used. Subsequent requests or executions sent to the same data source by the same user use the existing connection on an exclusive and restricted basis. Connections are not reused if they have been established with a data source configured to use pass-through login with a client-specific username and password. Only the user who created a connection can reuse that connection. |
| Authentication | Choose the KERBEROS option to use Kerberos authentication credentials with pass-through login to negotiate client connections to data sources. Client submission of the Kerberos credential through JDBC requires the code implementation of two properties from the krb5 login module. Refer to About JDBC Clients and Kerberos SSO. Choose NEGOTIATE to gain access to WSDL and the XML over HTTP data sources using Kerberos SSO authentication. |
| Service Principal Name | If you select KERBEROS or NEGOTIATE authentication, you need to provide a Service Principal Name (except in the case of an Oracle data source, which has separate configuration settings that point to the Kerberos Service Principal). The Service Principal Name (SPN) is a unique identifier that authenticates a service to Kerberos. The SPN for each data source is unique to that service. The SPN has the following format: `HTTP/<FullyQualified_TDV_HostName>@<Realm>` |
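
A pre-flight check for the SPN format given above, as an added example that is not part of the TDV documentation or product code. The function name `check_spn` is hypothetical, the host and realm values are constructed placeholders, and the upper-case realm check reflects common Kerberos convention rather than a requirement stated on this page.

```python
import ipaddress
import re

# RFC 1123 host label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_spn(spn, service_class="HTTP"):
    """Return the problems found in an SPN written as
    HTTP/<FullyQualified_TDV_HostName>@<Realm>; an empty list means none."""
    problems = []
    principal, at, realm = spn.rpartition("@")
    if not at or not realm:
        return ["missing @<Realm> suffix"]
    service, slash, host = principal.partition("/")
    if not slash or not host:
        return ["missing <service>/<host> part before the realm"]
    if service != service_class:
        problems.append(f"service class is {service!r}, expected {service_class!r}")
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not a fully qualified host name")
    except ValueError:
        labels = host.rstrip(".").split(".")
        if len(labels) < 2:
            problems.append("host name is not fully qualified (no domain part)")
        if not all(_LABEL.fullmatch(label) for label in labels):
            problems.append("host name contains an invalid DNS label")
    if realm != realm.upper():
        # Assumption: realms are case-sensitive and conventionally upper case.
        problems.append("realm is not upper case")
    return problems


# Constructed sample values; host and realm names are placeholders.
SAMPLES = [
    "HTTP/tdv01.example.com@EXAMPLE.COM",  # well formed
    "HTTP/tdv01@EXAMPLE.COM",              # short host name
    "http/tdv01.example.com@example.com",  # wrong case in service and realm
    "HTTP/10.0.0.5@EXAMPLE.COM",           # IP address instead of FQDN
    "HTTP/tdv01.example.com",              # realm missing
]

if __name__ == "__main__":
    for spn in SAMPLES:
        issues = check_spn(spn)
        print(spn, "->", "OK" if not issues else "; ".join(issues))
```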