 
Setting Up SSPI Kerberos SSO
TDV and Studio can use Security Support Provider Interface (SSPI) on Windows for Kerberos Single Sign-On (SSO) for accounts that have a service principal name (SPN).
Kerberos SSO setup assumes the customer has used the Windows Services window to create a domain name service (DNS) account under Windows for the TIBCO Data Virtualization Server. If you have no local DNS account for the TDV server, you need to set one up (for example, SUPPORT <domain> + <user> + <password>).
ODBC, JDBC, Studio, published Web services, and OData support SSPI-based Kerberos authentication.
Note: Data sources support only JGSS-based Negotiate and Kerberos authentication. If you introspect a data source that is set up with SSPI Kerberos authentication, you receive a 401 Authentication Error message.
To prepare TDV Server and Studio for SSPI Kerberos SSO, follow these procedures:
Setting up the TDV Service for SSPI Kerberos SSO
Configuring TDV Server for SSPI Kerberos SSO
Understanding Studio Kerberos Properties Files (SSPI)
Preparing the Studio Kerberos Properties File for SSPI SSO
Setting up the TDV Service for SSPI Kerberos SSO
You need to configure services, import groups, and assign privileges to set up the server side for SSPI Kerberos SSO.
Note: SSPI Kerberos Windows clients cannot authenticate the connection from TDV to the underlying data source. SSPI Kerberos Windows clients can, however, authenticate the connection to TDV.
To set up the TDV service for SSPI Kerberos SSO
1. Open the Services window in your Windows environment.
For example, in Windows 7 select Start > Control Panel > Administrative Tools > Services.
2. Scroll to the TDV instance you are setting up for Kerberos SSO.
3. Right-click the instance and select Properties from the context menu.
You need to configure SSPI Kerberos in this Properties window.
4. On the Log On tab, select the This account radio button, type the account name, and set up a password.
 
5. In the Studio menu bar, select Administration > Launch Manager (Web).
6. Log into the Web Manager and go to the Domain Manager page to create an LDAP domain.
7. Click Domain > Domain Name.
Ordinarily you would select the Active Directory radio button for the server URL.
8. Enter an LDAP name and password.
9. Click the Add External Group button to import the group containing TDV.
Add External Group pulls in all groups, for which you then set appropriate privileges.
Configuring TDV Server for SSPI Kerberos SSO
The TDV Server supports Kerberos SSO authentication for the convenience of users who have already authenticated their identity to a Kerberos domain controller.
On the server side, you need to configure TDV for SSPI Kerberos SSO.
To configure the TDV parameters for Kerberos SSO authentication
1. Log into Studio as the admin user.
2. Select Administration > Configuration from the Studio menu bar.
3. In the tree pane, navigate to the Server > Configuration > Security > Authentication folder.
4. Make the following change within that folder.
 
Parameter: Windows Domain Mapping
Action and Description:
Enter a key-value pair.
The key is the reported Windows domain of an authenticated user.
The value is the name of the corresponding LDAP external domain as defined in the TDV Server (the domain you set up in Setting up the TDV Service for SSPI Kerberos SSO).
Often the Windows domain key and the LDAP name value are the same. Keys and values are case-sensitive.
5. Navigate to the Kerberos subfolder.
6. Make the following changes within that folder.
 
Parameter: Allow Kerberos Authentication
Action and Description: Change this value to True. A warning helps you avoid inadvertently changing this without implementing Kerberos first.

Parameter: Native
Action and Description: Make sure this is set to True for SSPI Kerberos.
7. Click OK.
8. Restart the Server.
Understanding Studio Kerberos Properties Files (SSPI)
Each Studio client that is to be configured for use with Kerberos SSO must have a local copy of the krb5.properties file located in the <TDV_install_dir>/conf/studio directory. When Studio is starting up, the presence of this file triggers display of an SSO check box on the Studio login window.
Note: If Studio does not detect this file, or if the SPN value is set to a different TDV node, the Studio login uses Basic authentication, which requires the user to enter a valid username, password, and domain for that server instance.
The Studio krb5.properties Service Principal Name (SPN) is derived from the TDV SPN. The TDV Server uses the Required Principal Name configuration parameter to authenticate the TDV service to Kerberos.
All Studio clients that connect to that TDV Server instance must use an SPN derived from the TDV instance’s SPN. For example, if the Required Principal Name is HTTP/krb5-win.support.net@SUPPORT.NET, the derived SPN is HTTP@krb5-win.support.net. If a user of a Studio instance wants to use Kerberos SSO authentication to connect with a different TDV Server instance, the krb5.properties file SPN value must be changed to use that TDV instance’s SPN name.
For more information about the krb5.properties file, see the Krb5LoginModule Java documentation.
Preparing the Studio Kerberos Properties File for SSPI SSO
On each Studio client that is to be configured for use with SSPI single sign-on, you need to set up the krb5.properties file.
To set up the krb5.properties file for SSPI single sign-on
1. In <TDV_install_dir>\conf\studio, make a copy of krb5_sample.properties and rename it krb5.properties.
2. Open an editor such as WordPad to edit krb5.properties.
3. Make sure Native is set to true for SSPI:
Native = true
 
4. Uncomment the lines that apply to SSPI, and fill in the values appropriate to the current TDV instance:
####################################
# SSPI #
####################################
 
##Service Principal Name or Service account
spn=HTTP/FullyQualified_HostName@Realm
spn=[domain name]\\[account name]
spn=[account name]@[domain name]
 
5. Restart Studio.
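The two values that most often cause a silent fall-back to Basic authentication are the Studio spn (it must be derived from this TDV instance's Required Principal Name, as described in Understanding Studio Kerberos Properties Files) and a Windows Domain Mapping key that differs from the reported Windows domain only by case. The following is an added example, not TDV's own code or tooling: a small Python checker that derives the Studio SPN from a Required Principal Name using the rule stated above (HTTP/host@REALM becomes HTTP@host), parses a krb5.properties file, and reports mismatches before you restart Studio. The sample properties text, the domain mapping dictionary, and the function names are constructed for the example.

```python
"""Sanity checks for an SSPI Kerberos SSO client setup (added example, not TDV code).

Assumptions (hypothetical): the krb5.properties content and the Windows Domain
Mapping pairs are handed in as a string and a dict; the only SPN derivation rule
implemented is the one the guide states (service/host@REALM -> service@host).
"""
import re

# Constructed sample of a Studio krb5.properties after the SSPI lines are filled in.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real TDV file
Native = true
####################################
# SSPI #
####################################
##Service Principal Name or Service account
spn=HTTP@krb5-win.support.net
#spn=[domain name]\\\\[account name]
#spn=[account name]@[domain name]
"""

# Constructed Windows Domain Mapping (key = reported Windows domain,
# value = LDAP external domain name in TDV). Both sides are case-sensitive.
SAMPLE_DOMAIN_MAPPING = {"SUPPORT": "SUPPORT"}


def derive_studio_spn(required_principal_name):
    """Turn the TDV Required Principal Name (service/host@REALM) into the SPN the
    Studio krb5.properties must carry (service@host)."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", required_principal_name)
    if not m:
        raise ValueError(f"not of the form service/host@REALM: {required_principal_name!r}")
    service, host, _realm = m.groups()
    return f"{service}@{host}"


def parse_properties(text):
    """Minimal key=value parser: blank lines and #-comments are skipped,
    the first '=' splits key from value, and both sides are trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_studio_config(properties_text, required_principal_name,
                        reported_windows_domain, domain_mapping):
    """Return a list of findings (empty list means the client config is consistent
    with this TDV instance and its Windows Domain Mapping)."""
    findings = []
    props = parse_properties(properties_text)

    # Step 3 of the procedure: Native must be true for SSPI.
    if props.get("Native", "").lower() != "true":
        findings.append("Native is not true: SSPI will not be used")

    # Step 4: spn must be filled in and must point at this TDV instance.
    spn = props.get("spn")
    if spn is None:
        findings.append("spn is missing: Studio will fall back to Basic authentication")
    elif "[" in spn or "FullyQualified" in spn:
        findings.append(f"spn still holds a placeholder value: {spn!r}")
    else:
        expected = derive_studio_spn(required_principal_name)
        # Accept either the derived form or the full service/host@REALM form.
        if spn not in (expected, required_principal_name):
            findings.append(f"spn {spn!r} does not match this TDV instance "
                            f"(expected {expected!r}); Studio will fall back to "
                            "Basic authentication")

    # Windows Domain Mapping keys are case-sensitive: flag near-misses explicitly.
    if reported_windows_domain not in domain_mapping:
        near = [k for k in domain_mapping if k.lower() == reported_windows_domain.lower()]
        if near:
            findings.append(f"Windows Domain Mapping key {near[0]!r} differs from the "
                            f"reported domain {reported_windows_domain!r} only by case; "
                            "keys are case-sensitive")
        else:
            findings.append(f"no Windows Domain Mapping entry for {reported_windows_domain!r}")
    return findings


if __name__ == "__main__":
    for problem in check_studio_config(SAMPLE_PROPERTIES,
                                       "HTTP/krb5-win.support.net@SUPPORT.NET",
                                       "SUPPORT", SAMPLE_DOMAIN_MAPPING):
        print("finding:", problem)
```

Run it against the real krb5.properties of a Studio client and the Required Principal Name of the TDV Server it should connect to; an empty result means the client will see the SSO check box and its SPN targets the right node, while a case-only mismatch in the domain mapping is reported separately because it is easy to miss by eye.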