 
Setting Up SSPI Kerberos SSO
TDV and Studio can use Security Support Provider Interface (SSPI) on Windows for Kerberos Single Sign-On (SSO) for accounts that have a service principal name (SPN).
Kerberos SSO setup assumes the customer has used the Windows Services window to create a domain name service (DNS) account under Windows for the TIBCO Data Virtualization Server. If you have no local DNS account for the TDV server, you need to set one up (for example, SUPPORT <domain> + <user> + <password>).
ODBC, JDBC, Studio, published Web services, and OData support SSPI-based Kerberos authentication.
Note: Data sources support only JGSS-based Negotiate and Kerberos authentication. If you introspect a data source set up with SSPI Kerberos authentication, you get a 401 Authentication Error message.
To prepare TDV Server and Studio for SSPI Kerberos SSO, follow these procedures:
Setting up the TDV Service for SSPI Kerberos SSO
Configuring TDV Server for SSPI Kerberos SSO
Preparing the Studio Kerberos Properties File for SSPI SSO
Setting up the TDV Service for SSPI Kerberos SSO
You need to configure services, import groups and assign privileges to set up the server side for SSPI Kerberos SSO.
Note: SSPI Kerberos Windows clients cannot authenticate the connection from TDV to the underlying data source. SSPI Kerberos Windows clients can, however, authenticate the connection to TDV.
Follow these steps to set up the TDV service for SSPI Kerberos SSO:
1. Open the Services window in your Windows environment.
For example in Windows 10, select Start > Settings. Type “services” in the Settings Search bar and click on “View Local Services” to open the Windows Services Manager.
2. Scroll to the TDV instance you are setting up for Kerberos SSO.
3. Right-click the instance and select Properties from the context menu.
You need to configure SSPI Kerberos in this Properties window.
4. On the Log On tab, select the "This account" radio button and enter the credentials of the service account that was used to set up the instance. A service account is used to access network resources with service-specific rights and permissions while minimizing the permissions required for the individual users of the application server. A domain administrator usually creates this account.
 
5. In the Studio menu bar, select Administration > Launch Manager (Web).
6. Log into the Web Manager and go to the Domain Manager page to create an LDAP domain.
7. Click Domain > Domain Name.
Ordinarily you would select the Active Directory radio button for the server URL.
8. Enter an LDAP name and password.
9. Click the Add External Group button to import the group containing TDV.
Add External Group pulls in all groups, for which you then set appropriate privileges. Once the group is created, choose the group, click on Edit Resource Privileges and grant Access Tools and Read All Resources rights.
Configuring TDV Server for SSPI Kerberos SSO
The TDV Server supports Kerberos SSO authentication for the convenience of users who have already authenticated their identity to a Kerberos domain controller.
On the server side, you need to configure TDV for SSPI Kerberos SSO.
Follow these steps to configure the TDV parameters for Kerberos SSO authentication:
1. Log into Studio as the admin user.
2. Select Administration > Configuration from the Studio menu bar.
3. In the tree pane, navigate to the Server > Configuration > Security > Authentication folder.
4. Make the following change within that folder.
 
Parameter: Windows Domain Mapping
Action and Description: Enter a key-value pair.
The key is the reported Active Directory domain of an authenticated user.
The value is the name of the LDAP domain you set up in the Web Manager (the domain you set up in Setting up the TDV Service for SSPI Kerberos SSO).
Often the Windows domain key and the LDAP name value are the same. Keys and values are case-sensitive. Provide all the case-sensitive combinations of the key-value pair to avoid any SSO authentication issues.
5. Navigate to the Kerberos subfolder.
6. Make the following changes within that folder.
 
Parameter: Allow Kerberos Authentication
Action and Description: Change this value to True. A warning helps you avoid inadvertently changing this without implementing Kerberos first.
Parameter: Native
Action and Description: Make sure this is set to True for SSPI Kerberos.
7. Click OK.
8. Restart the Server.
Preparing the Studio Kerberos Properties File for SSPI SSO
On each Studio client that is to be configured for use with SSPI single sign-on, you need to set up the krb5.properties file.
Follow these steps to set up the krb5.properties file for SSPI single sign-on:
1. In <TDV_install_dir>\conf\studio, make a copy of krb5_sample.properties and rename it krb5.properties.
2. Open an editor such as Wordpad to edit krb5.properties.
3. Make sure Native is set to true for SSPI:
Native = true
 
4. Uncomment the lines that apply to SSPI, and fill in the values appropriate to the current TDV instance. Only one spn line should be active; leave the other two forms commented out, because in a properties file a later spn line overrides an earlier one:
####################################
# SSPI #
####################################
 
##Service Principal Name or Service account
## Use exactly one of the following three forms
spn=HTTP/FullyQualified_HostName@Realm
#spn=[domain name]\\[account name]
#spn=[account name]@[domain name]
 
5. Restart Studio.
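A small checker for the krb5.properties file prepared above, added here as an example that is not part of the TDV product or this guide. It parses a Java-style properties fragment, verifies that Native is true and that exactly one spn line is active, and checks that the spn value is in one of the three forms the guide lists with no [placeholder] text left in it. The sample file contents are constructed for the example; the host and realm names are not real.

```python
import re

# Constructed sample of a Studio krb5.properties after step 4 (not the real
# krb5_sample.properties shipped with TDV; only the keys this page shows).
SAMPLE_KRB5_PROPERTIES = """\
Native = true
####################################
# SSPI #
####################################
##Service Principal Name or Service account
spn=HTTP/tdv01.corp.example.com@CORP.EXAMPLE.COM
#spn=[domain name]\\\\[account name]
#spn=[account name]@[domain name]
"""

# The three spn forms listed in the guide: HTTP/fqdn@REALM, DOMAIN\account,
# account@DOMAIN. Character classes are deliberately conservative.
SPN_FORMS = [
    re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$"),
    re.compile(r"^[A-Za-z0-9.-]+\\[^\\@\s]+$"),
    re.compile(r"^[^\\@\s]+@[A-Za-z0-9.-]+$"),
]


def parse_properties(text):
    """Return (key, value) pairs in file order, keeping duplicate keys.

    Handles the key=value form used on this page, skips blank and '#'/'!'
    comment lines, and unescapes the doubled backslash of DOMAIN\\\\account.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        pairs.append((key.strip(), value.strip().replace("\\\\", "\\")))
    return pairs


def check_sspi_properties(text):
    """Return a list of problems; an empty list means the file is ready for SSPI SSO."""
    pairs = parse_properties(text)
    problems = []
    native = [v for k, v in pairs if k == "Native"]
    if not native or native[-1].lower() != "true":
        problems.append("Native must be set to true for SSPI")
    spns = [v for k, v in pairs if k == "spn"]
    if len(spns) != 1:
        problems.append(f"expected exactly one active spn line, found {len(spns)}")
    for v in spns:
        if "[" in v or "]" in v:
            problems.append(f"spn still contains a placeholder: {v}")
        elif not any(p.match(v) for p in SPN_FORMS):
            problems.append(f"spn does not match any supported form: {v}")
    return problems
```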