Configuring Kerberos Authentication for Windows

You can configure your Kerberos setup so that you use the MIT Kerberos Ticket Manager to obtain the Ticket Granting Ticket (TGT), or so that the connector obtains the ticket directly from the Key Distribution Center (KDC). Also, if a client application already holds a Subject that contains a TGT, that Subject can be used to authenticate the connection.

Downloading and Installing MIT Kerberos for Windows

To download and install MIT Kerberos for Windows 4.0.1:

  1. Download the appropriate Kerberos installer.

    Note: The 64-bit installer includes both 32-bit and 64-bit libraries. The 32-bit installer includes 32-bit libraries only.

  2. To run the installer, double-click the .msi file that you downloaded.
  3. Follow the instructions in the installer to complete the installation process.
  4. When the installation completes, click Finish.

Using the MIT Kerberos Ticket Manager to Get Tickets

Setting the KRB5CCNAME Environment Variable

You must set the KRB5CCNAME environment variable to the path of your credential cache file.

To set the KRB5CCNAME environment variable:

  1. Click Start, then right-click Computer, and then click Properties.
  2. Click Advanced System Settings.
  3. In the System Properties dialog box, on the Advanced tab, click Environment Variables.
  4. In the Environment Variables dialog box, under the System Variables list, click New.
  5. In the New System Variable dialog box, in the Variable Name field, type KRB5CCNAME.
  6. In the Variable Value field, type the path for your credential cache file. For example, type C:\KerberosTickets.txt. This file will hold your TGT, so keep it on a local disk in a location that only your own account can read.
  7. Click OK to save the new variable.
  8. Make sure that the variable appears in the System Variables list.
  9. Click OK to close the Environment Variables dialog box, and then click OK to close the System Properties dialog box.
  10. Restart your machine.

Getting a Kerberos Ticket

To get a Kerberos ticket:

  1. Click Start, then click All Programs, and then click the Kerberos for Windows (64-bit) or Kerberos for Windows (32-bit) program group.
  2. Click MIT Kerberos Ticket Manager.
  3. In the MIT Kerberos Ticket Manager, click Get Ticket.
  4. In the Get Ticket dialog box, type your principal name and password, and then click OK.

If the authentication succeeds, then your ticket information appears in the MIT Kerberos Ticket Manager. To confirm from a command prompt that the ticket was written to the file named by KRB5CCNAME, run the klist.exe shipped with MIT Kerberos for Windows rather than the built-in Windows klist, which lists the LSA ticket cache instead of the MIT file cache.

Authenticating to the Hive Server

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To authenticate to the Hive server:

  • Use a connection URL that defines the following properties:
      • AuthMech
      • KrbHostFQDN
      • KrbRealm
      • KrbServiceName

KrbHostFQDN must match the host part of the Hive service principal (for example, the host in hive/host.example.com@REALM), so use the server's fully qualified name rather than an IP address. For detailed information about these properties, see the authentication options in Connector Configuration Options.

Using the Connector to Get Tickets

Deleting the KRB5CCNAME Environment Variable

To enable the connector to get Ticket Granting Tickets (TGTs) directly, make sure that the KRB5CCNAME environment variable has not been set.

To delete the KRB5CCNAME environment variable:

  1. Click Start, then right-click Computer, and then click Properties.
  2. Click Advanced System Settings.
  3. In the System Properties dialog box, click the Advanced tab and then click Environment Variables.
  4. In the Environment Variables dialog box, check whether the KRB5CCNAME variable appears in the System variables list. If it does, select the variable and click Delete.
  5. Click OK to close the Environment Variables dialog box, and then click OK to close the System Properties dialog box.

Setting Up the Kerberos Configuration File

To set up the Kerberos configuration file:

  1. Create a standard krb5.ini file and place it in the C:\Windows directory.
  2. Make sure that the KDC and admin server specified in the krb5.ini file can be resolved from your machine. If necessary, modify C:\Windows\System32\drivers\etc\hosts.
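As an added illustration, not taken from the original page, this is a minimal krb5.ini of the kind step 1 calls for. The realm EXAMPLE.COM and the host kdc.example.com are placeholders; substitute your own. dns_lookup_kdc is set to false so that the KDC is taken from the [realms] section, which is the name step 2 asks you to make resolvable.

```ini
; Placeholder values: EXAMPLE.COM and kdc.example.com are not real infrastructure.
[libdefaults]
    default_realm = EXAMPLE.COM
    ; Take the KDC from [realms] below rather than from DNS SRV records
    dns_lookup_kdc = false
    ; Map host names to realms via [domain_realm] rather than DNS TXT records
    dns_lookup_realm = false
    ticket_lifetime = 24h

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Both the MIT Kerberos client and the Java runtime read this file from C:\Windows, so the same file serves the Ticket Manager flow and the connector flow.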

Setting Up the JAAS Login Configuration File

To set up the JAAS login configuration file:

  1. Create a JAAS login configuration file that specifies a keytab file and doNotPrompt=true. The keytab contains the principal's long-term key, which is equivalent to its password, so restrict the file so that only the account running the client can read it.

    For example:

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="PathToTheKeyTab"
        principal="simba@SIMBA"
        doNotPrompt=true;
    };

  2. Set the java.security.auth.login.config system property to the location of the JAAS file.

    For example: C:\KerberosLoginConfig.ini.

Note:

JAAS configuration is disabled by default. To enable it, set the JDBC_ENABLE_JAAS environment variable to 1 before starting the JVM.

Authenticating to the Hive Server

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To authenticate to the Hive server:

  • Use a connection URL that defines the following properties:
      • AuthMech
      • KrbHostFQDN
      • KrbRealm
      • KrbServiceName

KrbHostFQDN must match the host part of the Hive service principal (for example, the host in hive/host.example.com@REALM), so use the server's fully qualified name rather than an IP address. For detailed information about these properties, see the authentication options in Connector Configuration Options.
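The following end-to-end example is added here and is not the connector vendor's code. It ties the preceding steps together for the keytab flow: it checks that JDBC_ENABLE_JAAS is on and KRB5CCNAME is off, points java.security.auth.login.config at the JAAS file (the same as passing -Djava.security.auth.login.config=C:\KerberosLoginConfig.ini on the java command line), and builds a connection URL carrying the four Kerberos properties. hive.example.com, EXAMPLE.COM, the service name hive, port 10000 and C:\KerberosLoginConfig.ini are placeholder values. AuthMech=1 is assumed to be the connector's Kerberos value; confirm it against Connector Configuration Options before use.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class KerberosKeytabConnect
{
    // Placeholder values; replace with your own environment's names.
    static final String JAAS_CONFIG = "C:\\KerberosLoginConfig.ini";
    static final String HOST_FQDN   = "hive.example.com";   // must match the host in the service principal
    static final String REALM       = "EXAMPLE.COM";
    static final String SERVICE     = "hive";               // service part of hive/host@REALM
    static final int    PORT        = 10000;

    // Builds the connection URL with the four Kerberos properties from the procedure above.
    // AuthMech=1 is assumed to select Kerberos in this connector family.
    static String buildUrl()
    {
        return "jdbc:hive2://" + HOST_FQDN + ":" + PORT
             + ";AuthMech=1"
             + ";KrbRealm=" + REALM
             + ";KrbHostFQDN=" + HOST_FQDN
             + ";KrbServiceName=" + SERVICE;
    }

    // Fails fast if the process environment contradicts the keytab flow.
    static void checkEnvironment()
    {
        // The connector reads the JAAS file only when this variable is 1.
        if (!"1".equals(System.getenv("JDBC_ENABLE_JAAS")))
        {
            throw new IllegalStateException("Set JDBC_ENABLE_JAAS=1 before starting the JVM");
        }
        // With KRB5CCNAME set, the connector would look for an existing cache instead
        // of obtaining its own TGT from the keytab named in the JAAS file.
        if (System.getenv("KRB5CCNAME") != null)
        {
            throw new IllegalStateException("Unset KRB5CCNAME so the connector fetches its own TGT");
        }
    }

    public static void main(String[] args) throws SQLException
    {
        checkEnvironment();

        // Equivalent to -Djava.security.auth.login.config=... on the command line.
        System.setProperty("java.security.auth.login.config", JAAS_CONFIG);

        // The connector is a JDBC 4 driver and is located through ServiceLoader,
        // so no Class.forName call is needed when its jar is on the classpath.
        try (Connection con = DriverManager.getConnection(buildUrl());
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SHOW DATABASES"))
        {
            while (rs.next())
            {
                System.out.println(rs.getString(1));
            }
        }
    }
}
```

If the connection fails with a "server not found in Kerberos database" style error, the usual cause is a KrbHostFQDN that does not match the host name registered in the service principal; check the name the KDC knows for the server before changing anything else.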

Using an Existing Subject to Authenticate the Connection

If the client application obtains a Subject with a TGT, then that Subject can be used to authenticate the connection to the server.

To use an existing Subject to authenticate the connection:

  1. Create a PrivilegedAction for establishing the connection to the database.

    For example:

    import java.security.PrivilegedAction;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;

    // Contains logic to be executed as a privileged action
    public class AuthenticateDriverAction implements PrivilegedAction<Void>
    {
        // The connection, which is established as a PrivilegedAction
        Connection con;

        // Define a string as the connection URL
        static String ConnectionURL = "jdbc:hive2://192.168.1.1:10000";

        /**
         * Logic executed in this method will have access to the
         * Subject that is used to "doAs". The connector will get
         * the Subject and use it for establishing a connection
         * with the server.
         */
        @Override
        public Void run()
        {
            try
            {
                // Establish a connection using the connection URL
                con = DriverManager.getConnection(ConnectionURL);
            }
            catch (SQLException e)
            {
                // Handle errors that are encountered during
                // interaction with the data store
                e.printStackTrace();
            }
            catch (Exception e)
            {
                // Handle other errors
                e.printStackTrace();
            }
            return null;
        }
    }

  2. Run the PrivilegedAction using the existing Subject, and then use the connection. The connection must be opened inside run(); a connection opened outside Subject.doAs does not see the Subject.

    For example (loginConfig is assumed to be a javax.security.auth.login.LoginContext on which login() has already succeeded):

    import javax.security.auth.Subject;

    // Create the action
    AuthenticateDriverAction authenticateAction = new AuthenticateDriverAction();

    // Establish the connection using the Subject for
    // authentication.
    Subject.doAs(loginConfig.getSubject(), authenticateAction);

    // Use the established connection.
    Connection con = authenticateAction.con;