Configuring Kerberos Authentication for Windows

Active Directory

The Simba Apache Spark ODBC Connector supports Active Directory Kerberos on Windows. There are two prerequisites for using Active Directory Kerberos on Windows:

  • MIT Kerberos is not installed on the client Windows machine.
  • The MIT Kerberos Hadoop realm has been configured to trust the Active Directory realm so that users in the Active Directory realm can access services in the MIT Kerberos Hadoop realm.

MIT Kerberos

Downloading and Installing MIT Kerberos for Windows 4.0.1

For information about Kerberos and download links for the installer, see the MIT Kerberos website: http://web.mit.edu/kerberos/.

To download and install MIT Kerberos for Windows 4.0.1:

  1. Download the appropriate Kerberos installer:

    Note:

    The 64-bit installer includes both 32-bit and 64-bit libraries. The 32-bit installer includes 32-bit libraries only.

  2. To run the installer, double-click the .msi file that you downloaded above.
  3. Follow the instructions in the installer to complete the installation process.
  4. When the installation completes, click Finish.

Setting Up the Kerberos Configuration File

Settings for Kerberos are specified through a configuration file. You can set up the configuration file as an .ini file in the default location, which is the C:\ProgramData\MIT\Kerberos5 directory, or as a .conf file in a custom location.

Normally, the C:\ProgramData\MIT\Kerberos5 directory is hidden. For information about viewing and using this hidden directory, refer to Microsoft Windows documentation.

Note:

For more information on configuring Kerberos, refer to the MIT Kerberos documentation.

To set up the Kerberos configuration file in the default location:

  1. Obtain a krb5.conf configuration file. You can obtain this file from your Kerberos administrator, or copy it from /etc/krb5.conf on the machine that is hosting the Spark Thrift Server instance.
  2. Rename the configuration file from krb5.conf to krb5.ini.
  3. Copy the krb5.ini file to the C:\ProgramData\MIT\Kerberos5 directory and overwrite the empty sample file.

To set up the Kerberos configuration file in a custom location:

  1. Obtain a krb5.conf configuration file. You can obtain this file from your Kerberos administrator, or copy it from /etc/krb5.conf on the machine that is hosting the Spark Thrift Server instance.
  2. Place the krb5.conf file in an accessible directory and make note of the full path name.
  3. Open the System window:
    • If you are using Windows 7 or earlier, click the Start button, then right-click Computer, and then click Properties.
    • Or, if you are using Windows 8 or later, right-click This PC on the Start screen, and then click Properties.
  4. Click Advanced System Settings.
  5. In the System Properties dialog box, click the Advanced tab and then click Environment Variables.
  6. In the Environment Variables dialog box, under the System Variables list, click New.
  7. In the New System Variable dialog box, in the Variable Name field, type KRB5_CONFIG.
  8. In the Variable Value field, type the full path to the krb5.conf file.
  9. Click OK to save the new variable.
  10. Make sure that the variable is listed in the System Variables list.
  11. Click OK to close the Environment Variables dialog box, and then click OK to close the System Properties dialog box.

Setting Up the Kerberos Credential Cache File

Kerberos uses a credential cache to store and manage credentials.

To set up the Kerberos credential cache file:

  1. Create a directory where you want to save the Kerberos credential cache file. For example, create a directory named C:\temp.
  2. Open the System window:
    • If you are using Windows 7 or earlier, click the Start button, then right-click Computer, and then click Properties.
    • Or, if you are using Windows 8 or later, right-click This PC on the Start screen, and then click Properties.
  3. Click Advanced System Settings.
  4. In the System Properties dialog box, click the Advanced tab and then click Environment Variables.
  5. In the Environment Variables dialog box, under the System Variables list, click New.
  6. In the New System Variable dialog box, in the Variable Name field, type KRB5CCNAME.
  7. In the Variable Value field, type the path to the folder you created above, and then append the file name krb5cache. For example, if you created the folder C:\temp, then type C:\temp\krb5cache.

    Note:

    krb5cache is a file (not a directory) that is managed by the Kerberos software, and it should not be created by the user. If you receive a permission error when you first use Kerberos, make sure that the krb5cache file does not already exist as a file or a directory.

  8. Click OK to save the new variable.
  9. Make sure that the variable appears in the System Variables list.
  10. Click OK to close the Environment Variables dialog box, and then click OK to close the System Properties dialog box.
  11. To make sure that Kerberos uses the new settings, restart your machine.
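
The two environment-variable procedures above (KRB5_CONFIG and KRB5CCNAME) can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the connector documentation; the configuration path C:\kerberos\krb5.conf is an assumed custom location, and C:\temp is the sample directory used above.

```powershell
# Added example, not from the connector documentation. Run elevated.
$Krb5Config = 'C:\kerberos\krb5.conf'   # assumed custom location of the config file
$CacheDir   = 'C:\temp'                 # sample directory from the procedure above
$CacheFile  = Join-Path $CacheDir 'krb5cache'

# The configuration file must already be in place before the variable points at it.
if (-not (Test-Path -LiteralPath $Krb5Config -PathType Leaf)) {
    throw "Kerberos configuration file not found: $Krb5Config"
}

# Create the cache directory only; Kerberos creates the krb5cache file itself.
if (-not (Test-Path -LiteralPath $CacheDir -PathType Container)) {
    New-Item -ItemType Directory -Path $CacheDir | Out-Null
}

# A directory named krb5cache blocks cache creation; a leftover file can cause
# the permission error described in the note above.
if (Test-Path -LiteralPath $CacheFile -PathType Container) {
    throw "$CacheFile exists as a directory; remove it before using Kerberos."
}
if (Test-Path -LiteralPath $CacheFile -PathType Leaf) {
    Write-Warning "$CacheFile already exists; remove it if Kerberos reports a permission error."
}

# Create the system (machine-level) variables, as the GUI steps do.
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $Krb5Config, 'Machine')
[Environment]::SetEnvironmentVariable('KRB5CCNAME',  $CacheFile,  'Machine')

# Read the values back from the machine scope to confirm they were stored.
foreach ($name in 'KRB5_CONFIG', 'KRB5CCNAME') {
    '{0} = {1}' -f $name, [Environment]::GetEnvironmentVariable($name, 'Machine')
}

# The cache file holds Kerberos tickets, so review who can access its directory.
(Get-Acl -LiteralPath $CacheDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# The last step of the procedure still applies: restart the machine afterwards.
```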

Obtaining a Ticket for a Kerberos Principal

A principal refers to a user or service that can authenticate to Kerberos. To authenticate to Kerberos, a principal must obtain a ticket by using a password or a keytab file. You can specify a keytab file to use, or use the default keytab file of your Kerberos configuration.

To obtain a ticket for a Kerberos principal using a password:

  1. Open MIT Kerberos Ticket Manager.
  2. In MIT Kerberos Ticket Manager, click Get Ticket.
  3. In the Get Ticket dialog box, type your principal name and password, and then click OK.
  4. If the authentication succeeds, then your ticket information appears in MIT Kerberos Ticket Manager.

To obtain a ticket for a Kerberos principal using a keytab file:

  1. Open a command prompt:
    • If you are using Windows 7 or earlier, click the Start button, then click All Programs, then click Accessories, and then click Command Prompt.
    • If you are using Windows 8 or later, click the arrow button at the bottom of the Start screen, then find the Windows System program group, and then click Command Prompt.
  2. In the Command Prompt, type a command using the following syntax:

    kinit -k -t [KeytabPath] [Principal]

    [KeytabPath] is the full path to the keytab file. For example: C:\mykeytabs\myUser.keytab.

    [Principal] is the Kerberos user principal to use for authentication. For example: myUser@EXAMPLE.COM.

  3. If the cache location KRB5CCNAME is not set or used, then use the -c option of the kinit command to specify the location of the credential cache. In the command, the -c argument must appear last. For example:

    kinit -k -t C:\mykeytabs\myUser.keytab myUser@EXAMPLE.COM -c C:\ProgramData\MIT\krbcache

    krbcache is the Kerberos cache file, not a directory.

To obtain a ticket for a Kerberos principal using the default keytab file:

Note:

For information about configuring a default keytab file for your Kerberos configuration, refer to the MIT Kerberos documentation.

  1. Open a command prompt:
    • If you are using Windows 7 or earlier, click the Start button, then click All Programs, then click Accessories, and then click Command Prompt.
    • If you are using Windows 8 or later, click the arrow button at the bottom of the Start screen, then find the Windows System program group, and then click Command Prompt.
  2. In the Command Prompt, type a command using the following syntax:

    kinit -k [principal]

    [principal] is the Kerberos user principal to use for authentication. For example: MyUser@EXAMPLE.COM.

  3. If the cache location KRB5CCNAME is not set or used, then use the -c option of the kinit command to specify the location of the credential cache. In the command, the -c argument must appear last. For example:

    kinit -k -t C:\mykeytabs\myUser.keytab myUser@EXAMPLE.COM -c C:\ProgramData\MIT\krbcache

    krbcache is the Kerberos cache file, not a directory.
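
The keytab and default-keytab procedures above can be combined into one script that checks the keytab's permissions, runs kinit with -c placed last, and confirms that a ticket was written. This is an added example, not part of the connector documentation; the keytab path, principal and cache path are the page's sample values, while the install directory C:\Program Files\MIT\Kerberos\bin and the English-language group names are assumptions.

```powershell
# Added example, not from the connector documentation.
$KfwBin    = 'C:\Program Files\MIT\Kerberos\bin'   # assumed MIT Kerberos install path
$Keytab    = 'C:\mykeytabs\myUser.keytab'          # sample value from the page
$Principal = 'myUser@EXAMPLE.COM'                  # sample value from the page
$Cache     = $env:KRB5CCNAME                       # empty when the variable is not set

if (-not (Test-Path -LiteralPath $Keytab -PathType Leaf)) {
    throw "Keytab not found: $Keytab"
}

# A keytab holds the principal's long-term key, so warn when a broad group is
# allowed to access it. Group names assume an English-language Windows install.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
(Get-Acl -LiteralPath $Keytab).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Keytab is accessible to $($_.IdentityReference)" }

# Build the kinit arguments. To use the default keytab, drop '-t' and $Keytab.
$kinitArgs = @('-k', '-t', $Keytab, $Principal)
if (-not $Cache) {
    # KRB5CCNAME is not set: name the cache explicitly, with -c as the last argument.
    $Cache = 'C:\ProgramData\MIT\krbcache'
    $kinitArgs += @('-c', $Cache)
}

# Call the MIT binaries by full path so the Windows built-in klist.exe is not used.
& (Join-Path $KfwBin 'kinit.exe') @kinitArgs
if ($LASTEXITCODE -ne 0) { throw "kinit failed with exit code $LASTEXITCODE" }

# List the tickets in the cache to confirm the ticket was obtained.
& (Join-Path $KfwBin 'klist.exe') -c $Cache
if ($LASTEXITCODE -ne 0) { throw "No usable ticket found in $Cache" }
```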