Configuring Kerberos Authentication on Windows

You can configure the connector to use the Kerberos protocol to authenticate the connection.

When you log in to Windows, the operating system automatically caches your credentials. When the connector is run, it loads your Kerberos credentials from the Windows Kerberos cache.

When using Kerberos authentication:

  • The connector sends the Kerberos default user principal name as the user name.
  • When GSSAPI is enabled (MIT Kerberos) and the Kerberos ticket is generated, the default user principal name is retrieved from the MIT Kerberos credential cache.
  • When GSSAPI is disabled (AD Kerberos) and the Kerberos ticket is generated, the default user principal name is retrieved from the Windows Kerberos credential cache.
  • If the connector is unable to retrieve the Kerberos default user principal name in either case of MIT or AD Kerberos, the connector sends the default user name StarburstODBC_Driver, and reports a warning in the connector logs.

Note:

If Kerberos authentication is enabled, then SSL is automatically enabled.

To configure the connector to use Kerberos authentication on Windows:

  1. Open the ODBC Data Source Administrator where you created the DSN, select the DSN, and then click Configure. The DSN Setup dialog box opens.
  2. From the Authentication Type drop-down list, select Kerberos Authentication.
  3. To use the MIT Kerberos library, select the Use GSSAPI check box.
  4. Optionally, to generate a ticket using a Kerberos user name and password:
    1. Select the Use Existing Kerberos Credentials check box to use the existing Kerberos Credentials, or clear the check box to generate new credentials.
    2. Click Kinit Options. The Kinit Options dialog box opens.
    3. From the Kinit Type drop-down list, select Kinit with Password.
    4. Optionally, to forward the generated Kerberos credentials, select Delegate Kerberos Credentials.
    5. In the Kerberos Username field, type your Kerberos user name.
    6. In the Kerberos Password field, type your Kerberos password.
  5. Optionally, to generate a ticket using a Kerberos user name and a keytab file:
    1. Select the Use Existing Kerberos Credentials check box to use the existing Kerberos Credentials, or clear the check box to generate new credentials.
    2. Click Kinit Options. The Kinit Options dialog box opens.
    3. From the Kinit Type drop-down list, select Kinit with Keytab.
    4. Optionally, to forward the generated Kerberos credentials, select Delegate Kerberos Credentials.
    5. In the Kerberos Username field, type your Kerberos user name.
    6. In the Keytab File Path field, select the full path of the keytab file.
  6. Optionally, to use a service principal name other than the default of HTTP, in the Service Name field, type the service name of the Starburst Enterprise server.
  7. To configure client-server verification over SSL, click SSL Options. For more information, see Configuring SSL Verification on Windows.
  8. To save your settings and close the dialog box, click OK.

You can now use the connector to authenticate through Kerberos and connect to your Starburst Enterprise server.