Keberos Authentication (agent only)
Supported warehouse types:
- SQL Server
In order to use Kerberos authentication for SQL Server, you must be connecting to your SQL Server instance via agent. Direct connection to SQL Server using Kerberos authentication is not currently supported.
To use Kerberos authentication, you must have the following ready, in order.
- krb5.conf file for Kerberos domain configuration
- Generated keytab file for non-interactive authentication
Example krb5.conf file
We recommend that you get this file from your security team. A krb5.conf file should look something like below. Make sure that the encryption types you have in the permitted_enctypes
list below contains the encryption type you choose in the keytab generation step.
[libdefaults]
default_realm = ABC.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
default_tkt_enctypes = aes128-cts aes256-cts
default_tgs_enctypes = aes128-cts aes256-cts
permitted_enctypes = aes128-cts aes256-cts
[domain_realm]
.abc.com = ABC.COM
[realms]
ABC.COM = {
kdc = kdc.abc.com
}
Generating keytab file
You will need a keytab file in order to authenticate with Kerberos without a password. We recommend that you ask your security team to generate this file so that they can verify it before you use it. If you need to generate it yourself, instructions are below.
- Get a working username and password combination you want to use for authentication.
- Run
ktutil
in the command line. - In the
ktutil
prompt, typeaddent -password -p <user name> -k 1 -e <encryption type>
, substitute your user name and the type of encryption you want to use. - It should now prompt you for your password, enter it here. Repeat steps 3 and 4 as desired for different users or encryption types.
- In the
ktutil
prompt, typewkt bigeye.keytab
to write the keytab file to disk, and move it to the folder where you have the rest of your agent config files.
Agent config
After you have your krb5.conf and keytab files ready, you need to do the following:
- Put the files in the directory where you have the rest of your agent config files, so that the container can pick up the files via the mount.
- Configure the agent to pick up the files from above, in the agent config.
An example of the changes you have to make in your agent config file at the root is below. If your file names are different or if the folder structure is different, change the values below to match what you have.
kerberosDomainConfigFile: /app/config/krb5.conf
kerberosKeytabFile: /app/config/bigeye.keytab
Then, for each source that you want to use Kerberos authentication for, make sure you configure the username on the source and turn on the useKerberos flag. An example is show below.
- identifier: 'sql server krb'
connectionFactory:
type: sqlserver
host: sqlserver.abc.com
databaseName: test_database
user: [email protected]
useKerberos: true
Updated 5 months ago