Kerberos Authentication (agent only)

Supported warehouse types:

  • SQL Server

To use Kerberos authentication for SQL Server, you must connect to your SQL Server instance through the agent. Direct connection to SQL Server using Kerberos authentication is not currently supported.

To use Kerberos authentication, you must have the following ready, in order.

  • krb5.conf file for Kerberos domain configuration
  • Generated keytab file for non-interactive authentication

Example krb5.conf file

We recommend that you get this file from your security team. A krb5.conf file should look something like the example below. Make sure that the permitted_enctypes list contains the encryption type you choose in the keytab generation step.

[libdefaults]
    default_realm = ABC.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    default_tkt_enctypes = aes128-cts aes256-cts
    default_tgs_enctypes = aes128-cts aes256-cts
    permitted_enctypes = aes128-cts aes256-cts

[domain_realm]
    .abc.com = ABC.COM

[realms]
    ABC.COM = {
        kdc = kdc.abc.com
    }

Generating keytab file

You will need a keytab file in order to authenticate with Kerberos without a password. We recommend that you ask your security team to generate this file so that they can verify it before you use it. If you need to generate it yourself, instructions are below.

  1. Get a working username and password combination you want to use for authentication.
  2. Run ktutil in the command line.
  3. In the ktutil prompt, type addent -password -p <user name> -k 1 -e <encryption type>, substituting your user name and the type of encryption you want to use.
  4. It should now prompt you for your password. Enter it here. Repeat steps 3 and 4 as desired for different users or encryption types.
  5. In the ktutil prompt, type wkt bigeye.keytab to write the keytab file to disk, and move it to the folder where you have the rest of your agent config files.
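
The krb5.conf section above requires permitted_enctypes to contain the encryption type chosen when generating the keytab. The following added example (not Bigeye's code) checks that by parsing a keytab in the version 0x0502 format and listing the entries whose encryption type is not permitted. The principal svc_bigeye, the all-zero keys and the helper make_entry are constructed for illustration.

```python
import re
import struct

# Kerberos enctype numbers and the names MIT krb5 accepts for them in krb5.conf.
ENCTYPES = {17: {"aes128-cts", "aes128-cts-hmac-sha1-96"},
            18: {"aes256-cts", "aes256-cts-hmac-sha1-96"},
            23: {"rc4-hmac", "arcfour-hmac"}}

def permitted_enctypes(krb5_conf):
    """Names on the permitted_enctypes line of a krb5.conf (empty set if absent)."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return set(re.split(r"[\s,]+", m.group(1).strip())) if m else set()

def keytab_entries(data):
    """Yield (principal, 8-bit kvno, enctype) per entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)  # pos now points at the next record
        if size <= 0:                              # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        p, parts = start + 2, []
        for _ in range(ncomp + 1):                 # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # skip name type, timestamp
        yield "/".join(parts[1:]) + "@" + parts[0], kvno, etype

def unusable_entries(keytab, krb5_conf):
    """Keytab entries whose enctype is missing from permitted_enctypes."""
    allowed = permitted_enctypes(krb5_conf)
    return [e for e in keytab_entries(keytab) if not (ENCTYPES.get(e[2], set()) & allowed)]

def make_entry(name, realm, kvno, etype, keylen):  # constructed test data, all-zero key
    names = b"".join(struct.pack(">H", len(s)) + s.encode() for s in (realm, name))
    body = (struct.pack(">H", 1) + names
            + struct.pack(">IIBHH", 1, 0, kvno, etype, keylen) + bytes(keylen))
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principal with one AES-256 and one RC4 entry.
SAMPLE_KEYTAB = (b"\x05\x02" + make_entry("svc_bigeye", "ABC.COM", 1, 18, 32)
                 + make_entry("svc_bigeye", "ABC.COM", 1, 23, 16))
SAMPLE_CONF = "[libdefaults]\n    permitted_enctypes = aes128-cts aes256-cts\n"

if __name__ == "__main__":
    print(unusable_entries(SAMPLE_KEYTAB, SAMPLE_CONF))
```

Encryption types outside the three-entry ENCTYPES table are reported as not permitted, so extend the table before relying on the result for other types.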

Agent config

After you have your krb5.conf and keytab files ready, you need to do the following:

  • Put the files in the directory where you have the rest of your agent config files, so that the container can pick up the files via the mount.
  • Configure the agent to pick up the files from above, in the agent config.

An example of the changes you have to make in your agent config file at the root is below. If your file names are different or if the folder structure is different, change the values below to match what you have.

kerberosDomainConfigFile: /app/config/krb5.conf
kerberosKeytabFile: /app/config/bigeye.keytab

Then, for each source that you want to use Kerberos authentication for, make sure you configure the username on the source and turn on the useKerberos flag. An example is shown below.

  - identifier: 'sql server krb'
    connectionFactory:
      type: sqlserver
      host: sqlserver.abc.com
      databaseName: test_database
      user: [email protected]
      useKerberos: true