
Using Kerberos Authentication with Delegated Credentials


</jdbc-type-settings>

11.5.2.3 Using Kerberos Authentication for JDBC Data Sources

Configuration of Kerberos authentication for a JDBC data source is performed in a similar way as for the connection to the Spotfire database. See section “Using Kerberos to Log In to the Spotfire Database” on page 100 for more information.

Example: Configuring a connection pool for Oracle databases

<jdbc-type-settings>
  <type-name>oracle</type-name>
  <driver>oracle.jdbc.OracleDriver</driver>
  <connection-url-pattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern>
  <ping-command>SELECT 1 FROM DUAL</ping-command>
  <connection-properties>
    <connection-property>
      <key>spotfire.kerberos.login.context</key>
      <value>DatabaseKerberos</value>
    </connection-property>
    <connection-property>
      <key>oracle.net.authentication_services</key>
      <value>( KERBEROS5 )</value>
    </connection-property>
  </connection-properties>
  ...
</jdbc-type-settings>

11.5.2.4 Using Kerberos Authentication with Delegated Credentials

To make users authenticate to different data sources with their own single sign-on login information, the server can delegate the user authentication to the data source.

This is only possible if you use the Kerberos single sign-on method.

In order to set this up, there are a number of steps that must be taken. Each of these steps is described in detail below.

1 Set up Kerberos authentication as described in the section “Kerberos Authentication” on page 66. Make sure that users are able to log in with this method.

2 Grant the Spotfire Server service account used for client authentication the right to delegate client credentials.

3 Create a JDBC data source template using Kerberos login.

Grant the Spotfire Server Service Account the Right to Delegate Client Credentials

If your Windows domain is using Windows Server 2003 or later, grant constrained delegation rights to the service account: only the specified accounts can be delegated by the service account. If you are using an earlier version of Windows Server or cannot use this method, grant unconstrained delegation rights. Both methods are described below.

Note: In order for delegation to work, you must also ensure that no client user account in the domain has the setting Account is sensitive and cannot be delegated. By default, this is not set.

To enable constrained delegation:

1 On the Domain Controller, select Start > Programs > Administrative Tools.

2 Select Active Directory Users and Computers.

3 Locate the account.

4 Right-click the account name, and then click Properties to open the account properties.

5 On the Delegation tab, select Trust this user for delegation to specified services only.

Note: The Delegation tab is only visible for accounts that SPNs are mapped to.

6 Select Use any authentication protocol.

7 Click Add.

8 Click Users or Computers and select the account that Spotfire Server has a keytab for and the SPNs are mapped to.

9 Select all services that apply and click OK.

10 Click Apply.

To enable unconstrained delegation for an account on a Domain Controller in Windows 2000 Mixed or Native Mode:

1 On the Domain Controller, select Start > Programs > Administrative Tools.

2 Select Active Directory Users and Computers.

3 Locate the account.

4 Right-click the account name, and then click Properties to open the account properties.

5 Select the Account tab and select Account is trusted for delegation in the Account Options list.

6 Click Apply.

To Enable Unconstrained Delegation on a Domain Controller in Windows Server 2003 Mode:

1 On the Domain Controller, select Start > Programs > Administrative Tools.

2 Select Active Directory Users and Computers.

3 Locate the account.

4 Right-click the account name, and then click Properties to open the account properties.

5 On the Delegation tab, select Trust this user for delegation to any service (Kerberos only), and then click Apply.

Note: The Delegation tab is only visible for accounts that SPNs are mapped to.

Create an Information Services data source template using Kerberos login

The default Information Services Data Source templates shipped with Spotfire Server are not configured to use Kerberos. You must therefore create a new data source template based on one of the shipped templates.

To Create an Information Services data source using Kerberos login:

1 Use the list-ds-template (page 257) command to list the existing data source templates and select one that matches the database you are setting up, for example Oracle.

2 Use the export-ds-template (page 245) command to export the definition of the selected data source template.

3 In a text editor, open the exported definition file.

Add the JDBC connection property key spotfire.connection.pool.factory.data.source with the value kerberos.data.source within the connection-properties element. If there is no connection-properties element, create one.

There may also be other connection properties you must add; consult the documentation of the database server for more information. See “Defining JDBC Connection Properties” on page 163 for general instructions about adding connection properties.

Example:

<jdbc-type-settings>
  <type-name>oracle</type-name>
  <driver>oracle.jdbc.OracleDriver</driver>
  <connection-url-pattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern>
  <ping-command>SELECT 1 FROM DUAL</ping-command>
  <connection-properties>
    <connection-property>
      <key>spotfire.connection.pool.factory.data.source</key>
      <value>kerberos.data.source</value>
    </connection-property>
    <connection-property>
      <key>oracle.net.authentication_services</key>
      <value>(KERBEROS5)</value>
    </connection-property>
  </connection-properties>
</jdbc-type-settings>

4 Use the add-ds-template command (page 193) to add the new data source template with a suitable name, like oracle_kerberos, using the modified template definition.

5 Import the configuration and restart the server.
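The edit in step 3 is easy to get wrong by hand (a misspelled key, a wrong value, or no connection-properties element at all), and a template that silently falls back to the non-Kerberos pool factory would connect with the server's credentials instead of the user's. The following script, an added example that is not part of the Spotfire product or this manual, checks an exported template for the delegation property and inserts or corrects it, creating the connection-properties element when the template has none; it assumes the exported file has the jdbc-type-settings layout shown in the examples above, and the sample template in the code is constructed for illustration.

```python
"""Check and patch a Spotfire JDBC data source template for delegated Kerberos login."""
import xml.etree.ElementTree as ET

# Key and value required by the manual for delegated Kerberos login (step 3).
DELEGATION_KEY = "spotfire.connection.pool.factory.data.source"
DELEGATION_VALUE = "kerberos.data.source"


def _properties(root):
    """Return {key: value} for every <connection-property> in the template."""
    props = {}
    for prop in root.iterfind("./connection-properties/connection-property"):
        key = prop.findtext("key", default="").strip()
        props[key] = prop.findtext("value", default="").strip()
    return props


def check_template(xml_text):
    """Return a list of problems that would prevent delegated login; [] means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "jdbc-type-settings":
        problems.append("root element is <%s>, expected <jdbc-type-settings>" % root.tag)
    props = _properties(root)
    if DELEGATION_KEY not in props:
        problems.append("missing connection property %s" % DELEGATION_KEY)
    elif props[DELEGATION_KEY] != DELEGATION_VALUE:
        problems.append("%s is %r, expected %r" % (DELEGATION_KEY, props[DELEGATION_KEY], DELEGATION_VALUE))
    return problems


def add_delegation_property(xml_text):
    """Return the template with the delegation property set to the required value,
    creating <connection-properties> if the exported template has none."""
    root = ET.fromstring(xml_text)
    container = root.find("connection-properties")
    if container is None:
        container = ET.SubElement(root, "connection-properties")
    for prop in container.findall("connection-property"):
        if prop.findtext("key", default="").strip() == DELEGATION_KEY:
            value = prop.find("value")
            if value is None:
                value = ET.SubElement(prop, "value")
            value.text = DELEGATION_VALUE  # correct a wrong value in place
            break
    else:  # no matching property found: append a new one
        prop = ET.SubElement(container, "connection-property")
        ET.SubElement(prop, "key").text = DELEGATION_KEY
        ET.SubElement(prop, "value").text = DELEGATION_VALUE
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a default (non-Kerberos) Oracle template as exported in step 2.
SAMPLE_DEFAULT_TEMPLATE = """<jdbc-type-settings>
  <type-name>oracle</type-name>
  <driver>oracle.jdbc.OracleDriver</driver>
  <connection-url-pattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern>
  <ping-command>SELECT 1 FROM DUAL</ping-command>
</jdbc-type-settings>"""

if __name__ == "__main__":
    print(check_template(SAMPLE_DEFAULT_TEMPLATE))
    print(check_template(add_delegation_property(SAMPLE_DEFAULT_TEMPLATE)))
```

Run check_template against the file before step 4 so the template added with add-ds-template is the corrected one, not the default.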