
Configuring Kerberos SSO Settings

Kerberos is an enterprise authentication protocol that uses the concept of tickets and three-way authentication to enable users and computers to identify themselves and secure access to resources.

Zoomdata now supports Kerberos as a Single Sign On (SSO) mechanism in addition to our existing SSO support for SAML and X.509 client certificates. Using Kerberos SSO, users can seamlessly log in to Zoomdata, and administrators can completely externalize and centrally manage users, roles, and group memberships using their existing Kerberos infrastructure. You can learn more about Kerberos in the Kerberos documentation.

How It Works

When using Kerberos with Zoomdata, the workflow is as follows:

  1. A user logs in to the company domain (for example, by logging in to a Windows workstation) and is authenticated with Kerberos. In Windows environments, the Kerberos service is most likely Active Directory.
  2. In a browser window, the user visits the Zoomdata application, and Zoomdata uses the user's Kerberos identity to log them in automatically. If this is the user's first visit to Zoomdata, Zoomdata auto-provisions them as a new user in the Zoomdata environment.
  3. Kerberos authentication is often paired with LDAP to look up a user's authorization or group membership. Zoomdata looks up the user's role or group membership in LDAP. For more information, see the article on LDAP.


Prerequisites

Before you start configuring settings for Zoomdata to use Kerberos, you must:

  • create a Kerberos Principal for the Zoomdata service. For more information on how to create a Kerberos Principal, refer to the Kerberos documentation.
  • create the keytab file on the instance where the KDC runs and upload it to the Zoomdata server.

How to Generate the Keytab File

To generate a .keytab for an existing AD user, run the following command on the AD server:

ktpass -out file_name.keytab -princ HTTP/zoomdata_host@realm -mapUser user_name -pass user_password -crypto RC4-HMAC -pType KRB5_NT_PRINCIPAL

To generate a .keytab for an existing MIT Kerberos user, run the following commands on the LDAP server side:

$ kadmin
kadmin: xst -e "rc4-hmac" -k file_name.keytab HTTP/zoomdata_host@realm
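As an added example that is not part of the Zoomdata documentation, the following Python script parses an MIT-format keytab (version 0x0502) and checks, before you upload it, that it actually holds the expected HTTP/host@REALM entry and whether it contains the rc4-hmac enctype that -crypto RC4-HMAC produces (deprecated by RFC 8429, so prefer AES if your KDC and Zoomdata server allow it). The sample keytab is constructed inline for offline testing; the host, realm and key in it are placeholders.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {23}   # rc4-hmac (RFC 4757) is deprecated by RFC 8429

def _unpack_octets(buf, pos):
    # counted_octet_string: uint16 length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for an MIT keytab (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _unpack_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _unpack_octets(data, pos)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, keyblock enctype (uint16)
        _name_type, _timestamp, kvno, enctype = struct.unpack_from(">IIBH", data, pos)
        _key, pos = _unpack_octets(data, pos + 11)
        if end - pos >= 4:               # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def check_keytab(data, expected_principal):
    """True if the expected HTTP/host@REALM principal is present, plus any weak enctypes found."""
    entries = parse_keytab(data)
    present = any(p == expected_principal for p, _, _ in entries)
    weak = sorted(ENCTYPES.get(e, str(e)) for _, _, e in entries if e in WEAK_ENCTYPES)
    return present, weak

def build_sample_keytab(principal, enctype, key):
    """Constructed one-entry keytab for offline testing (not produced by a real KDC)."""
    name, realm = principal.split("@")
    pack = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", name.count("/") + 1) + pack(realm.encode())
    body += b"".join(pack(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIB", 1, 0, 3) + struct.pack(">H", enctype) + pack(key)  # NT_PRINCIPAL, ts, kvno 3
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run it against a real keytab with check_keytab(open(path, "rb").read(), "HTTP/zoomdata_host@realm").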

Configuring General Settings

To configure the Kerberos settings for Zoomdata Server, complete the following steps:

  1. Enable the Kerberos SSO service under the Security Services tab. Keep in mind that if you have SAML or X.509 authentication enabled, you must disable it first to use Kerberos.
  2. Restart the Zoomdata Server by running the following command:

    sudo service zoomdata restart
  3. Log in as a supervisor and click Security. Navigate to the Kerberos Settings tab.
  4. Toggle the Enable Kerberos switch on.
  5. Specify the Kerberos Service Principal.
  6. Click Upload Kerberos Keytab File and upload the .keytab file that you generated earlier.
  7. Select Include Kerberos realm/domain name in auto provisioned Zoomdata username if you want user names in the following format: user_name@realm
  8. Save your settings.

Configuring the Settings on the Client Side

Perform the steps listed below on the client instance that will connect to the kerberized Zoomdata server.

  1. Install the Kerberos command line tools:

    sudo yum install krb5-workstation
    sudo yum install krb5-libs
  2. Edit the krb5.conf file and specify the host on which the Zoomdata server runs:

    [libdefaults]
    default_realm = ZOOMDATA.LOCAL
    [realms]
    ZOOMDATA.LOCAL = {
    kdc = zoomdata_host.local
    admin_server = zoomdata_host.local
    }
    [logging]
    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5.log
    [domain_realm]
    .zoomdata.local = ZOOMDATA.LOCAL
    zoomdata.local = ZOOMDATA.LOCAL
  3. List all the Kerberos tickets available on the current instance:

    klist
  4. Remove all the Kerberos tickets (if there are any):

    kdestroy -A
  5. Obtain a Kerberos ticket for a user (the realm is not required if a default one is specified in krb5.conf).
  6. Configure your browser to support Kerberos SSO to Zoomdata.

To authenticate a user with a Kerberos ticket in Zoomdata, you must either enable LDAP auto-provisioning or create a user with the same name in Zoomdata.
