
Configuring Kerberos Single Sign-On (SSO) Settings

Kerberos is an enterprise authentication protocol that uses the concept of tickets and three-way authentication to enable users and computers to identify themselves and secure access to resources.

Zoomdata now supports Kerberos as a Single Sign-On (SSO) mechanism in addition to its existing SSO support for SAML and X.509 client certificates. With Kerberos SSO, users log in to Zoomdata seamlessly, and administrators can fully externalize and centrally manage users and group memberships using their existing Kerberos infrastructure. You can learn more about Kerberos in its official documentation.

How It Works

When using Kerberos with Zoomdata, the workflow is as follows:

  1. A user logs in to the company domain (for example, by logging in to a Windows workstation) and is authenticated with Kerberos. In Windows environments, this is most likely Active Directory.
  2. In a browser, the user visits the Zoomdata application, and Zoomdata uses the user's Kerberos identity to log them in automatically. If this is the user's first visit to Zoomdata, Zoomdata auto-provisions them as a new user in the Zoomdata environment.
  3. Kerberos authentication is often paired with LDAP to look up a user's authorization or group membership; Zoomdata looks up the user's group membership this way. For more information, see Using Lightweight Directory Access Protocol (LDAP) With Zoomdata.

Prerequisites

Before you start configuring settings for Zoomdata to use Kerberos, you must:

  • Create a Kerberos principal. For details on creating a principal, refer to the Kerberos documentation.
  • Create the keytab file on the instance where the KDC runs and upload it to the Zoomdata server.

How to Generate the Keytab File

To generate the .keytab file for an existing AD user, run the following command on the AD server (the service principal must be of the form HTTP/<zoomdata_host>@<realm>):

ktpass -out <file_name>.keytab ^
       -princ HTTP/<zoomdata_host>@<realm> ^
       -mapUser <user_name> ^
       -pass <user_password> ^
       -crypto RC4-HMAC ^
       -pType KRB5_NT_PRINCIPAL

To generate the .keytab file for an existing MIT Kerberos (LDAP-backed) user, run the following command on the LDAP server:

$ kadmin
kadmin: xst -e "rc4-hmac" -k <file_name>.keytab HTTP/<zoomdata_host>@<realm>
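Before uploading the keytab, it is worth confirming what it actually contains: that the HTTP/<zoomdata_host>@<realm> principal is present and which encryption type its key uses. The following Python script is an added example (not Zoomdata's code or part of this page): it parses an MIT-format keytab, checks for the expected principal and flags RC4-HMAC keys (RFC 4757), which RFC 8429 deprecates; the host name zoomdata.example.local and the key bytes are constructed placeholders.

```python
import struct
WEAK_ENCTYPES = {23: "rc4-hmac"}  # RFC 4757 RC4-HMAC, deprecated by RFC 8429

def _counted(buf, pos):  # uint16 length-prefixed octet string -> (bytes, next_pos)
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for each live entry of an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                             # skip name_type and timestamp
        kvno, etype = data[p], struct.unpack_from(">H", data, p + 1)[0]
        _key, p = _counted(data, p + 3)    # key material is read past, never shown
        if end - p >= 4 and struct.unpack_from(">I", data, p)[0]:
            kvno = struct.unpack_from(">I", data, p)[0]  # optional 32-bit kvno wins
        entries.append(("/".join(comps) + "@" + realm.decode(), etype, kvno))
        pos = end
    return entries

def check_keytab(data, expected_principal):
    """Confirm the service principal is present and flag weak encryption types."""
    entries = parse_keytab(data)
    findings = [f"{p} kvno {v}: weak enctype {WEAK_ENCTYPES[e]}"
                for p, e, v in entries if e in WEAK_ENCTYPES]
    if all(p != expected_principal for p, _, _ in entries):
        findings.append(f"missing principal {expected_principal}")
    return not findings, findings

def build_keytab(principal, etype, kvno, key):  # serializes one entry (sample input only)
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the page's HTTP/<zoomdata_host>@<realm> principal keyed with RC4-HMAC
SAMPLE_KEYTAB = build_keytab("HTTP/zoomdata.example.local@ZOOMDATA.LOCAL", 23, 3, b"\x11" * 16)
```

Running check_keytab on a real keytab (read with open(path, "rb")) reports the weak-enctype finding for an RC4-HMAC key and an empty list for an AES key.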

Configuring General Settings

To configure the Kerberos settings for Zoomdata Server, complete the following steps:

  1. Enable the Kerberos SSO service on the Security Services tab. Keep in mind that if SAML or X.509 authentication is enabled, you must disable it first in order to use Kerberos.
  2. Restart the Zoomdata server by running the following command:

    sudo service zoomdata restart
  3. Log in as a supervisor and click Security. Navigate to the Kerberos Settings tab.
  4. Toggle the Enable Kerberos switch on.
  5. Specify the Kerberos Service Principal.
  6. Click Upload Kerberos Keytab File and upload the .keytab file that you generated earlier.
  7. Select the Include Kerberos realm/domain name in auto provisioned Zoomdata username option if you want user names in the format username@realm.
  8. Save your settings.

Configuring the Settings on the Client Side

Perform the steps listed below on the client instance that will connect to kerberized Zoomdata.

  1. Install the Kerberos command line tools:

    sudo yum install krb5-workstation   
    sudo yum install krb5-libs
  2. Open the krb5.conf file and specify the realm and the host on which the Zoomdata server runs:

    [libdefaults]
    default_realm = ZOOMDATA.LOCAL

    [realms]
    ZOOMDATA.LOCAL = {
        kdc = <zoomdata_host>.local
        admin_server = <zoomdata_host>.local
    }

    [logging]
    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5.log

    [domain_realm]
    .zoomdata.local = ZOOMDATA.LOCAL
    zoomdata.local = ZOOMDATA.LOCAL
  3. List all the Kerberos tickets available on the current instance:

    klist
  4. Remove all the Kerberos tickets (if there are any):

    kdestroy -A
  5. Obtain a Kerberos ticket for a user (the realm is not required if there is a default one specified in krb5.conf):

    kinit user@ZOOMDATA.LOCAL
  6. Configure your browser to support Kerberos SSO to Zoomdata.

To authenticate a user with a Kerberos ticket in Zoomdata, you must either enable LDAP autoprovisioning or create a user with the same name in Zoomdata.
