Configuring single sign-on with Kerberos

On a Windows platform, the IBM Netezza ODBC driver supports an empty username, in which case the user is read from the Kerberos ticket stored in the Kerberos cache. This allows you to skip supplying the user and password during the ODBC connection.

About this task

This feature requires the Netezza PureData System for Analytics to be in Kerberos authentication mode. This feature is provided starting with version 7.2.1.4. Perform the following steps to enable the Single Sign-On feature.

Procedure

  1. Install the Netezza 7.2.1.4 Windows ODBC driver.
  2. Add the Netezza ODBC Data source.
  3. Enable the ODBC data source setting to read the user from the Kerberos cache.
  4. Open the Advanced DSN Options tab and select the check box for Force Cache Username.
  5. Click OK.
  6. Configure Kerberos:
    1. Copy the /nz/data/config/krb5.conf file from the Netezza PDA Server to the Windows client system and rename it to krb5.ini.
    2. Copy krb5.ini to the location of your choice:
      • the default location, C:\ProgramData\MIT\Kerberos5
      • any other customized location, such as C:\Windows\krb5.ini; in this case, set the system environment variable KRB5_CONFIG to this customized location.
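
The following PowerShell check for step 6 is an added example, not part of the IBM documentation. It assumes that KRB5_CONFIG, when set as a system variable, takes precedence over the default location (as in MIT Kerberos); the function name Get-Krb5IniStatus is hypothetical.

```powershell
# Added example: report which krb5.ini is in effect after step 6 and sanity-check it.
# The paths are the ones named in the procedure; the function name is hypothetical.
function Get-Krb5IniStatus {
    [CmdletBinding()]
    param(
        # Default location from step 6.2
        [string]$DefaultDir = 'C:\ProgramData\MIT\Kerberos5'
    )

    # Assumption: a system-level KRB5_CONFIG overrides the default location.
    $custom = [Environment]::GetEnvironmentVariable('KRB5_CONFIG', 'Machine')
    $path   = if ($custom) { $custom } else { Join-Path $DefaultDir 'krb5.ini' }
    $source = if ($custom) { 'KRB5_CONFIG' } else { 'default location' }

    $status = [ordered]@{
        Path         = $path
        Source       = $source
        Exists       = Test-Path -LiteralPath $path -PathType Leaf
        NotRenamed   = $false   # krb5.conf was copied but never renamed to krb5.ini
        DefaultRealm = $null
        RealmDefined = $false   # default realm has a stanza under [realms]
    }

    if (-not $status.Exists) {
        # Common slip in step 6.1: the file is still called krb5.conf.
        $dir = Split-Path -Path $path -Parent
        if ($dir) {
            $status.NotRenamed = Test-Path -LiteralPath (Join-Path $dir 'krb5.conf') -PathType Leaf
        }
        return [pscustomobject]$status
    }

    $text = Get-Content -LiteralPath $path -Raw
    if ($text -match '(?m)^\s*default_realm\s*=\s*(\S+)') {
        $realm = $Matches[1]
        $status.DefaultRealm = $realm
        # False is not always an error: the KDC may be located through DNS instead.
        $status.RealmDefined = $text -match ('(?m)^\s*' + [regex]::Escape($realm) + '\s*=\s*\{')
    }
    [pscustomobject]$status
}

Get-Krb5IniStatus | Format-List
```

Compare the reported DefaultRealm with the realm in /nz/data/config/krb5.conf on the server; a mismatch means the client is reading a different file than the one you copied.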

Results

Once this option is enabled, the user cannot provide a username while connecting to the NPS system from the ODBC driver. The username is fetched directly from the existing ticket in the Kerberos cache.