Kerberos Single Sign-On

Exasol supports single-sign functionality using Kerberos. By supporting Kerberos based single sign-on (in JDBC and ODBC), users can authenticate to Exasol using their Kerberos credentials. This allows for a seamless user experience.

Kerberos is centered around its Key Distribution Center (KDC). To use Kerberos based single sign-on in Exasol, a keytab file must be provided by your Key Distribution center or by your Active Directory administrator for Windows system. This keytab file consists of the service principles for Exasol databases. This keytab file is uploaded through EXAoperation.

Enable Kerberos in Exasol

You can follow the below steps to enable Kerberos in Exasol.

  1. In EXAoperation, go to Services > EXASolution and select the database name to open EXASolution Instance for it.
  2. Shut down the database if it is running by selecting Shutdown from the Actions... drop down list and click Submit. Wait until the database is offline.
  3. Upload the keytab file to be used in the cluster. Click the Browse button located at the bottom and then click Upload Keytab File.
  4. As an optional step after you have uploaded the keytab file, you can set additional parameter values. Click Edit to edit the database and set the values for the following parameters: 
    • Kerberos Service Name
    • Kerberos Host Name
    • Kerberos Realm

    Setting these values are optional. For a brief description of these parameters, refer to the Kerberos Parameters table below.

  5. Click Apply and then start the database.

Kerberos Parameters
Parameters Description
Kerberos Service Name

If a Kerberos Service Name is specified, then only the specified Kerberos service can be requested by the client. If no service name is specified, any Kerberos service requested by the client is accepted provided that the service exists in the uploaded keytab file.

The default Kerberos Service Name is exasol.

Kerberos Host Name

If a Kerberos Host Name is specified, then only that hostname is accepted by the client, regardless of whether the uploaded keytab file contains entries for other hostnames.

The hostname of the Kerberos principal is valid cluster-wide, which means that it can be considered virtual. If no hostname is specified, the hostname will not be checked during Kerberos authentication.

Kerberos Realm

If a Kerberos realm is specified, then only users of this realm will be accepted, regardless of whether the uploaded keytab contains entries for other realms.

If no Kerberos realm is specified, then by default users from all the realms are accepted, provided there is an entry of the realm in the keytab file.