Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Similar documents
How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

How to Run a PowerCenter Workflow from SAP

Migrating Mappings and Mapplets from a PowerCenter Repository to a Model Repository

Understanding the Local KDC

Configuring SAML-based Single Sign-on for Informatica Web Applications

PowerExchange for Facebook: How to Configure Open Authentication using the OAuth Utility

Enabling SAML Authentication in an Informatica 10.2.x Domain

Subversion Plugin HTTPS Kerberos authentication

Using Synchronization in Profiling

SAS Grid Manager and Kerberos Authentication

Kerberos and NFS4 on Linux. isginf Workshop

How to Use Full Pushdown Optimization in PowerCenter

How to Run the Big Data Management Utility Update for 10.1

How to Integrate an External Authentication Server

How to Configure Big Data Management 10.1 for MapR 5.1 Security Features

Increasing Performance for PowerCenter Sessions that Use Partitions

Code Page Configuration in PowerCenter

Creating Column Profiles on LDAP Data Objects

How to Configure the SAP Secure Network Communication Protocol in PowerCenter Version 9.6.x

Changing the Password of the Proactive Monitoring Database User

Publishing and Subscribing to Cloud Applications with Data Integration Hub

Running PowerCenter Advanced Edition in Split Domain Mode

Creating a Subset of Production Data

Business Glossary Best Practices

Security Provider Integration: Kerberos Server

Active Directory Attacks and Detection

One Identity Defender 5.9. Product Overview

Pyramid 2018 Kerberos Guide Guidelines and best practices for how deploy Pyramid 2018 with Kerberos

Creating OData Custom Composite Keys

How to Optimize Jobs on the Data Integration Service for Performance and Stability

Optimizing Session Caches in PowerCenter

Using Data Replication with Merge Apply and Audit Apply in a Single Configuration

Novell Kerberos Login Method for NMASTM

Using Standard Generation Rules to Generate Test Data

Security Provider Integration Kerberos Server

Security Enhancements in Informatica 9.6.x

Configuring Kerberos

Configuring a JDBC Resource for IBM DB2/ iseries in Metadata Manager HotFix 2

Dynamic Data Masking: Capturing the SET QUOTED_IDENTIFER Value in a Microsoft SQL Server or Sybase Database

Active Directory Attacks and Detection

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

User Authentication Principles and Methods

Florence Blanc-Renaud Senior Software Engineer - Identity Management - Red Hat

DoD Common Access Card Authentication. Feature Description

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

FULLY QUALIFIED DOMAIN NAMES (FQDNS) IN ACTIVE DIRECTORY CANNOT EXCEED 64 CHARACTERS IN TOTAL LENGTH, INCLUDING HYPHENS AND PERIODS (.).

AUTHENTICATION APPLICATION

Configuring Secure Communication to Oracle to Import Source and Target Definitions in PowerCenter

<Insert Picture Here> Active Directory and Windows Security Integration with Oracle Database

TIBCO Spotfire Connecting to a Kerberized Data Source

Detecting Outliers in Column Profile Results in Informatica Analyst

Container-based Authentication for MDM- ActiveVOS in WebSphere

HP Operations Orchestration Software

Informatica Cloud Spring Complex File Connector Guide

CPSC 467b: Cryptography and Computer Security

Pre-Installation Tasks Before you apply the update, shut down the Informatica domain and perform the pre-installation tasks.

Kerberos and Active Directory symmetric cryptography in practice COSC412

Aggregate Data in Informatica Developer

Network Security Essentials

MIT Kerberos & Red Hat

VMware Identity Manager Administration

Data Validation Option Best Practices

Using MDM Big Data Relationship Management to Perform the Match Process for MDM Multidomain Edition

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

How to Configure MapR Hive ODBC Connector with PowerCenter on Linux

PowerCenter Repository Maintenance

Exam : JN Title : Juniper Networks Certified Internet Assoc(JNCIA-SSL) Exam. Version : Demo

Pentaho, Linux, and Microsoft Active Directory Authentication with Kerberos

Proposed User Experience for Handling Multiple Identity Providers in Network Identity Manager 2.0

How to Convert an SQL Query to a Mapping

Network Security: Kerberos. Tuomas Aura

Data Integration Service Optimization and Stability

Directory Services. MacSysAdmin 2012

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

Security Provider Integration Kerberos Authentication

Host Access Management and Security Server Administrative Console Users Guide. August 2016

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

One Identity Authentication Services Defender Integration Guide

How to Migrate RFC/BAPI Function Mappings to Use a BAPI/RFC Transformation

Smart Cards for Remote Authentication 3. Prerequisites 3. Install the Smart Card Driver 4

SAS Viya 3.3 Administration: Authentication

Remote Support Security Provider Integration: RADIUS Server

How to Install and Configure EBF16193 for Hortonworks HDP 2.3 and HotFix 3 Update 2

Creating a Column Profile on a Logical Data Object in Informatica Developer

Arcserve Backup for Windows

Kerberos User Guide. Release 1.13 MIT

Configuring Intelligent Streaming 10.2 For Kafka on MapR

Centrify Infrastructure Services

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

New Features and Enhancements in Big Data Management 10.2

Updates from MIT Kerberos

Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology. Kerberos 5 Upgrade

White Paper. Fabasoft on Linux - Fabasoft Folio Web Management. Fabasoft Folio 2017 R1 Update Rollup 1

Factotum Sep. 24, 2007

Customer Online Support Demonstration. 1

Cryptography and Network Security

Cloud Access Manager Overview

Setting Up Identity Management

Spotfire Security. Peter McKinnis July 2017

Transcription:

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain Copyright Informatica LLC 2016, 2018. Informatica LLC. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC. All other company and product names may be trade names or trademarks of their respective owners and/or copyrighted materials of such owners.

Abstract Two-factor authentication (2FA), utilizing smart cards or USB tokens, is a popular network security mechanism. This article explains how two-factor authentication works in an Informatica domain configured to use Kerberos authentication. The information in the article might also be useful when troubleshooting authentication issues. Supported Versions Informatica Big Data Management 9.6.1, 10.0, 10.1 Informatica Data Quality 9.6.1, 10.0, 10.1 Informatica Data Services 9.6.1, 10.0, 10.1 Informatica PowerCenter 9.6.1, 10.0, 10.1 Table of Contents Overview.... 2 Requirements.... 2 How It Works.... 3 View the Kerberos Tickets Created for a User.... 4 Increase the Kerberos Buffer Size to Accommodate Large Tokens.... 5 Overview You must first establish connectivity using two-factor authentication (2FA) to your internal network utilizing smart cards or USB tokens. After an Informatica client user logs in to the network using two-factor authentication, Informatica uses the Kerberos authentication protocol to enable the user to access assets such as nodes and services within the Informatica domain hosted on supported platforms as per the PAM. The following Informatica clients on a 2FA enabled Windows server can connect to a Kerberos-enabled Informatica domain: Thick clients such as the PowerCenter Client and Informatica Developer (the Developer tool) Web clients such as Informatica Administrator (the Administrator tool) Command-line clients such as infacmd, pmcmd, and pmrep Kerberos tickets enable Informatica client users to authenticate with Informatica domain assets, without requiring users to log in to each asset. You can view the Kerberos tickets generated for client users to help troubleshoot issues. You can also increase the Kerberos token buffer size if needed to resolve authentication failures. Requirements Validate the following requirements to ensure that two-factor authentication is done before connecting to the Informatica domain: Verify that the Windows server hosting the Informatica client tools is configured to use two-factor authentication. Confirm that the network is configured to use Microsoft Active Directory, which maintains user account information required by Kerberos. 2

Ensure that the Informatica domain is configured to use Kerberos authentication. You can enable Kerberos authentication during the Informatica domain installation, or use the Informatica command line programs to configure it post-installation. See the Informatica Installation and Configuration Guide for instructions on configuring an Informatica domain during installation. See the Informatica Security Guide for more information about configuring an Informatica domain to use Kerberos authentication post-installation. Note: Informatica does not support cross-realm or multi-realm Kerberos authentication. The Informatica domain nodes, the Kerberos authentication server, and the computers hosting Informatica clients must all be in the same Kerberos realm. How It Works The Informatica two-factor authentication implementation uses Kerberos tickets to authenticate Informatica client users on assets such as nodes and services within the Informatica domain. The following outline describes the basic Kerberos authentication flow: An Informatica client user logs in to a network computer hosting an Informatica client using a device such as a smart card or a USB token. The login request is directed to the Authentication Server, a component of the Kerberos Key Distribution Center (KDC). The KDC is a network service with access to user account information that runs on each domain controller within the Active Directory domain. The Authentication Server creates a Kerberos token called a Ticket-Granting-Ticket (TGT) on the user's computer. 3

The user attempts to access an asset within the Informatica domain through an Informatica client. Informatica and the Kerberos libraries use the TGT to request a service ticket and session key for the requested domain asset from the Ticket Granting Server, which also runs within the KDC. For example, if the user accesses a PowerCenter Repository Service from the PowerCenter Client, the TGT requests a service ticket for the node the PowerCenter Repository Service is running on. The TGT also requests a service ticket for the PowerCenter Repository Service. The service ticket is cached on the computer hosting the Informatica client, enabling the client to use the ticket as long as it remains valid. If the user shuts down and then restarts the Informatica client, the client reuses the same ticket to access assets within the Informatica domain. Forwardable and Renewable Tickets The Ticket Flags field notes any Kerberos ticket flags set on the ticket. If a TGT or service ticket is flagged as renewable, the Informatica client can renew ticket at any point during the login session, without requiring the user to provide login credentials. If a ticket is flagged as forwardable, Kerberos can use it to authenticate the user on a remote server, and enable the user to run an Informatica client on that server. For example, if the user wants to use the Secure Socket Shell (SSH) protocol to run the pmcmd command-line client on a remote server, Kerberos requests a service ticket for the remote server on the user's computer. Kerberos also forwards the original TGT to the remote server, so new service tickets can be created on the remote server. The user is therefore able to access Informatica domain assets from the Informatica client running on the remote server, without having to log in on the remote server. The following image shows the output of the Windows klist command, which lists details for the Kerberos tickets cached on an Informatica client user's computer. The krbtgt in the service name identifies the ticket shown as a TGT. The Ticket Flags field indicates that the ticket is both forwardable and renewable. View the Kerberos Tickets Created for a User You can use the Windows klist command to view the cached Kerberos ticket-granting-tickets and service tickets created for an Informatica client user. You might want to view tickets when trying to troubleshoot authentication issues. At minimum, it can be used to verify that a Kerberos ticket has been issued to the user. To view the tickets created for a user on a computer hosting an Informatica client, type klist at the Windows command prompt. This the default option for the command, and returns all cached Kerberos tickets for network services the user has authenticated with. 4

Increase the Kerberos Buffer Size to Accommodate Large Tokens You can increase the Kerberos buffer size on computers hosting Informatica clients if large tokens cause user authentication issues. Depending on the Windows network configuration, Kerberos tickets created for a user may include Privilege Account Certificate (PAC) information. The PAC structure contains such data such as the user's security identifiers, group membership, user profile information, and password credentials. Depending on the amount of data stored, the PAC might make Kerberos tokens larger than the default allocated buffer size, resulting in authentication failures. You can increase the Kerberos buffer size by adding the following value to the HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\Lsa\Kerberos\Parameters registry key on computers hosting Informatica clients: Entry: MaxTokenSize Type: REG_DWORD Base: Decimal Data: 48000 Author Dan Hynes Principal Technical Writer 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback