Configuring Kerberos Authentication for Windows

IMPORTANT: This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.

You can configure Kerberos Authentication for Windows through Active Directory or MIT Kerberos.

Active Directory

The MapR ODBC Driver for Impala supports Active Directory Kerberos on Windows. Before you can use Active Directory Kerberos on Windows, the following prerequisites must be met:

  • MIT Kerberos is not installed on the client Windows machine.
  • The MIT Kerberos Hadoop realm has been configured to trust the Active Directory realm, so that users in the Active Directory realm can access services in the MIT Kerberos Hadoop realm.

MIT Kerberos

To use Kerberos, you must download and install MIT Kerberos for Windows 4.0.1.

Complete the following steps to use MIT Kerberos:
  1. Download MIT Kerberos for Windows 4.0.1.
  2. Run the MIT Kerberos for Windows 4.0.1 installer.
    1. To run the installer, double-click the .msi file that you downloaded.
    2. Follow the instructions in the installer to complete the installation process.
    3. When the installation completes, click Finish.
  3. Set up the Kerberos configuration file.

    Settings for Kerberos are specified through a configuration file. You can set up the configuration file as a .ini file in the default location (the C:\ProgramData\MIT\Kerberos5 directory) or as a .conf file in a custom location.

    Normally, the C:\ProgramData\MIT\Kerberos5 directory is hidden. Consult your Windows documentation if you want to view and use this hidden directory.

    Setup in the Default Location

    To set up the Kerberos configuration file in the default location, obtain the krb5.conf configuration file from your Kerberos administrator. Alternatively, you can obtain the /etc/krb5.conf configuration file on the machine that is hosting the Impala server and then complete the following steps:

    1. Rename the configuration file from krb5.conf to krb5.ini.
    2. Copy the krb5.ini file to the C:\ProgramData\MIT\Kerberos5 directory, and overwrite the empty sample file.

    Note: For more information on configuring Kerberos, consult the MIT Kerberos documentation.

    Setup in a Custom Location

    To set up the Kerberos configuration file in a custom location, obtain the krb5.conf configuration file from your Kerberos administrator. Alternatively, you can obtain the /etc/krb5.conf configuration file on the machine that is hosting the Impala server and then complete the following steps:
    1. Place the krb5.conf file in an accessible directory and make note of the full path name.
    2. Click Start, then right-click Computer, and then click Properties.
    3. Click Advanced system settings. In the System Properties dialog, click the Advanced tab, and then click Environment Variables.
    4. In the Environment Variables dialog, under the System variables list, click New.
    5. In the New System Variable dialog, in the Variable Name field, type KRB5_CONFIG.
    6. In the Variable Value field, type the absolute path to the krb5.conf file from step 1.
    7. Click OK to save the new variable.
    8. Ensure the variable is listed in the System variables list.
    9. Click OK to close the Environment Variables dialog, and then click OK to close the System Properties dialog.
  4. Set up the Kerberos credential cache file. Kerberos uses a credential cache to store and manage credentials. To set up the Kerberos credential cache file, complete the following steps:
    1. Create a directory where you want to save the Kerberos credential cache file. For example, create the following directory: C:\temp
    2. Click Start, then right-click Computer, and then click Properties.
    3. Click Advanced system settings.
    4. In the System Properties dialog, click the Advanced tab, and then click Environment Variables.
    5. In the Environment Variables dialog, under the System variables list, click New.
    6. In the New System Variable dialog, in the Variable Name field, type KRB5CCNAME.
    7. In the Variable Value field, type the path to the folder you created in step 1, and then append the file name krb5cache. For example, if you created the folder C:\temp in step 1, then type C:\temp\krb5cache.

    Note: krb5cache is a file (not a directory) that is managed by the Kerberos software, and it should not be created by the user. If you receive a permission error when you first use Kerberos, ensure that krb5cache does not already exist as a file or a directory.

    8. Click OK to save the new variable.
    9. Ensure the variable appears in the System variables list.
    10. Click OK to close the Environment Variables dialog, and then click OK to close the System Properties dialog.
    11. To ensure that Kerberos uses the new settings, restart your computer.
  5. Obtain a Ticket for a Kerberos Principal. A principal is a user or service that can authenticate to Kerberos. To authenticate to Kerberos, a principal must obtain a ticket by using a password or a keytab file. You can specify a keytab file to use, or use the default keytab file of your Kerberos configuration.

    Obtain a Ticket Using a Password

    1. Click the Start button, then click All Programs, and then click the Kerberos for Windows (64-bit) or the Kerberos for Windows (32-bit) program group.
    2. Click MIT Kerberos Ticket Manager.
    3. In the MIT Kerberos Ticket Manager, click Get Ticket.
    4. In the Get Ticket dialog, type your principal name and password, and then click OK.

    If the authentication succeeds, then your ticket information appears in the MIT Kerberos Ticket Manager.

    Obtain a Ticket Using a keytab File

    1. Click the Start button > All Programs > Accessories > Command Prompt.
    2. In the Command Prompt, type a command using the following syntax:
    kinit -k -t keytab_file principal

    keytab_file is the full path to the keytab file.

    For example:
    C:\mykeytabs\impalaserver.keytab

    principal is the Kerberos principal to use for authentication.

    For example:
     impala/impalaserver.example.com@EXAMPLE.COM

    If the cache location KRB5CCNAME is not set or not used, then use the -c option of the kinit command to specify the credential cache. In the command, the -c argument must appear last. For example:

    kinit -k -t C:\mykeytabs\impalaserver.keytab impala/fully.qualified.domain.name@your-realm.com -c C:\ProgramData\MIT\krbcache

    Note: krbcache is the Kerberos cache file, not a directory.

    Obtain a Ticket Using the Default keytab File

    Note: For instructions on configuring a default keytab file for your Kerberos configuration, consult the MIT Kerberos documentation.

    1. Click the Start button > All Programs > Accessories > Command Prompt.
    2. In the Command Prompt, type a command using the following syntax:
    kinit -k principal

    principal is the principal to use for authentication.

    For example:
     impala/impalaserver.example.com@EXAMPLE.COM

    If the cache location KRB5CCNAME is not set or not used, then use the -c option of the kinit command to specify the credential cache. In the command, the -c argument must appear last. For example:
    kinit -k impala/fully.qualified.domain.name@your-realm.com -c C:\ProgramData\MIT\krbcache

    Note: krbcache is the Kerberos cache file, not a directory.
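
A read-only PowerShell check of the settings this procedure creates, added here as an example (it is not part of the driver or of MIT Kerberos): it verifies the configuration file from step 3, applies the note that KRB5CCNAME must name a file rather than a directory, and lists access-control entries that open the credential cache or keytab to broad groups. The function name, the -KeytabPath parameter and the choice of three well-known SIDs are assumptions, and KRB5CCNAME is assumed to hold a plain file path as in the examples above.

```powershell
# Added example, not vendor code. Test-KerberosClientSetup and -KeytabPath are hypothetical names.
function Test-KerberosClientSetup {
    param([string]$KeytabPath)   # optional: the keytab passed to kinit -k -t
    $findings = @()
    $config = [Environment]::GetEnvironmentVariable('KRB5_CONFIG', 'Machine')
    $cache  = [Environment]::GetEnvironmentVariable('KRB5CCNAME', 'Machine')

    # Step 3: custom location if KRB5_CONFIG is set, otherwise the default krb5.ini.
    if (-not $config) { $config = 'C:\ProgramData\MIT\Kerberos5\krb5.ini' }
    if (-not (Test-Path -LiteralPath $config -PathType Leaf)) {
        $findings += "Configuration file not found: $config"
    } elseif ((Get-Item -LiteralPath $config -Force).Length -eq 0) {
        $findings += "Configuration file is empty (sample file not replaced?): $config"
    }

    # Step 4: KRB5CCNAME names a file that Kerberos creates inside an existing directory.
    $cacheDir = if ($cache) { Split-Path -Path $cache -Parent } else { $null }
    if (-not $cache) {
        $findings += 'KRB5CCNAME is not set: kinit needs -c <cache file> as its last argument'
    } elseif (Test-Path -LiteralPath $cache -PathType Container) {
        $findings += "KRB5CCNAME points at a directory, not a file: $cache"
    } elseif (-not $cacheDir -or -not (Test-Path -LiteralPath $cacheDir -PathType Container)) {
        $findings += "Directory for the credential cache does not exist: $cacheDir"
    }

    # Tickets and keytabs are credentials. Flag Allow entries for broad well-known
    # groups, matched by SID so the check works on localized Windows installs.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }
    foreach ($path in @($KeytabPath, $cache, $cacheDir)) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
                $findings += "$path grants $($rule.FileSystemRights) to $($broad[$sid])"
            }
        }
    }
    $findings   # an empty result means no problems were found
}

# Constructed invocation using the sample keytab path from this page.
Test-KerberosClientSetup -KeytabPath 'C:\mykeytabs\impalaserver.keytab'
```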