17.10 - Diagnosing Logon Failure Due to Incorrect Realm Information - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

Directory users may receive the generic error message, “SSO logon failed by gateway.” This message is often related to entry of (or defaulting to) an invalid directory server realm name.

To help diagnose the problem, you can run the same tdsbind -u input shown in Example: Tdsbind Output for a Directory User Mapped to a Database User. If the command produces the following error message, the LdapServerRealm property in the TDGSS user configuration file contains an invalid realm name.

tds_bind: Directory error - Invalid Credentials
additional info: SASL(-1): generic failure: realm changed: authentication aborted

You can correct this error by editing the value of the LdapServerRealm property. See LdapServerRealm [Deprecated].

Once the value of LdapServerRealm is correct, run tdgsstestcfg to verify the configuration, then run run_tdgssconfig to update the TDGSSCONFIG GDO. If run_tdgssconfig indicates to do so, run tpareset, which restarts the server and enables the change. If you cannot restart the server, instruct users to enter the correct realm information as part of the logon string. See Logging on Using LDAP Authentication and Authorization.
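The first line of the error above ("Invalid Credentials") does not by itself point to the realm; the "additional info" line does. The following script is an added example, not part of the Teradata documentation or tooling: it triages captured tdsbind output and prints the follow-up steps from this page. The function names, verdict labels and the two samples marked as constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage captured tdsbind output for the realm error described above.

# Output quoted on this page for an invalid LdapServerRealm value.
SAMPLE_REALM='tds_bind: Directory error - Invalid Credentials
additional info: SASL(-1): generic failure: realm changed: authentication aborted'

# Constructed sample: same first line, but without the SASL realm detail.
SAMPLE_OTHER='tds_bind: Directory error - Invalid Credentials'

# Constructed sample: output that contains no tds_bind error line at all.
SAMPLE_CLEAN='(constructed placeholder for tdsbind output without an error)'

# Read tdsbind output on stdin and print exactly one verdict.
classify_tdsbind() {
    out=$(cat)
    # Test the "additional info" text first: the first line alone is ambiguous.
    if printf '%s\n' "$out" | grep -q 'realm changed: authentication aborted'; then
        echo realm-mismatch
    elif printf '%s\n' "$out" | grep -q '^tds_bind: Directory error'; then
        echo bind-error
    else
        echo no-error
    fi
}

# Print the next steps for a verdict, following the procedure on this page.
advise() {
    case "$1" in
        realm-mismatch)
            echo "Correct LdapServerRealm in the TDGSS user configuration file, then:"
            echo "  1. run tdgsstestcfg to verify the configuration"
            echo "  2. run run_tdgssconfig to update the TDGSSCONFIG GDO"
            echo "  3. run tpareset only if run_tdgssconfig indicates to do so" ;;
        bind-error)
            echo "Directory error without the realm diagnostic; the realm diagnosis on this page does not apply." ;;
        *)
            echo "No tds_bind error found in this output." ;;
    esac
}

for sample in "$SAMPLE_REALM" "$SAMPLE_OTHER" "$SAMPLE_CLEAN"; do
    verdict=$(printf '%s\n' "$sample" | classify_tdsbind)
    echo "== $verdict"
    advise "$verdict"
done
```

To use it on a real system, save the output of the tdsbind -u run to a file and feed that file to classify_tdsbind on standard input.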