16.20 - Kerberos Authentication with Database Authorization - Teradata Database - Teradata Vantage NewSQL Engine

Teradata Vantage™ NewSQL Engine Security Administration

Teradata Database
Teradata Vantage NewSQL Engine
Release Number
Release Date
March 2019
Content Type
Publication ID
English (United States)
  • Verify that the KRB5 mechanism is enabled on all clients that use Kerberos authentication and on all database systems to which they connect.
  • The client from which the user logs on must be running Windows, Linux, or supported TTU UNIX clients (except IBM z/OS clients) and the system must be setup as shown in Working with Kerberos Authentication.
  • Set the Kerberos authentication mechanism to be used (KRB5 or SPNEGO) as the client default, or the user must specify it at logon.
  • The database and Kerberos clients must be set up as shown in Working with Kerberos Authentication.
  • DBS Control and Gateway Control must be set to allow external authentication. See About External Authentication Controls.
  • All users authenticated by Kerberos must have LOGON WITH NULL PASSWORD privileges defined in each database to which they can log on. See Working with User Privileges in the Database.
  • The domain username used at initial logon to the network must match a Teradata Database username. For acceptable logon username forms, see Logging on Using Single Sign-on with Kerberos.
  • For Kerberos authenticated users logging on through Unity, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520.