16.10 - Kerberos Authentication with Database Authorization - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K
  • Verify that the KRB5 mechanism is enabled on all clients that use Kerberos authentication and on all database systems to which they connect.
  • The client from which the user logs on must be running Windows, Linux, or a supported TTU UNIX client (except IBM z/OS clients), and the system must be set up as shown in Working with Kerberos Authentication.
  • Either set the Kerberos authentication mechanism to be used (KRB5 or SPNEGO) as the client default, or have the user specify it at logon.
  • The database and Kerberos clients must be set up as shown in Working with Kerberos Authentication.
  • DBS Control and Gateway Control must be set to allow external authentication. See About External Authentication Controls.
  • All users authenticated by Kerberos must have LOGON WITH NULL PASSWORD privileges defined in each database to which they can log on. See Working with User Privileges in the Database.
  • The domain username used at initial logon to the network must match a Teradata Database username. For acceptable logon username forms, see Logging on Using Single Sign-on.
  • For Kerberos-authenticated users logging on through Unity, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers (B035-2523) and Teradata Unity User Guide (B035-2520).