16.10 - Kerberos External Authentication with Directory Authorization (Single Sign-on) - Teradata Database

Teradata Database Security Administration

Teradata Database
Release Number
Release Date
June 2017
Content Type
Publication ID
English (United States)
  1. A directory-based user logs on with a domain username, and is authenticated by Kerberos (KRB5 or SPNEGO mechanism). The user can then access any applications and data that support Kerberos authentication, including Teradata Database.
  2. The user connects to Teradata Database without resubmitting logon credentials, although the connection to the database must specify the database name (tdpid) and the security mechanism that corresponds to the authenticating agent if it is not set as the default. See Using Single Sign-on with Directory Authorization.
  3. The directory authorizes database privileges to the user based on:
Users that use this logon method must be defined to Kerberos, and must have an entry in the directory that TDGSS can find using an <Identity Map> or <Identity Search>.