16.10 - TDNEGO Compatibility Requirements - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

To be used, TDNEGO is required on both the client and Teradata Database servers. For CLI, ODBC, and JDBC clients, the database servers must run Teradata Database 15.10 or higher and the clients must run TTU 15.10 or higher. For Windows .NET clients, the servers must run Teradata Database 15.10 or higher and the clients must run TTU 16.0 or higher.

SPNEGO is configured on Teradata Database 16.0 as a TDNEGO negotiated mechanism, but it is not configured on Teradata Database 15.10. Windows .NET 16.0 or higher clients can use TD2 or LDAP as TDNEGO negotiated mechanisms to access the database. If Windows .NET 16.0 or higher clients want to use SPNEGO as a TDNEGO negotiated mechanism to access Teradata Database 15.10, SPNEGO must first be configured on the database server. To configure this, see Changing the Configuration on Teradata Database Nodes.

A single non-negotiating default mechanism (DefaultMechanism) and a single negotiating default mechanism (DefaultNegotiatingMechanism) can be defined at the server (TDGSS).

There are negotiating mechanisms and negotiated mechanisms. The former are mechanisms that negotiate to pick the best mechanism to use (TDNEGO). The latter are the mechanisms that are available to be offered for negotiation (TD2, ldap, and KRB5). Negotiating mechanisms have the NegotiationSupported mechanism property set to yes.

The default settings are as follows:

  • TDGSS - TD2 is the non-negotiating default mechanism and no negotiating default mechanism is defined at the server

The user has the option of doing any of the following:

  • Change the non-negotiating default mechanism for TDGSS
  • Define a negotiating default mechanism for TDGSS

The client always initiates the creation of a security context and there are three ways that a mechanism can be specified:

  • Client explicitly requests the mechanism (at the user's request or by software design)
  • Client uses the default mechanism set at the client (if any)
  • Client uses the default mechanism set at the server

If both client and server support negotiation, but no common negotiating mechanism exists between them, the existing DefaultMechanism property is used to select a default mechanism.
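The following Python model is an added illustration, not Teradata code, of the rules stated above: the version prerequisites for TDNEGO, the three ways a mechanism can be specified (taken in the order listed: explicit request, client default, server default), and the fallback to DefaultMechanism when both sides support negotiation but share no negotiating mechanism. The `Side` class, the function names, the scenario configurations and the server preference orders are constructed for the example; the assumption that the server's preference order defines the "best" negotiated mechanism is the model's, not the document's.

```python
from dataclasses import dataclass, field
from typing import Optional

# Minimum versions stated in the text, as (major, minor) tuples.
MIN_DB_VERSION = (15, 10)
MIN_TTU_VERSION = {"CLI": (15, 10), "ODBC": (15, 10), "JDBC": (15, 10), "NET": (16, 0)}


def parse_version(text: str) -> tuple:
    """'16.10' -> (16, 10). Only major.minor are compared here."""
    parts = text.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)


def tdnego_usable(client_type: str, ttu_version: str, db_version: str) -> bool:
    """TDNEGO needs both a new-enough Teradata Database and a new-enough TTU
    client; the client minimum depends on the client type."""
    if client_type not in MIN_TTU_VERSION:
        raise ValueError(f"unknown client type: {client_type!r}")
    return (parse_version(db_version) >= MIN_DB_VERSION
            and parse_version(ttu_version) >= MIN_TTU_VERSION[client_type])


@dataclass
class Side:
    """Mechanism configuration of one party (client or server TDGSS); constructed.

    negotiating: mechanisms whose NegotiationSupported property is yes (TDNEGO)
    negotiated:  mechanisms that may be offered inside a negotiation, in
                 preference order (TD2, ldap, KRB5, SPNEGO)
    default_mechanism / default_negotiating: the DefaultMechanism and
                 DefaultNegotiatingMechanism settings (None = not defined)
    """
    negotiating: set = field(default_factory=set)
    negotiated: list = field(default_factory=list)
    default_mechanism: Optional[str] = None
    default_negotiating: Optional[str] = None


def select_mechanism(client: Side, server: Side, requested: Optional[str] = None) -> str:
    """Apply the three ways a mechanism can be specified, in the order the text
    lists them: explicit request, client default, server default."""
    if requested:                                  # way 1: explicit request
        return requested
    if client.negotiating and server.negotiating:  # both sides support negotiation
        common = client.negotiating & server.negotiating
        for candidate in (client.default_negotiating, server.default_negotiating):
            if candidate in common:                # way 2, then way 3, negotiating default
                return candidate
        # Both support negotiation but share no usable negotiating mechanism:
        # fall back to DefaultMechanism, as the text states.
    chosen = client.default_mechanism or server.default_mechanism  # way 2, then way 3
    if chosen is None:
        raise RuntimeError("no DefaultMechanism defined on client or server")
    return chosen


def negotiated_mechanism(client: Side, server: Side, selected: str) -> str:
    """If the selected mechanism is a negotiating one, resolve it to the best
    negotiated mechanism both sides offer (assumption: the server's preference
    order defines 'best'). A non-negotiating mechanism is returned unchanged."""
    if selected not in server.negotiating:
        return selected
    for mech in server.negotiated:
        if mech in client.negotiated:
            return mech
    raise RuntimeError(f"{selected}: no negotiated mechanism common to both sides")


# Constructed scenarios.
# Shipped defaults from the text: TD2 is the non-negotiating default and no
# negotiating default is defined, so TDNEGO is present but never picked.
SHIPPED_SERVER = Side({"TDNEGO"}, ["TD2", "ldap", "KRB5"], default_mechanism="TD2")
PLAIN_CLIENT = Side({"TDNEGO"}, ["TD2", "ldap"])

# Server where the administrator defined TDNEGO as DefaultNegotiatingMechanism,
# offering KRB5 first (constructed preference order).
NEGOTIATING_SERVER = Side({"TDNEGO"}, ["KRB5", "ldap", "TD2"],
                          default_mechanism="TD2", default_negotiating="TDNEGO")

# Windows .NET client that offers SPNEGO, talking to a server on which SPNEGO
# is not configured (the 15.10 case in the text): negotiation falls to TD2.
DOTNET_CLIENT = Side({"TDNEGO"}, ["SPNEGO", "TD2"])


def run_scenarios() -> dict:
    """Return the mechanism actually used in each constructed scenario."""
    out = {}
    s = select_mechanism(PLAIN_CLIENT, SHIPPED_SERVER)
    out["shipped_defaults"] = negotiated_mechanism(PLAIN_CLIENT, SHIPPED_SERVER, s)
    s = select_mechanism(PLAIN_CLIENT, NEGOTIATING_SERVER)
    out["server_negotiating_default"] = negotiated_mechanism(PLAIN_CLIENT, NEGOTIATING_SERVER, s)
    s = select_mechanism(DOTNET_CLIENT, NEGOTIATING_SERVER)
    out["dotnet_without_spnego_on_server"] = negotiated_mechanism(DOTNET_CLIENT, NEGOTIATING_SERVER, s)
    s = select_mechanism(PLAIN_CLIENT, NEGOTIATING_SERVER, requested="ldap")
    out["explicit_request"] = negotiated_mechanism(PLAIN_CLIENT, NEGOTIATING_SERVER, s)
    return out


if __name__ == "__main__":
    for name, mech in run_scenarios().items():
        print(f"{name}: {mech}")
```

Running the block prints one line per scenario. The shipped configuration ends in TD2 even though TDNEGO is configured on both sides, which is the practical reason the text directs administrators to define a negotiating default on the server rather than on each client.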

A best practice is to modify the configuration on the servers and not modify the configuration on the clients. If configuration is required on the client, an optional Teradata GSS Administrative Package may be installed on the client and configuration may be performed. For more information, see Teradata GSS Administrative Package.