After the external agent authenticates the user, it passes the username to the directory for authorization of user privileges, based on mappings to the matching directory username.
Observe the following when using Single Sign-on logons with directory authorization:
- If the logon is from a Windows .NET-enabled client, users cannot use the default KRB5 authentication mechanism and must instead specify the SPNEGO mechanism.
- The authentication mechanism must be configured as follows:
  - The AuthorizationSupported property for the authenticating mechanism must be set to yes. The KRB5 and SPNEGO mechanisms are set to no by default and must be reconfigured to yes to support directory authorization.
  - All supporting mechanisms contain required LDAP properties and values, which you must configure. See Option 3: Non-LDAP External Authentication with Directory Authorization.
- The logon username must match a username in the authorizing directory and the matching directory user must be mapped to one or more Teradata Database objects. See Provisioning Directory Users with Teradata Schema Extensions and Using Native Directory Schema to Provision Directory Users.