Authentication Method - Teradata Database

Database Introduction

Product: Teradata Database
Release Number: 15.00
Language: English (United States)
Last Update: 2018-09-25
dita:id: B035-1091
lifecycle: previous
Product Category: Teradata® Database

To identify the method by which they will be authenticated, users must choose a security mechanism as part of the logon string. Security mechanisms also contain configurable properties for customizing user authentication and authorization. If a mechanism is not specified in the logon string, the system will use the default mechanism.

Two categories of authentication are available:

  • Teradata Database authentication
  • External authentication
Teradata Database Authentication

Authentication by Teradata Database requires that the user and its privileges be defined in the database. Teradata Database authentication requires use of the TD2 mechanism, which is the default. Unless another mechanism has been set as the default, TD2 need not be specified at logon.

External Authentication

External authentication allows Teradata Database users to be authenticated by an agent running on the same network as Teradata Database and its clients.

External authentication is dependent upon two elements:

  • The authenticating agent indicated by the security mechanism specified in the logon.
  • The logon type, which determines how user credentials are submitted.

The following table shows the different types of external authentication logons.

Sign-on without resubmitting user credentials

Type: Single Sign-on
Description: Users are authenticated in the client domain. Subsequent logons to Teradata Database do not require them to resubmit a username and password.
Requirements:
  • The username employed to log on to the client domain must match the Teradata Database username.
  • The logon must specify a mechanism that corresponds to the authenticating application (Kerberos, NTLM, or SPNEGO) or it must be the default mechanism.
  • The logon must specify the tdpid of the database, and optional account string information.

Sign-on with user credentials

Type: Directory Sign-on
Description: The user is authenticated by the directory.
Requirements:
  • The user must log on with a directory username.
  • The logon must specify the LDAP mechanism.

Type: Sign-on As
Description: The user logs on to Teradata Database with a username and password recognizable by the client domain.
Requirements:
  • The username must be defined in the database.
  • The user must select a mechanism that corresponds to the authenticating application (Kerberos, LDAP, NTLM, or SPNEGO) or it must be the default mechanism.

For complete information on configuring external authentication and the mechanisms that support it, see Security Administration.
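The requirements above can be turned into a pre-logon check that reports which logon type a client request falls under and which requirement it misses. This is an added example, not Teradata code: `Logon`, `check_logon`, the account sets and the sample values are hypothetical, and treating an LDAP logon whose username is in the directory as Directory Sign-on (otherwise Sign-on As) is an assumption made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Mechanism names as the page spells them; compared case-insensitively (assumption).
SSO_MECHS = {"KERBEROS", "NTLM", "SPNEGO"}
SIGN_ON_AS_MECHS = SSO_MECHS | {"LDAP"}

@dataclass
class Logon:  # hypothetical record of one logon attempt
    tdpid: str
    mechanism: Optional[str] = None    # None: not given in the logon string
    username: Optional[str] = None     # None: no credentials resubmitted
    domain_user: Optional[str] = None  # name used to log on to the client domain

def check_logon(logon, db_users, directory_users, default_mech="TD2"):
    """Return (effective mechanism, logon type, unmet requirements)."""
    mech = (logon.mechanism or default_mech).upper()
    problems = []
    if mech == "TD2":
        kind = "Teradata Database authentication"
        if logon.username not in db_users:
            problems.append("user is not defined in the database")
    elif logon.username is None:
        kind = "Single Sign-on"
        if mech not in SSO_MECHS:
            problems.append(f"{mech} is not a Single Sign-on mechanism")
        if logon.domain_user not in db_users:
            problems.append("client domain username does not match a database username")
        if not logon.tdpid:
            problems.append("tdpid not specified")
    elif mech == "LDAP" and logon.username in directory_users:
        kind = "Directory Sign-on"
    else:
        kind = "Sign-on As"
        if mech not in SIGN_ON_AS_MECHS:
            problems.append(f"{mech} is not a Sign-on As mechanism")
        if logon.username not in db_users:
            problems.append("username is not defined in the database")
    return mech, kind, problems

if __name__ == "__main__":
    db, directory = {"alice", "bob"}, {"carol"}  # constructed sample accounts
    for attempt in (
        Logon("tdprod", "Kerberos", domain_user="alice"),
        Logon("tdprod", domain_user="alice"),  # mechanism omitted: default applies
        Logon("tdprod", "LDAP", username="carol"),
        Logon("tdprod", "NTLM", username="dave"),
    ):
        print(attempt, "->", check_logon(attempt, db, directory))
```

The second sample shows the case worth checking in client configurations: a single sign-on client that omits the mechanism is evaluated against the system default (TD2 unless changed) rather than the external agent.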