Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

D toc

This section describes how to enable relational connections to leverage your Hadoop Single Sign-On (SSO) infrastructure.When this feature is enabled and properly configured, users can create relational (JDBC) connections that use SSO that you have already configured. 

Connections that were created before this feature is enabled continue to operate as expected without modification.


  • For this release, this feature applies to SQL Server connections only.
  • Cross-realm is not supported. As a result, the SQL Server instance, service principal, and 
    D s item
     must be in the same Kerberos realm.



D s config

webapp.connectivity.enableSsoKerberosDelegateSet this flag to true to enable Kerberos-based SSO connections to be created for supported connection types.


Configure JAAS file and path

D s config


Path on the

D s item
to the location of the JAAS configuration file required by the DataDirect driver.


NOTE: The default location is listed below. You may wish to move this file to a location outside of the

D s item
to ensure that the file is not overwritten during upgrades.

More information on this file is provided below.

JAAS file

For connections that support Kerberos-delegated authentication, the underlying driver supports a JAAS file in which you can provide environment-specific configuration to the driver. As needed, you can modify this file. 

Connection TypeDefault path to JAAS file
SQL Server%(topOfTree)s/services/data-service/build/conf/kerberosdelegate.config 

Example JAAS file for SQL Server

Below is an example file, where you must apply the Kerberos global keytab and principal values that are to be used to authenticate to use the Kerberos-delegated connections of this type:

Code Block
trifacta_jaas_config { required
JDBC_DRIVER_01 { required debug=false


  • keytab = the absolute path on the 
    D s item
     where the Kerberos global keytab is located.
  • principal = Set to the service principal name of the user's service account in LDAP.

Specify Kerberos configuration file

On the 

D s item
, locate the following file:

Code Block

If it doesn't exist, create it with the following content, some of which you must specify:

Code Block
    default_realm = <my_default_realm>
    forwardable = true # Important that this is set!
    <my_default_realm> = {
        kdc = <kdc_domain>
    <my_domain> = <my_default_realm>

default_realmSet this value to your default Kerberos realm.
forwardableThis value must be set to true.

For each realm that you create, you must create an entry in [realms].

For the kdc entry, apply the KDC domain that the JDBC connection should use.


For each domain to which the Kerberos delegation applies, you must create an entry in [domain_realm].

Entries should look like the following:


Modify the location of the Kerberos configuration file

If you need to move the location of the file from the default one, please complete the following:


  1. If you haven't already done so, copy the file from its current location to its preferred location. 
  2. D s config
  3. Specify the path to the new location in the following parameter:

    Code Block
    "webapp.connectivity.krb5Path": "/etc/krb5.conf";

  4. Save your changes.

Local DNS configuration


D s item
 must be aware of how to map the KDC to an actual IP address. Edit the following file:

Code Block

Add an entry in the following format:

Code Block
<IP_address> <FQDN_to_KDC/AD-Server> <alias>
ParameterDescriptionIP_addressIP address of the host of the KDC/AD authentication server. IPv4 format only.
Fully qualified domain name of the KDC/AD hostaliasAlias to the host.



Example Setup

The following example uses the default Kerberos realm to set an SSO connection to a SQL Server instance. This example is intended to demonstrate one way in which you can set up your SSO connections.


  1. Create the 

    D s item
    itemservice principal

    1. Form: HTTP/serviceprincipal@REAM 
    2. Enable this flag: ok_to_auth_as_delegate 
    3. Example:

      Code Block
      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal"
      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal@REALM"

    4. For more information on delegation flags, see
  2. Generate a keytab for the 

    D s item
    itemservice principal

  3. Register the 

    D s item
    itemservice principal
     for Microsoft Sql Server instance:

    1. Enable this flag: ok_as_delegated 
    2. Example:

      Code Block
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>@REALM"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>@REALM"

    3. For more information on setting this flag, see
  4. Create a linked SQL Server account: 

    1. Account must have the same name as the end-user principal. 

    2. Account needs connect permissions at least.


NOTE: If you are using LDAP/AD SSO, you can register all of the above SPNs using AD mechanisms. You do not have to use the delegation flags. Delegation can be managed through the UI for the service account.


When you create a new connection of a supported type, you can select the Kerberos Delegate credentials type. When selected, no username or credentials are applied as part of the connection object. Instead, authentication is determined via Kerberos authentication with the cluster.


When sharing SSO connections, the credentials for the connection cannot be shared for security reasons. The Kerberos principal for the user with whom the connection is shared is applied. That user must have the appropriate permissions to access any required data through the connection. See Overview of Sharing.