Table of Contents

Search

  1. Preface
  2. Introduction to Big Data Management Administration
  3. Authentication
  4. Running Mappings on a Cluster with Kerberos Authentication
  5. Authorization
  6. Cluster Configuration
  7. Cloud Provisioning Configuration
  8. Data Integration Service Processing
  9. Connections
  10. Multiple Blaze Instances on a Cluster
  11. Monitoring REST API

Big Data Management Administrator Guide

Big Data Management Administrator Guide

Step 4. Create the Principal Name and Keytab Files in the Active Directory Server

Step 4. Create the Principal Name and Keytab Files in the Active Directory Server

Create an SPN in the KDC database for Microsoft Active Directory service that matches the user name of the user that runs the Data Integration Service. Create a keytab file for the SPN on the machine on which the KDC server runs. Then, copy the keytab file to the machine on which the Data Integration Service runs.
You do not need to use the Informatica Kerberos SPN Format Generator to generate a list of SPNs and keytab file names. You can create your own SPN and keytab file name.
To create an SPN and Keytab file in the Active Directory server, complete the following steps:
Create a user in the Microsoft Active Directory Service.
Login to the machine on which the Microsoft Active Directory Service runs and create a user with the same name as the user you created in Step 3. Create Matching Operating System Profile Names.
Create an SPN associated with the user.
Use the following guidelines when you create the SPN and keytab files:
  • The user principal name (UPN) must be the same as the SPN.
  • Enable delegation in Microsoft Active Directory.
  • Use the ktpass utility to create an SPN associated with the user and generate the keytab file.
    For example, enter the following command:
    ktpass -out infa_hadoop.keytab -mapuser joe -pass tempBG@2008 -princ joe/domain12345@INFA-AD-REALM -crypto all
    The
    -out
    parameter specifies the name and path of the keytab file. The
    -mapuser
    parameter is the user to which the SPN is associated. The
    -pass
    parameter is the password for the SPN in the generated keytab. The
    -princ
    parameter is the SPN.
  • Use the ktutil utility to generate the keytab file for an Azure HDInsight cluster that uses Enterprise Security Package and ADLS storage.
    For example, enter the following command:
    sshuser@hn0-hivesc:/tmp/keytabs$ ktutil ktutil: addent -password -p alice -k 1 -e RC4-HMAC Password for alice@SECUREHADOOPRC.ONMICROSOFT.COM; ktutil: wkt /tmp/keytabs/alice.keytab ktutil: q

0 COMMENTS

We’d like to hear from you!