
Step 6. Create the Service Principal Names and Keytab Files


After you generate the list of SPN and keytab file names in the format required by Informatica, send a request to the Kerberos administrator to add the SPNs to the Kerberos principal database and create the keytab files.
Use the following guidelines when you create the SPN and keytab files:
The user principal name (UPN) must be the same as the SPN.
When you create a user account for the service principal, you must set the UPN with the same name as the SPN. The application services in the Informatica domain can act as a service or a client depending on the operation. You must configure the service principal to be identifiable by the same UPN and SPN.
A user account must be associated with only one SPN. Do not set multiple SPNs for one user account.
Enable delegation in Microsoft Active Directory.
You must enable delegation for all user accounts with service principals used in the Informatica domain. In Microsoft Active Directory, set the "Trust this user for delegation to any service (Kerberos only)" option for each user account for which you set an SPN.
Delegated authentication happens when a user is authenticated with one service and that service uses the credentials of the authenticated user to connect to another service. Because services in the Informatica domain need to connect to other services to complete an operation, the Informatica domain requires the delegation option to be enabled in Microsoft Active Directory.
For example, when a PowerCenter client connects to the PowerCenter Repository Service, the client user account is authenticated with the PowerCenter Repository Service principal. When the PowerCenter Repository Service connects to the PowerCenter Integration Service, the PowerCenter Repository Service principal can use the client user credential to authenticate with the PowerCenter Integration Service. There is no need for the client user account to also authenticate with the PowerCenter Integration Service.
Use the ktpass utility to create the service principal keytab files.
Microsoft Active Directory supplies the ktpass utility to create keytab files. Informatica supports Kerberos authentication only on Microsoft Active Directory and has certified only keytab files that are created with ktpass.
The keytab files for a node must be available on the machine that hosts the node. By default, the keytab files are stored in the following directory: <INFA_HOME>/isp/config/keys.
When you receive the keytab files from the Kerberos administrator, copy the keytab files to the directory specified for the keytab files used in the Informatica domain.
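The following PowerShell script is an added example and is not part of the Informatica Security Guide or any Informatica-supplied tooling. It walks through the three guidelines above for one service principal on a Microsoft Active Directory domain controller (creating an account whose UPN is the SPN, enabling Kerberos-only delegation, and generating the keytab with ktpass) and then audits the account so that drift (a second SPN added later, delegation turned off) can be caught. The realm, SPN, account name and keytab file name in angle brackets are placeholders for the values generated in Step 5; writing the UPN as <SPN>@<REALM> and the AES256 key type are assumptions, not requirements stated on this page. The script must be run with Domain Admin rights on a machine that has the ActiveDirectory RSAT module.

```powershell
# Added example (not from the Informatica Security Guide): provision one
# service principal per the three guidelines above, then audit the result.
# Run as a Domain Admin on a machine with the ActiveDirectory RSAT module.
# Every value in angle brackets is a placeholder for a value from Step 5.
Import-Module ActiveDirectory

$Realm    = "<KERBEROS-REALM>"                 # assumption: the AD domain name in upper case
$Spn      = "<SPN-FROM-STEP-5>"                # the SPN generated in Step 5
$SamName  = "<SERVICE-ACCOUNT-NAME>"           # sAMAccountName for the new service account
$Keytab   = "C:\keytabs\<KEYTAB-FILE-NAME>"    # keytab file name generated in Step 5
$Password = Read-Host -Prompt "Password for $SamName" -AsSecureString

# Guideline 1: one account per SPN, and the UPN is the same name as the SPN.
# The UPN is written here as <SPN>@<REALM>; that exact form is an assumption.
New-ADUser -Name $SamName -SamAccountName $SamName `
    -UserPrincipalName "$Spn@$Realm" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
# Exactly one SPN on this account; never add a second one here.
Set-ADUser -Identity $SamName -ServicePrincipalNames @{ Add = $Spn }

# Guideline 2: "Trust this user for delegation to any service (Kerberos only)".
Set-ADUser -Identity $SamName -TrustedForDelegation $true

# Guideline 3: create the keytab with ktpass. ktpass needs the clear-text
# password, so it is unwrapped only for this call and discarded afterwards.
$PlainPwd = [System.Net.NetworkCredential]::new("", $Password).Password
ktpass /out $Keytab /princ "$Spn@$Realm" /mapuser "$SamName@$Realm" `
       /pass $PlainPwd /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
$PlainPwd = $null

# Audit: report whether an account still meets all three guidelines. Run it
# right after creation and periodically, so that a second SPN or disabled
# delegation is noticed before the Informatica services fail to authenticate.
function Test-ServicePrincipalAccount {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity `
        -Properties ServicePrincipalName, UserPrincipalName, TrustedForDelegation
    $spns = @($u.ServicePrincipalName)
    $singleSpn = ($spns.Count -eq 1)
    # The UPN matches when it is the SPN itself or the SPN with a realm suffix.
    $upnOk = $singleSpn -and (
        ($u.UserPrincipalName -ieq $spns[0]) -or
        ($u.UserPrincipalName -ilike "$($spns[0])@*"))
    $delegation = [bool]$u.TrustedForDelegation
    [pscustomobject]@{
        Account           = $u.SamAccountName
        SpnCount          = $spns.Count
        UpnMatchesSpn     = [bool]$upnOk
        DelegationEnabled = $delegation
        Compliant         = ($singleSpn -and [bool]$upnOk -and $delegation)
    }
}

Test-ServicePrincipalAccount -Identity $SamName | Format-List
```

Copy the resulting keytab to the node's keytab directory (by default <INFA_HOME>/isp/config/keys) as described above. The audit function can be pointed at every service account used by the domain; any row with Compliant set to False identifies an account that violates one of the three guidelines.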


Updated April 29, 2019