Troubleshooting the Service Principal Names and Keytab Files

You can use Kerberos utilities to verify that the service principal and keytab file names created by the Kerberos administrator match the service principal and keytab file names that you requested. You can also use the utilities to determine the status of the Kerberos key distribution center (KDC).
You can use Kerberos utilities such as setspn, kinit, and klist to view and verify the SPNs and keytab files. To use the utilities, ensure that the KRB5_CONFIG environment variable contains the path and file name of the Kerberos configuration file.
The following examples show ways to use the Kerberos utilities to verify that SPNs and keytab files are valid. The examples might differ from the way that the Kerberos administrator uses the utilities to create the SPNs and keytab files required for the Informatica domain. For more information about running the Kerberos utilities, see the Kerberos documentation.
Use the following utilities to verify the SPNs and keytab files:
klist
You can use klist to list the Kerberos principals and keys in a keytab file. To list the keys in the keytab file and the time stamp of each keytab entry, run the following command:
klist -k -t <keytab_file>
The following output example shows the principals in a keytab file:
Keytab name: FILE:int_srvc01.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
kinit
You can use kinit to request a ticket-granting ticket for a user account and so verify that the KDC is running and can grant tickets. To request a ticket-granting ticket for a user account, run the following command:
kinit <user_account>
You can also use kinit to request a ticket-granting ticket with a keytab file and so verify that the keytab file can be used to establish a Kerberos connection. To request a ticket-granting ticket for an SPN, run the following command:
kinit -V -k -t <keytab_file> <SPN>
The following output example shows the ticket-granting ticket created in the default cache for the specified keytab file and SPN:
Using default cache: /tmp/krb5cc_10000073
Using principal: int_srvc01/node01_vMPE/Domn96_vMPE@REALM
Using keytab: int_srvc01.keytab
Authenticated to Kerberos v5
setspn
You can use setspn to view, modify, or delete the SPN of an Active Directory service account. On the machine that hosts the Active Directory service, open a command line window and run the command.
To view the SPNs that are associated with a user account, run the following command:
setspn -L <user_account>
The following output example shows the SPN associated with the user account is96svc:
Registered ServicePrincipalNames for CN=is96svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp:
        int_srvc01/node02_vMPE/Domn96_vMPE
To view the user accounts associated with an SPN, run the following command:
setspn -Q <SPN>
The following output example shows the user account associated with the SPN int_srvc01/node02_vMPE/Domn96_vMPE:
Checking domain DC=ds,DC=intrac0rp,DC=zec0rp
CN=is96svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp
        int_srvc01/node02_vMPE/Domn96_vMPE
Existing SPN found!
To search for duplicate SPNs, run the following command:
setspn -X
The following output example shows multiple user accounts associated with one SPN:
Checking domain DC=ds,DC=intrac0rp,DC=zec0rp
Processing entry 1125
HOST/mtb01.REALM is registered on these accounts:
        CN=Team1svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp
        CN=MTB1svc,OU=IIS,OU=WPC960K3,OU=WINServers,DC=ds,DC=intrac0rp,DC=zec0rp
Searching for duplicate SPNs can take a long time and a large amount of memory.
kdestroy
You can use kdestroy to delete the active Kerberos tickets and the user credentials cache that contains them. If you run kdestroy without parameters, you delete the default credentials cache.
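As an added example that is not part of the Informatica documentation: the Python below parses the klist -k -t and setspn -X output formats shown above, so that the presence of the expected SPN in a keytab and any duplicate SPN registrations can be checked by a script rather than by eye. The sample outputs are constructed from the documentation examples; feed the real utilities' output to the same functions.

```python
import re
from collections import defaultdict

# Constructed sample output of `klist -k -t`; the names mirror the documentation example.
SAMPLE_KLIST = """\
Keytab name: FILE:int_srvc01.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
   3 12/31/69 19:00:00 int_srvc01/node01_vMPE/Domn96_vMPE@REALM
"""

# Constructed sample output of `setspn -X` showing one SPN registered on two accounts.
SAMPLE_SETSPN_X = """\
Checking domain DC=ds,DC=intrac0rp,DC=zec0rp
Processing entry 1125
HOST/mtb01.REALM is registered on these accounts:
\tCN=Team1svc,OU=AllSvcAccts,OU=People,DC=ds,DC=intrac0rp,DC=zec0rp
\tCN=MTB1svc,OU=IIS,OU=WPC960K3,OU=WINServers,DC=ds,DC=intrac0rp,DC=zec0rp
"""

# One keytab entry: KVNO, a two-token timestamp, then principal@REALM.
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+@\S+)\s*$")

def parse_keytab_listing(text):
    """Map each principal in klist -k -t output to the set of KVNOs stored for it."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def missing_spns(text, expected_spns):
    """Return the expected SPNs (principal@REALM) that the keytab does not contain."""
    return sorted(set(expected_spns) - parse_keytab_listing(text).keys())

def duplicate_spns(text):
    """Map each SPN that setspn -X reports as duplicated to the accounts that hold it."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.endswith("is registered on these accounts:"):
            current = line[: -len(" is registered on these accounts:")].strip()
            groups[current] = []
        elif current and line.strip().upper().startswith("CN="):
            groups[current].append(line.strip())
        else:
            current = None
    return groups
```

A non-empty result from missing_spns or duplicate_spns is the condition to raise with the Kerberos or Active Directory administrator before configuring the Informatica domain.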


Updated April 29, 2019