Converting a Domain From Kerberos Single Realm Authentication to Kerberos Cross Realm Authentication
You can convert an Informatica domain that uses a single Kerberos realm to authenticate users to use Kerberos cross realm authentication.
You must upgrade the domain to version 10.2 HotFix 2 before you convert the domain to use Kerberos cross realm authentication.
You must also import user and group accounts from the Active Directory global catalog into an LDAP security domain. When you import accounts, existing accounts in the LDAP security domain, which use the sAMAccountName attribute, are deleted and are replaced with new accounts that use the user principal name attribute.
Users log in to Informatica clients with the fully qualified user principal name, which is in the following format:
<user name>@<KERBEROS REALM NAME>
After you import the user and group accounts, assign privileges, roles, and permissions to the accounts.
1. Upgrade the domain to version 10.2 HotFix 2.
2. Add the required properties for each Kerberos realm to the Kerberos configuration file.
   Set the properties for each realm in the krb5.conf configuration file on each node in the domain. Restart the domain after you update the file on all of the nodes in the domain.
3. Run the infasetup UpdateGatewayNode and infasetup UpdateWorkerNode commands on the domain nodes.
   Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
   For more information about running the infasetup commands, see the "infasetup Command Reference" chapter in the Informatica 10.2 HotFix 2 Command Reference.
4. Run the UpdateKerberosConfig command on a gateway node within the domain.
   Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
5. Run the UpdateKerberosAdminUser command on a gateway node within the domain.
   Specify the fully qualified user principal name for the domain administrator user account.
6. Import user and group accounts into LDAP security domains.
   Connect to the Active Directory global catalog. When you connect to the global catalog, you import users from the Active Directory server used by each Kerberos realm.
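Steps 2 through 4 above depend on the same list of realm names being consistent in two places: the [realms] section of krb5.conf on every node, and the comma-separated -srn and -urn values passed to infasetup. A realm that is named on the command line but missing from krb5.conf is a common cause of a domain that fails to start after the restart. The following script is an added example, not part of this documentation or of Informatica's own tooling: it writes a constructed two-realm krb5.conf (realm names, KDC host names and the temp file path are all made up for the example) and provides a check_realms function that confirms every realm in an -srn/-urn style list is defined under [realms] before you run infasetup on that node.

```sh
#!/bin/sh
# Added example, not Informatica's own tooling. Pre-flight check that every
# Kerberos realm you intend to pass to "infasetup ... -srn/-urn" is actually
# defined in the [realms] section of the krb5.conf on this node.
# Realm names, KDC host names and file paths below are constructed.

# Write a constructed cross-realm krb5.conf to the path given as $1.
# The keys used (default_realm, kdc, admin_server, [domain_realm]) are
# standard MIT Kerberos settings; the values are example data only.
write_sample_conf() {
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false
    forwardable = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = kdc1.corp.example.com
        admin_server = kdc1.corp.example.com
    }
    DATA.EXAMPLE.COM = {
        kdc = kdc1.data.example.com
        admin_server = kdc1.data.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .data.example.com = DATA.EXAMPLE.COM
EOF
}

# check_realms <krb5.conf path> <comma-separated realm list>
# Returns 0 when every realm in the list has a "REALM = {" entry under
# [realms]; otherwise prints the missing realms to stderr and returns 1.
check_realms() {
  conf="$1"
  realm_list="$2"
  missing=""

  # Collect realm names defined under [realms]: lines of the form "NAME = {".
  # Any other section header ends the [realms] block.
  defined=$(awk '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
    in_realms && /=[[:space:]]*\{/ {
      sub(/[[:space:]]*=.*/, ""); gsub(/^[[:space:]]+/, ""); print
    }
  ' "$conf")

  # Split the list on commas only, so names keep any stray spaces for trimming.
  old_ifs=$IFS
  IFS=,
  set -- $realm_list
  IFS=$old_ifs

  for realm in "$@"; do
    realm=$(printf '%s' "$realm" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -n "$realm" ] || continue
    found=0
    for d in $defined; do
      [ "$d" = "$realm" ] && found=1
    done
    [ "$found" -eq 1 ] || missing="$missing $realm"
  done

  if [ -n "$missing" ]; then
    echo "realms missing from [realms] in $conf:$missing" >&2
    return 1
  fi
  return 0
}

# Demonstration on the constructed file: one matching list, one with a typo.
sample=$(mktemp)
write_sample_conf "$sample"
check_realms "$sample" "CORP.EXAMPLE.COM,DATA.EXAMPLE.COM" \
  && echo "all realms defined; safe to pass this list to -srn/-urn"
check_realms "$sample" "CORP.EXAMPLE.COM,DAT.EXAMPLE.COM" \
  || echo "fix krb5.conf on this node before running infasetup"
rm -f "$sample"
```

In practice you would run check_realms against /etc/krb5.conf (or wherever your nodes keep the file) with the exact string you plan to pass to -srn and -urn, on every gateway and worker node, since the documentation requires the file to be updated on all nodes before the restart.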