Seamless Kerberos connection on Windows
About this task
- Renew the TGT before its renewable time.
- Regenerate the token before expiry.
- Requires MIT Kerberos to be installed and configured.
- Keytab file is already present for the said principal.
- The following environment variables are set:
  - TGT_EXPIRY_DAYS: number of days after which this TGT will expire, and can no longer be renewed (specify value in days)
  - TGT_RENEWAL_HOURS: number of hours within which this TGT needs to be renewed (specify value in hours)
  - KRB5CCNAME: path to the cache file
  - KEYTAB_FILE_PATH: path to keytab file for this principal
- From the command line, run "where kinit". The result should point to MIT Kerberos. For example:
  C:\Kerbores\Campaign\bin>where kinit
  C:\Program Files\MIT\Kerberos\bin\kinit.exe
- Copy the Keytab file to the Campaign System for the principal you want to authenticate.
Procedure
- Make sure the prerequisites are satisfied.
- Then run the following: <campaign_home>/bin/unica_kerbKeyGenRenew.bat <principal>
  For example: unica_kerbKeyGenRenew.bat impala/quickstart.cloudera@CLOUDERA
- The script starts running and does the following:
- Generate the TGT.
- Check every 1 minute for renewal and regeneration of the TGT.
- Using the values in TGT_EXPIRY_DAYS and TGT_RENEWAL_HOURS, keep checking for renewal or expiry.
- Before the renewal time, renew the TGT. Before the expiry time, regenerate the TGT.
Note:
- The TGT_RENEWAL_HOURS and TGT_EXPIRY_DAYS values need to be the same as the Kerberos server configuration. Contact the Kerberos administrator to get the values.
- By default, the script sets 24 hours for TGT renewal and 7 days for TGT expiry.
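The renew-or-regenerate decision described above, sketched as an added Python example; it is not the code of unica_kerbKeyGenRenew.bat, whose internals this page does not show. The 2-minute safety margin and all function names are assumptions; the 1-minute check and the 24-hour / 7-day defaults come from the page.

```python
import os
from datetime import timedelta

CHECK_INTERVAL = timedelta(minutes=1)  # from the page: check every 1 minute
DEFAULT_RENEWAL_HOURS = 24             # from the page: script default
DEFAULT_EXPIRY_DAYS = 7                # from the page: script default
MARGIN = 2 * CHECK_INTERVAL            # assumption: act two checks early


def load_lifetimes(env=os.environ):
    """Read both lifetimes from the environment, falling back to the defaults."""
    renewal = timedelta(hours=float(env.get("TGT_RENEWAL_HOURS", DEFAULT_RENEWAL_HOURS)))
    expiry = timedelta(days=float(env.get("TGT_EXPIRY_DAYS", DEFAULT_EXPIRY_DAYS)))
    if renewal <= MARGIN or expiry < renewal:
        raise ValueError("TGT_RENEWAL_HOURS must exceed the margin and not exceed TGT_EXPIRY_DAYS")
    return renewal, expiry


def next_action(now, generated_at, refreshed_at, renewal, expiry):
    """Decide what one pass of the loop does.

    generated_at: when the TGT was last obtained from the keytab
    refreshed_at: when the TGT was last obtained or renewed
    """
    if now + MARGIN >= generated_at + expiry:
        return "regenerate"  # renewable period almost over: new TGT from the keytab
    if now + MARGIN >= refreshed_at + renewal:
        return "renew"       # ticket lifetime almost over: renew the existing TGT
    return "wait"


def simulate(start, duration, renewal, expiry):
    """Run the loop on a virtual clock; return (offset from start, action) events."""
    generated_at = refreshed_at = now = start
    events = []
    while now <= start + duration:
        action = next_action(now, generated_at, refreshed_at, renewal, expiry)
        if action == "regenerate":
            generated_at = refreshed_at = now
        elif action == "renew":
            refreshed_at = now
        if action != "wait":
            events.append((now - start, action))
        now += CHECK_INTERVAL
    return events
```

If the two values are larger than what the Kerberos server actually grants, a loop like this waits too long and the ticket lapses before the next renewal, which is why the values must match the server configuration.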
Possible errors:
1. Usage
2. Principal is incorrect
3. Keytab file is not present for the Principal
4. One or more of the prerequisites is not set
5. Keytab file is not valid