
Kerberos Cross Realm Authentication

You can configure an Informatica domain to use Kerberos cross realm authentication. Kerberos cross realm authentication enables Informatica clients that belong to one Kerberos realm to authenticate with nodes and application services that belong to another Kerberos realm.
When you configure a domain to use Kerberos cross realm authentication, you add properties for each Kerberos realm to the Kerberos configuration file. You also include the name of each realm when you run infasetup commands to enable Kerberos authentication in the domain and on domain nodes.
The Active Directory servers that the domain uses for Kerberos cross realm authentication must belong to the same Active Directory forest. An Active Directory forest is a group of Active Directory domains that share a common global catalog, directory schema, logical structure, and directory configuration. You connect to the global catalog to import users from the Active Directory servers into LDAP security domains.
To use Kerberos cross realm authentication, two-way trust must be enabled between the Active Directory servers in the forest.

Converting a Domain From Kerberos Single Realm Authentication to Kerberos Cross Realm Authentication

You can convert an Informatica domain that uses a single Kerberos realm to authenticate users to use Kerberos cross realm authentication.
You must upgrade the domain to version 10.2 HotFix 2 before you convert the domain to use Kerberos cross realm authentication.
You must also import user and group accounts from the Active Directory global catalog into an LDAP security domain. When you import accounts, existing accounts in the LDAP security domain, which use the sAMAccountName attribute, are deleted and replaced with new accounts that use the user principal name attribute.
Users log in to Informatica clients with the fully qualified user principal name, which is in the following format:
<user name>@<KERBEROS REALM NAME>
After you import the user and group accounts, assign privileges, roles, and permissions to the accounts.
    1. Upgrade the domain to version 10.2 HotFix 2.
    2. Add the required properties for each Kerberos realm to the Kerberos configuration file.
    Set the properties for each realm in the krb5.conf configuration file on each node in the domain. Restart the domain after you update the file on all of the nodes in the domain.
    For more information about configuring the krb5.conf configuration file for Kerberos cross realm authentication, see Configure the Kerberos Configuration File.
    3. Copy the updated krb5.conf file to the following directory on each computer that hosts an Informatica client:
    <Informatica installation directory>\clients\shared\security
    4. Run the infasetup UpdateGatewayNode and infasetup UpdateWorkerNode commands on the domain nodes.
    Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
    For more information about running the infasetup commands, see the "infasetup Command Reference" chapter in the Informatica 10.2 HotFix 2 Command Reference.
    5. Run the infasetup UpdateKerberosConfig command on a gateway node within the domain.
    Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
    6. Run the infasetup UpdateKerberosAdminUser command on a gateway node within the domain.
    Specify the fully qualified user principal name for the domain administrator user account.
    7. Import user and group accounts into LDAP security domains.
    Connect to the Active Directory global catalog. When you connect to the global catalog, you import users from the Active Directory server used by each Kerberos realm.
    For more information about connecting to the global catalog and importing accounts, see Import User Accounts from Active Directory into LDAP Security Domains.
    8. Assign privileges, roles, and permissions to the user and group accounts you imported into an LDAP security domain.
    For more information about assigning privileges and roles, see Privileges and Roles.
    For more information about assigning permissions, see Permissions.
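Before running the infasetup commands in steps 4 and 5, it is worth confirming that every realm you intend to pass in the -srn and -urn options actually has a [realms] entry and a [domain_realm] mapping in the krb5.conf copied to the nodes. The following Python check is an added example, not Informatica's code; the realm names and KDC hostnames are constructed placeholders, and the parser is a minimal one that handles the single level of braces used in [realms] and [capaths].

```python
# Constructed sample: two realms in one forest; hostnames are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[realms]
    CORP.EXAMPLE.COM = {
        kdc = kdc1.corp.example.com
    }
    PARTNER.EXAMPLE.COM = {
        kdc = kdc1.partner.example.com
    }
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .partner.example.com = PARTNER.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {key: value}}}.
    One level of braces is enough for [realms] and [capaths]."""
    sections, current, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                          # start of a realm block
                block = current.setdefault(key, {})
            else:
                (block if block is not None else current)[key] = value
    return sections

def check_realms(conf_text, realm_arg):
    """Verify every realm named in a -srn/-urn value (comma separated) has a
    [realms] entry with a kdc and a [domain_realm] mapping. Returns problems."""
    conf = parse_krb5_conf(conf_text)
    realms = conf.get("realms", {})
    mapped = set(conf.get("domain_realm", {}).values())
    problems = []
    for realm in (r.strip() for r in realm_arg.split(",")):
        entry = realms.get(realm)
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append(f"{realm}: no [realms] entry with a kdc")
        if realm not in mapped:
            problems.append(f"{realm}: no [domain_realm] mapping")
    return problems
```

Run check_realms against the real krb5.conf text and the exact comma-separated value you plan to pass to -srn and -urn; an empty list means every realm is covered on that node.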