
Kerberos Delegation

Kerberos delegation enables a Kerberos service to impersonate a Kerberos client user and obtain a service ticket for another service on behalf of that user.
The services in an Informatica domain need to connect to other services to complete an operation. They do this through delegated authentication: when a user is authenticated by a service, that service uses the user's identity to authenticate to the next service. For example, when a pmcmd user accesses the PowerCenter Integration Service, the Integration Service acts as the pmcmd user to authenticate with the PowerCenter Repository Service.

Types of Kerberos Delegation

When you use delegated authentication, you can choose one of the following types of delegation:
Full delegation
Full delegation is the original implementation of Kerberos delegation. In this delegation method, a client forwards its Ticket Granting Ticket (TGT) to a service after Kerberos authentication. The service then holds the client's TGT and can use it to obtain service tickets to any other service in the realm as that client. This type of delegation is not considered secure because an administrator cannot restrict which services the server may access with the client identity; a compromised service can act as every user that authenticated to it. Full delegation is also known as unconstrained delegation.
Resource-based constrained delegation
With resource-based constrained delegation, administrators restrict how services can use the client identity. In this delegation method, the client does not forward its TGT to the server. Instead, the account of the service being accessed (the resource) lists the accounts that are allowed to delegate to it, in its PrincipalsAllowedToDelegateToAccount attribute. The KDC issues a delegated service ticket only if the requesting service is on that list.
Constrained delegation uses Kerberos protocol extensions called Service for User (S4U) that allow a service to obtain a Kerberos service ticket on behalf of a user.
Note: You cannot use both constrained delegation and full delegation in a single Informatica domain. Configure the domain to use either full delegation or constrained delegation.

Service for User (S4U) Extension

Service for User (S4U) extensions allow a service to obtain a Kerberos service ticket on behalf of a user. There are two S4U extensions:
S4U2Self
Allows a service to obtain a service ticket to itself on behalf of a user, without the user's password or TGT, so that the service can identify and authorize the user.
S4U2Proxy
Allows a service to use a service ticket presented by a user, or obtained through S4U2Self, to request a service ticket to another service on that user's behalf. With resource-based constrained delegation, the KDC grants the request only if the requesting service appears in the PrincipalsAllowedToDelegateToAccount attribute of the account that owns the other service.
For more information on the S4U extensions, see the Microsoft documentation.

Enable Resource-based Constrained Delegation with S4U2Self

Make sure that the libdefaults section of the krb5.conf file sets forwardable to true.
You can configure resource-based constrained delegation only through PowerShell commands. Run PowerShell as a user with the privileges required to modify the properties of the Active Directory accounts involved, preferably a domain administrator.
To enable resource-based constrained delegation with S4U2Self, perform the following steps for every Informatica keytab account in Active Directory:
    1. Right-click the user account and select Properties.
    The Properties dialog box appears.
    2. On the Delegation tab, select Do not trust this user for delegation.
    3. Click Apply.
    4. Run the following commands to set the PrincipalsAllowedToDelegateToAccount attribute on the target server account. Resolve each intermediate server account first, then pass the resulting objects to Set-ADUser:
    $IntermediateService1 = Get-ADUser -Identity <first intermediate server account's samAccountName>
    $IntermediateService2 = Get-ADUser -Identity <second intermediate server account's samAccountName>
    Set-ADUser -Identity <target server account's samAccountName> -PrincipalsAllowedToDelegateToAccount $IntermediateService1, $IntermediateService2
    Note: Use comma-separated values to add multiple accounts to the PrincipalsAllowedToDelegateToAccount attribute. The command replaces the entire attribute value, so list every intermediate account that must delegate to the target, not only the account you are adding.
    5. If you want to clear the PrincipalsAllowedToDelegateToAccount attribute, run the following command:
    Set-ADUser -Identity <target server account's samAccountName> -PrincipalsAllowedToDelegateToAccount $null
    6. To view the existing principals in the PrincipalsAllowedToDelegateToAccount list, run the following commands:
    $FormatEnumerationLimit = -1
    Get-ADUser -Identity <target server account's samAccountName> -Properties PrincipalsAllowedToDelegateToAccount
    Note: By default, PowerShell shows only the first four values of a list-valued property in formatted output. Setting $FormatEnumerationLimit to -1 shows the complete list of principals.
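The following script is an added example, not part of the Informatica documentation or product, that carries out steps 4 and 6 above for one target account and then checks the result. It assumes the ActiveDirectory PowerShell module is available and uses hypothetical account names (svc_infa_repo, svc_infa_is, svc_infa_node) that you would replace with your own keytab accounts' samAccountNames.

```powershell
# Added example, not Informatica's own code: grant resource-based constrained
# delegation on one Informatica keytab account and verify exactly what was written.
# Account names are hypothetical placeholders; substitute your own samAccountNames.
Import-Module ActiveDirectory

# The "target" is the back-end service whose account decides who may delegate to it
# (for example the Repository Service). The "intermediates" are the front-end
# services that receive the user's ticket and must act on the user's behalf.
$TargetAccount        = 'svc_infa_repo'
$IntermediateAccounts = @('svc_infa_is', 'svc_infa_node')

# 1. Resolve every intermediate account up front. Get-ADUser throws if a name is
#    wrong, so a typo fails here instead of silently granting nothing.
$principals = @(foreach ($name in $IntermediateAccounts) { Get-ADUser -Identity $name })

# 2. Write the list. -PrincipalsAllowedToDelegateToAccount replaces the whole
#    attribute, so pass every intermediate that needs access, not only the new one.
Set-ADUser -Identity $TargetAccount -PrincipalsAllowedToDelegateToAccount $principals

# 3. Read it back two ways. PrincipalsAllowedToDelegateToAccount is the decoded view
#    of the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor; inspecting
#    the raw ACL confirms that nothing else was left in it.
$global:FormatEnumerationLimit = -1   # only matters when the list is shown as a property of a formatted object
$target = Get-ADUser -Identity $TargetAccount `
    -Properties PrincipalsAllowedToDelegateToAccount, 'msDS-AllowedToActOnBehalfOfOtherIdentity'

Write-Host "Principals allowed to delegate to $($TargetAccount):"
$target.PrincipalsAllowedToDelegateToAccount

Write-Host "ACEs in msDS-AllowedToActOnBehalfOfOtherIdentity:"
$target.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. Fail loudly if the decoded list differs from what was requested, for example
#    because a stale principal survived or the write was rejected without an error.
$expected = @($principals.DistinguishedName | Sort-Object)
$actual   = @($target.PrincipalsAllowedToDelegateToAccount | Sort-Object)
if ($actual.Count -ne $expected.Count -or
    (Compare-Object -ReferenceObject $expected -DifferenceObject $actual)) {
    throw "PrincipalsAllowedToDelegateToAccount on $TargetAccount does not match the requested list"
}
```

Run the script as a user who can modify the target account; the comparison at the end is the check worth keeping in any change procedure, because a delegation grant that silently includes an extra principal is exactly the kind of misconfiguration an attacker who controls that principal can use to impersonate users to the target service.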

Enable Full Delegation for the Kerberos Principal User Accounts in Active Directory

Create the keytab files using the ktpass command.
To use full delegation, you must enable delegation for all of the accounts you created, except for the LDAP bind user account that you use to access and search Active Directory during LDAP synchronization. Every account you enable this way can obtain tickets to any service in the realm as any user that authenticates to it, so keep the set of enabled accounts as small as possible.
To enable full delegation, perform the following steps for each user account:
    1. Right-click the user account and select Properties.
    The Properties dialog box appears.
    2. On the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
    3. Click Apply.
    Full delegation is enabled.

Switch from Full Delegation to Constrained Delegation

If you are using full delegation and want to switch to constrained delegation, perform the following steps:
    1. Shut down the Informatica domain.
    2. Enable resource-based constrained delegation with S4U2Self for the existing Active Directory user accounts associated with the keytab files, as described above. The first steps of that procedure set each account back to Do not trust this user for delegation, which removes the full delegation trust; the remaining steps grant the constrained trust through the PrincipalsAllowedToDelegateToAccount attribute.
    3. Start up the Informatica domain.
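The following script is an added example, not part of the Informatica documentation, for step 2 of the switch: it clears the full delegation flag on a list of keytab accounts in bulk and then reports any other account in the directory that still carries it, which is the check a practitioner wants before declaring that the environment no longer relies on unconstrained delegation. It assumes the ActiveDirectory PowerShell module and uses a hypothetical account list that you would replace with your own.

```powershell
# Added example, not Informatica's own code: clear unconstrained ("full")
# delegation on the Informatica keytab accounts and audit what else still has it.
Import-Module ActiveDirectory

# Hypothetical list of keytab accounts; take it from your own inventory in practice.
$KeytabAccounts = @('svc_infa_node', 'svc_infa_is', 'svc_infa_repo', 'svc_infa_http')

# "Trust this user for delegation to any service (Kerberos only)" sets the
# TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) in userAccountControl. The LDAP
# bitwise-AND matching rule finds every user account that still carries the bit.
$UacTrustedForDelegation = 524288
$ldap = "(userAccountControl:1.2.840.113556.1.4.803:=$UacTrustedForDelegation)"

foreach ($acct in $KeytabAccounts) {
    $u = Get-ADUser -Identity $acct -Properties TrustedForDelegation
    if (-not $u.TrustedForDelegation) {
        Write-Host "$acct : full delegation not set, nothing to do"
        continue
    }
    # Equivalent of selecting "Do not trust this user for delegation" on the Delegation tab.
    Set-ADAccountControl -Identity $u -TrustedForDelegation $false
    Write-Host "$acct : cleared TRUSTED_FOR_DELEGATION"
}

# Anything the filter still returns was not on the list: either a keytab account
# that was forgotten, or an unrelated service account that should be reviewed
# before you rely on delegation being constrained anywhere in this domain.
$leftover = @(Get-ADUser -LDAPFilter $ldap |
    Where-Object { $KeytabAccounts -notcontains $_.SamAccountName })
if ($leftover.Count -gt 0) {
    Write-Warning "Accounts still trusted for unconstrained delegation:"
    $leftover | Select-Object SamAccountName, DistinguishedName
}
```

Run it while the Informatica domain is shut down, then continue with the PrincipalsAllowedToDelegateToAccount configuration for each target account. Clearing the flag and granting the constrained trust are independent writes to different attributes, so an account can end up with both or neither if either step is skipped.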