Secure communication using Kerberos

Kerberos network-based authentication provides single sign-on: once a Kerberos client has authenticated to the Kerberos system, it can connect to any application that supports Kerberos authentication. Because the password is held centrally by Kerberos, the user need not supply a password to each application that supports Kerberos.

Kerberos version 5, the version supported by Adaptive Server, also provides credential delegation, also called ticket forwarding. A Kerberos client can delegate its credential when connecting to a server, which allows that server to initiate Kerberos authentication for further connections to other servers on behalf of the Kerberos client.

The credential delegation feature is currently certified only with MIT Kerberos GSSAPI libraries version 4.x and later. Clients must obtain a delegatable (forwardable) credential from the Kerberos system, using the kinit -f option on UNIX systems, before connecting to Adaptive Server; a ticket obtained without -f cannot be forwarded, so delegation fails for that session.
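As an added check, not part of the Adaptive Server documentation, the following POSIX shell script inspects MIT Kerberos klist -f output and confirms that the ticket-granting ticket carries the forwardable (F) flag before the client connects, so a missing kinit -f is caught on the client rather than as a failed delegation at the server. The klist output it parses is constructed sample data, and the server name S1 in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the Adaptive Server documentation: confirm that the
# TGT in the credential cache is forwardable (obtained with `kinit -f`) before
# connecting, since CIS credential delegation needs a forwardable ticket.
# Assumes the output layout of MIT Kerberos `klist -f`, where the flag letters
# ("F" = forwardable) appear on the line following the ticket's principal line.

# Constructed sample of `klist -f` output after `kinit -f alice@EXAMPLE.COM`.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 10:00:00  01/15/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/22/2024 10:00:00, Flags: FRIA'

# Constructed sample after a plain `kinit` (no -f): the F flag is absent.
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 10:00:00  01/15/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/22/2024 10:00:00, Flags: RIA'

# tgt_flags KLIST_OUTPUT REALM
# Prints the flag letters of the krbtgt/REALM ticket (empty if no such ticket).
tgt_flags() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        # Once the krbtgt line has been seen, the next "Flags:" line belongs to it.
        found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        index($0, "krbtgt/" realm "@" realm) > 0 { found = 1 }
    '
}

# tgt_is_forwardable KLIST_OUTPUT REALM
# Succeeds only if the TGT carries the uppercase F (forwardable) flag;
# lowercase f means "forwarded", which is a different thing.
tgt_is_forwardable() {
    case "$(tgt_flags "$1" "$2")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live use against the current cache (requires an MIT Kerberos client and a
# Kerberos-enabled Adaptive Server; "S1" is an assumed server name):
#   REALM=EXAMPLE.COM
#   kinit -f "alice@$REALM"
#   if tgt_is_forwardable "$(klist -f)" "$REALM"; then
#       isql -V -S S1          # -V selects network-based authentication
#   else
#       echo "TGT is not forwardable; re-run kinit -f" >&2; exit 1
#   fi
```

The check keys on the uppercase F flag only: klist also reports a lowercase f for tickets that were themselves forwarded, and that flag says nothing about whether the ticket can be forwarded again.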

A Kerberos client connected to Adaptive Server can use the Kerberos credential delegation feature both for Remote Procedure Calls (RPCs) to a remote Adaptive Server and for general distributed query processing requests to a remote Adaptive Server through CIS. Kerberos authentication is not supported for site-handler-based remote server connections.

To use Kerberos unified login, a System Security Officer can use the following command to enable the Kerberos security mechanism for CIS connections to a remote Adaptive Server:

sp_serveroption [server, optname, optvalue]

For example, the following command, executed on local server S1, enables Kerberos authentication for connections to remote server S2 when the currently logged-in user was authenticated with the Kerberos mechanism:

sp_serveroption s2, "security mechanism", csfkrb5