Kerberos Authentication failing to DB Connector Node for Hana Connection

Param · July 26, 2022, 1:54pm

I’m having trouble getting Kerberos authentication to pass through to the ‘DB Connector’ Node for Hana Connection.

I have already authenticated in preference → Kerberos → using krb5.conf

I’m able to make a connection to the DB using the Username & Password authentication. If I manually input my credentials within the node I’m able to connect, but not with Kerberos

Working scenario without Kerberos :
jdbc:sap://:

Not Working scenario when selecting Kerberos :
jdbc:sap://:&authenticationMethod=Kerberos&kerberosspn=HTTP/sspnname@domain

Could any one help please ?

I saw this blog, but no luck.
Passing Kerberos Authentication to DB Connector Node - KNIME Analytics Platform - KNIME Community Forum

Param · July 29, 2022, 9:11am

Can support help here please ?
I am using the version 4.6.0 and having this issue. Previous version is properly working with Kerberos.

JoergWas · August 1, 2022, 2:27pm

Hello @Param,
can you please send the Kerberos Log file in “Debug” mode? You can change the setting here:

Can you also please switch on the JDBC Logger? You can do that in the “Advanced” tab in the DB Connector node:

Best regards
Jörg

Param · August 1, 2022, 3:19pm

Hi @JoergWas , Thanks for your response.

I got this location and attached is the log file. Please review and advise.

/.metadata/knime/knime.log.
knime.log (3.6 KB)

JoergWas · August 2, 2022, 9:18am

Hi @Param, we are currently setting up a test environment to replicate the issue. I will keep you updated here!

tobias.koetter · August 2, 2022, 3:27pm

Hello @Param ,

the error indicates a problem with the JDBC driver. Can you please make sure that you have registered the SAP HANA JDBC driver (ngdbc.jar). It should look something like this:

Once the driver is registered you do not need to specify any additional Kerberos parameters in the Database URL e.g. jdbc:sap://<db_host_name>:39015 simply make sure to select Kerberos as authentication method and you are good to go.

The post you are linking to is using a different driver which requires other settings for Kerberos authentication.

Bye
Tobias

Param · August 2, 2022, 4:18pm

@tobias.koetter

We have already tried as you mentioned above. that is without kerberos parameter in the url.

We have pointed to correct jdbc driver, (latest SAP Driver). Also, we are able to login with user name and password option, only kerberos is failing. Screenshot for reference.

Param · August 3, 2022, 5:43am

thanks , awaiting your response…

tobias.koetter · August 3, 2022, 1:54pm

Hi @Param ,
I was finally able to reproduce your problem. KNIME Analytics Platform comes with Java 17 which has deprecated several weak encryption types. This is the reason why no no service ticket can be acquired resulting in the problem you reported.

To solve the problem you can either change your infrastructure to adopt stronger ciphers or add the following line to libdefaults section of the krb5.conf file that is used by your KNIME Analytics Platform:

allow_weak_crypto = true

which will enable the weak encryption types. An example krb5.conf file with the line could look like this:

[libdefaults]
    allow_weak_crypto = true
    forwardable = true
    default_realm = ADDEMO.LOCAL
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
 ADDEMO.LOCAL = {
  kdc = testadsrv.addemo.local
 }

Bye
Tobias

system · August 11, 2022, 11:47am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.