Kerberos Authentication failing to DB Connector Node for Hana Connection

I’m having trouble getting Kerberos authentication to pass through to the ‘DB Connector’ Node for Hana Connection.

I have already authenticated in preference → Kerberos → using krb5.conf

I’m able to make a connection to the DB using the Username & Password authentication. If I manually input my credentials within the node I’m able to connect, but not with Kerberos

Working scenario without Kerberos :
jdbc:sap://:

Not Working scenario when selecting Kerberos :
jdbc:sap://:&authenticationMethod=Kerberos&kerberosspn=HTTP/sspnname@domain

Could any one help please ?


2

I saw this blog, but no luck.
Passing Kerberos Authentication to DB Connector Node - KNIME Analytics Platform - KNIME Community Forum

Can support help here please ?
I am using the version 4.6.0 and having this issue. Previous version is properly working with Kerberos.

Hello @Param,
can you please send the Kerberos Log file in “Debug” mode? You can change the setting here:


Can you also please switch on the JDBC Logger? You can do that in the “Advanced” tab in the DB Connector node:

Best regards
Jörg

Hi @JoergWas , Thanks for your response.

I got this location and attached is the log file. Please review and advise.

/.metadata/knime/knime.log.
knime.log (3.6 KB)

Hi @Param, we are currently setting up a test environment to replicate the issue. I will keep you updated here!

Hello @Param ,

the error indicates a problem with the JDBC driver. Can you please make sure that you have registered the SAP HANA JDBC driver (ngdbc.jar). It should look something like this:

Once the driver is registered you do not need to specify any additional Kerberos parameters in the Database URL e.g. jdbc:sap://<db_host_name>:39015 simply make sure to select Kerberos as authentication method and you are good to go.

The post you are linking to is using a different driver which requires other settings for Kerberos authentication.

Bye
Tobias

@tobias.koetter

We have already tried as you mentioned above. that is without kerberos parameter in the url.

We have pointed to correct jdbc driver, (latest SAP Driver). Also, we are able to login with user name and password option, only kerberos is failing. Screenshot for reference.


thanks , awaiting your response…

Hi @Param ,
I was finally able to reproduce your problem. KNIME Analytics Platform comes with Java 17 which has deprecated several weak encryption types. This is the reason why no no service ticket can be acquired resulting in the problem you reported.

To solve the problem you can either change your infrastructure to adopt stronger ciphers or add the following line to libdefaults section of the krb5.conf file that is used by your KNIME Analytics Platform:

allow_weak_crypto = true

which will enable the weak encryption types. An example krb5.conf file with the line could look like this:

[libdefaults]
    allow_weak_crypto = true
    forwardable = true
    default_realm = ADDEMO.LOCAL
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
 ADDEMO.LOCAL = {
  kdc = testadsrv.addemo.local
 }

Bye
Tobias

5 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.