Kerberos on Windows, single-sign-on?

Hi,
We are using KNIME on Windows desktops, and for some database connections we need to use Kerberos to connect. Right now we are logging in to Kerberos with the user-name and password setup.

We’d like to have KNIME pick up the Kerberos ticket which we already get when we sign in to our machines, like it will do if we try to connect with corresponding ODBC clients.
The documentation seems to state that this is “discouraged” and “a security risk”.

Can someone please elaborate a bit more on that?
And what are best practices if we want to do single sign-on on Windows with Kerberos like we get on most other clients in our working environment?

Thanks in advance,
Daniel

Hi @DanSah

> We’d like to have KNIME pick up the Kerberos ticket which we already get when we sign in to our machines, like it will do if we try to connect with corresponding ODBC clients.
> The documentation seems to state that this is “discouraged” and “a security risk”.

I just did some research; this is not true anymore. We should verify whether this is still the case and probably need to update our documentation.

Technical background: The Kerberos ticket obtained during Windows login is only accessible through certain Windows APIs. KNIME is built on Java, and older Java versions made use of an outdated Windows API to retrieve the ticket. It was necessary to set a Windows registry key to read the full ticket through that API. Setting this key is deemed a security risk and hence discouraged.

However: KNIME Analytics Platform 4.5 contains Java 11.0.10, which has been enhanced to use a newer Windows API (called SSPI) to access the Kerberos ticket. The description of the Java enhancement seems to indicate that this should “just work” now. We have not tested this yet, so for now we cannot guarantee that this works properly in KNIME!

For reference, this is the Java enhancement:

Best,
Björn


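A standalone way to check the point made in the reply above, outside KNIME: whether a given Java runtime ships the SSPI bridge and can obtain the Windows logon credential through it. This is an added example, not code from KNIME or from the posters. The class name `SspiPreflight` is hypothetical, the two system properties are the JDK's own switches for native GSS-API, and nothing here configures KNIME itself.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Standalone preflight check (hypothetical class name); needs Java 10+ to compile. */
public class SspiPreflight {

    /**
     * True for runtimes that bundle the SSPI bridge: 11.0.10 or later on the
     * Java 11 line (the version named in the post), or Java 13 and later.
     */
    static boolean hasSspiBridge(Runtime.Version v) {
        if (v.feature() >= 13) return true;
        return v.feature() == 11 && (v.interim() > 0 || v.update() >= 10);
    }

    public static void main(String[] args) {
        Runtime.Version v = Runtime.version();
        String os = System.getProperty("os.name", "");
        System.out.println("Java runtime: " + v + " on " + os);

        if (!os.startsWith("Windows") || !hasSspiBridge(v)) {
            System.out.println("This runtime has no bundled SSPI bridge; nothing to test.");
            return;
        }

        // Both properties must be set before the first GSS-API call in this JVM.
        // The first selects the native GSS-API library (the SSPI bridge on Windows);
        // the second lets GSS-API use credentials held by the operating system.
        System.setProperty("sun.security.jgss.native", "true");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        try {
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            // A null name asks for the default principal, i.e. the logged-on user.
            GSSCredential cred = GSSManager.getInstance().createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            System.out.println("Logon-session credential: " + cred.getName());
            System.out.println("Remaining lifetime (s): " + cred.getRemainingLifetime());
            cred.dispose();
        } catch (GSSException e) {
            // Reached when the session has no Kerberos credential or the bridge cannot load.
            System.out.println("No usable credential via SSPI: " + e.getMessage());
        }
    }
}
```

If this prints the domain principal without the registry key mentioned above being set, the runtime's SSPI path works on that machine, and any remaining failure lies in how the application passes these settings to its own JVM.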
Thanks for the investigation Björn!
I did look through all the resources and it seems like it should be doable, but I can’t get the magic to work unfortunately.

If someone else is able to get it to work, please let me know 🙂
