3 Replies Latest reply on Feb 28, 2017 1:54 PM by gregor

    I want to connect to my database on Pi Server using Kerberos authentication in java.

    Devashree

      I want to connect to my database on Pi Server using Kerberos authentication in Java. Can anyone help integrate this in Java?

        • Re: I want to connect to my database on Pi Server using Kerberos authentication in java.
          gregor

          Hello Devashree,

           

          Is your Java client machine a member of the same domain, or of a domain with a trust relationship to the domain your PI Web API host belongs to?

            • Re: I want to connect to my database on Pi Server using Kerberos authentication in java.
              Devashree

              Our PI Web API host belongs to a different domain, sharing a public IP with us. We, as an HTTP client, are connecting to it through that public IP and the given credentials. As it's using Kerberos as the authentication type, we need to develop a Java HTTP client program using Kerberos to access the data.

              Currently we need a KDC (Key Distribution Center), Active Directory, etc. to work with Kerberos, but we are unable to execute. Can you please help us to know if there is any other way to connect to the PI server using Kerberos and to get the data without the interference of a KDC?

                • Re: I want to connect to my database on Pi Server using Kerberos authentication in java.
                  gregor

                  Hello Devashree,

                   

                  I am a little confused because, to my best knowledge, a machine can only be a member of a single domain. To work across multiple domains, there needs to be a trust relationship between domain controllers. My understanding is that this trust relationship doesn't have to be mutual, but the KDC instance would have to trust the domain the PI Web API host belongs to. This is also under the assumption that other resources like the PI AF Server and PI Data Archive host belong to the same domain as the PI Web API host, because these are the final instances you would want to authenticate against with Kerberos Delegation - delegated authentication over multiple hops.

                   

                  Based on your reply, I am also uncertain whether your HTTP client is a member of one of the domains or if it lives in a different network. What I understand is that there's some complexity, and I know that it is not trivial to set up Kerberos in a distributed environment with multiple domains.

                   

                  Kerberos is based on tickets and the KDC plays a central role in that game. As a very basic requirement, the client needs a Ticket Granting Ticket issued by the KDC. Without being able to get tickets from the KDC, Kerberos is not an option. You can still use username and password for the authentication, but this is what is referred to as Basic authentication. PI Web API supports Kerberos, Basic and Anonymous authentication.
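
The KDC dependency described in the last reply, as an added Java example that is not code from anyone in this thread: it asks JGSS for an SPNEGO token for the web service and sends it in a `Negotiate` header, and the token request fails with a `GSSException` when no Ticket Granting Ticket can be obtained. The host name `piwebapi.example.com` and the `/piwebapi/` path are assumptions, and a Kerberos configuration (krb5.conf or the `java.security.krb5.realm` / `java.security.krb5.kdc` properties) is assumed to be present on the client.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Base64;
import org.ietf.jgss.*;

public class NegotiateProbe {
    // Builds the initial SPNEGO token for the service principal HTTP/<host>.
    // JGSS must hold or obtain a TGT from the KDC to do this; otherwise it throws.
    static String spnegoToken(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext context = manager.createContext(
                service, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            byte[] token = context.initSecContext(new byte[0], 0, 0);
            return Base64.getEncoder().encodeToString(token);
        } finally {
            context.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: hypothetical DNS name. The service ticket is requested by
        // host name, so a bare public IP address will not match a service principal.
        String host = args.length > 0 ? args[0] : "piwebapi.example.com";
        // Use the existing ticket cache (OS logon or kinit) rather than a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        String token;
        try {
            token = spnegoToken(host);
        } catch (GSSException e) {
            // No reachable KDC or no trust path to the service's realm ends up here.
            System.err.println("Kerberos not available: " + e.getMessage());
            System.err.println("Remaining option from the thread: Basic authentication.");
            return;
        }
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://" + host + "/piwebapi/"))
                .header("Authorization", "Negotiate " + token)
                .GET()
                .build();
        HttpResponse<Void> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding());
        System.out.println("HTTP status: " + response.statusCode());
        // On a 401 this lists the schemes the server is offering (e.g. Negotiate, Basic).
        System.out.println("WWW-Authenticate: " + response.headers().allValues("WWW-Authenticate"));
    }
}
```

If Basic authentication is used instead, the username and password travel in every request, so the connection should be HTTPS with the server certificate validated.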