
Kerberos Authentication

Caché provides several Kerberos authentication options. Which options are available depends on the Access Mode you are using: Client Server and CSP provide one set of options, and the Local access mode provides a different set.

The following graphic shows the Kerberos authentication options for Client Server and CSP services. Note that Kerberos authentication must be enabled system-wide. You can do this on the Authentication/CSP Session Options page.

[Figure: Kerberos authentication options for Client Server and CSP services]

Notice that there are three different Kerberos options for Client Server and CSP services:

  • Kerberos: Authentication only. Also known as Kerberos clear. After authentication, messages are not encrypted and the authenticity of their origin is not verified.

  • Kerberos with Packet Integrity: In addition to authentication, it verifies the authenticity of the origin of subsequent messages. It also verifies that messages have not been altered in transit.

  • Kerberos with Encryption: Provides authentication, verifies the authenticity and integrity of subsequent messages, and encrypts all messages between the user and Caché.

The following graphic shows the Kerberos authentication options for Local services:

[Figure: Kerberos authentication options for Local services]

Notice that there are two different Kerberos options for Local services:

  • Kerberos: User is prompted for user name and password.

  • Kerberos with Credentials Cache: Kerberos credentials are retrieved from a credentials cache.

When using a Local service, Caché and the user share a process, so there is no need to encrypt messages or verify their authenticity.

Note:

For more information on Caché support for Kerberos including configuration information, read Configuring for Kerberos Authentication in the Authentication section of the Caché Security Administration Guide.