How to resolve ”The client credential cannot be delegated” error when using Kerberos authentication in TIBCO Data Virtualization?

How to resolve ”The client credential cannot be delegated” error when using Kerberos authentication in TIBCO Data Virtualization?

book

Article ID: KB0073621

calendar_today

Updated On:

Products Versions
TIBCO Data Virtualization All supported versions

Description

The TIBCO Data Virtualization (TDV) Oracle Adapter Guide refers to enabling "Pass-through Login" to use Kerberos tokens in the data source connection properties to connect to the Oracle DB from the TDV Studio. This setting is applicable only when the TDV is configured with Kerberos authentication.
Pass-through Login

It is not applicable whether or not the Oracle DB uses Kerberos authentication. Enabling this parameter might throw  " The client credential cannot be delegated" error if the Service Principal used in the ticket does not have the "OK-AS-DELEGATE" flag.

ERROR 2021-03-22 15:59:07.611 -0400 Utility -
com.compositesw.cdms.webapi.WebapiException: Unable to connect to data source "/shared/CustomerRepo/OracleSource/ORACLE_CACHE" at
    "**.*****.net:****@**UAT***" with the supplied connection information.
    [datasrc-3961050]
Cause: The client credential cannot be delegated
     com.compositesw.cdms.datasource.DataSourceException: The client credential cannot be delegated
 

Issue/Introduction

The TIBCO Data Virtualization Oracle Adapter Guide refers to enabling "Pass-through Login" to use Kerberos tokens. This setting is required ONLY when the TIBCO Data Virtualization (TDV) is configured to use the Kerberos authentication mechanism.

Environment

All environments

Resolution

To resolve the issue, the "Pass-through Login" setting must be disabled as shown here in the data source's connection properties.

The Pass-through Login setting is disabled.

Additional Information

https://docs.tibco.com/pub/tdv/8.4.0/doc/pdf/TIB_tdv_8.4.0_AdapterGuide_Oracle.pdf#page=24
Powered by Wolken Software