Use Kerberos Authentication and Kerberos Delegation

To authenticate user access to a MATLAB® Production Server™ instance, you need to configure Kerberos. To delegate a client’s credential to a next-hop web server or database server that is protected by Kerberos, you need to configure Kerberos delegation. Configuring Kerberos and Kerberos delegation requires domain administrator privileges.

  • You can use Kerberos authentication and Kerberos delegation with MATLAB Production Server instances running on Windows Server® operating systems with a Windows® Key Distribution Center (KDC).

  • You can use only Kerberos authentication with MATLAB Production Server instances running on Linux® operating systems. For Linux server instances, you can use a Windows KDC or the Linux-based MIT Kerberos 5 KDC.

To configure Kerberos authentication and Kerberos delegation, consult your IT or system administrator.

Kerberos Authentication and Kerberos Delegation Setup on Windows Systems

Configure Kerberos Authentication

  • Set up a service account for the MATLAB Production Server and register a service principal name for the MATLAB Production Server service instance.

  • Enable Kerberos in the MATLAB Production Server configuration file (main_config). For more information, see http-authentication-method.

Configure Kerberos Delegation

  • Set up a service account for the MATLAB Production Server and register a service principal name for the MATLAB Production Server service instance.

  • Configure constrained delegation without protocol transition for the service account.

  • Configure the local security privilege for the MATLAB Production Server service account.

  • Enable Kerberos authentication and Kerberos delegation in the MATLAB Production Server configuration file (main_config). For more information, see http-authentication-method and client-credential-delegation.

Only the following MATLAB functions within a deployable archive (CTF file) support using Kerberos delegation:

Note

If you use persistent database connections when using Kerberos delegation on a MATLAB Production Server instance that uses Database Toolbox functions, the credentials of the user that opens the connection are used for every subsequent database request, regardless of the user making the requests.

All other functions within a deployable archive (CTF file) are executed using the credential of the MATLAB Production Server instance.

Supported Environment

Option: Requirement

Operating system: Windows Server

Key distribution center: Windows Server 2003 or later

Client:

  • RESTful client over HTTP/HTTPS (HTTP 1.1) with JSON payload

  • The RESTful client must be one that supports SPNEGO/Kerberos, for example, curl with the --negotiate option or .NET HttpClient

Kerberos delegation: Constrained delegation without protocol transition

MATLAB Runtime: MATLAB Runtime R2019b or later

Deployable archive packaging: MATLAB Compiler SDK™ R2019b or later

Database server: Microsoft® SQL Server® 2012 or later

Database driver: Microsoft SQL Server ODBC driver version 11 or later

Kerberos Setup on Linux Systems

  • Set up a service account for the MATLAB Production Server and register a service principal name for the MATLAB Production Server service instance.

  • Create a keytab for the MATLAB Production Server service ticket principal. For more information, see the MIT Kerberos documentation for keytab, kvno, and ktutil.

  • Create a credential cache for the MATLAB Production Server service ticket principal. For more information, see the MIT Kerberos documentation for credential cache and kinit.

  • Set the environment variable KRB5_KTNAME to point to the keytab location.

  • Enable Kerberos in the MATLAB Production Server configuration file (main_config). For more information, see http-authentication-method.
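
The following preflight script is an added example, not MathWorks code; it checks the results of the Linux steps above before the server instance is started. The script and function names are hypothetical, the main_config line format (one "--property value" per line, "#" for comments) is an assumption, and the keytab permission check is added hardening, because the keytab holds the service principal's long-term keys.

```shell
#!/bin/sh
# Added example (not MathWorks code): preflight for the Linux Kerberos setup.
# Run it as the account that runs the server instance.

# Resolve the keytab path from KRB5_KTNAME, dropping an optional "FILE:" prefix.
keytab_path() {
    [ -n "${KRB5_KTNAME:-}" ] || return 1
    printf '%s\n' "${KRB5_KTNAME#FILE:}"
}

# The keytab holds the service principal's long-term keys: require that it
# exists, is non-empty, and grants nothing to group or others (added hardening).
check_keytab() {
    kt=$(keytab_path) || { echo "FAIL: KRB5_KTNAME is not set"; return 1; }
    [ -s "$kt" ] || { echo "FAIL: keytab missing or empty: $kt"; return 1; }
    perms=$(ls -ld "$kt" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "FAIL: keytab perms too open: $kt"; return 1; }
    echo "OK: keytab $kt"
}

# "klist -s" exits 0 only when a credential cache with unexpired tickets exists.
check_ccache() {
    klist -s 2>/dev/null || { echo "FAIL: no valid credential cache"; return 1; }
    echo "OK: credential cache"
}

# Assumption: main_config has one "--property value" per line, "#" for comments.
check_main_config() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    grep -Eq '^[[:space:]]*--http-authentication-method[[:space:]]+[^[:space:]]' "$1" \
        || { echo "FAIL: http-authentication-method not set in $1"; return 1; }
    echo "OK: http-authentication-method set in $1"
}

# Run every check so one report lists all problems; non-zero if any failed.
preflight() {
    rc=0
    check_keytab || rc=1
    check_ccache || rc=1
    check_main_config "$1" || rc=1
    return "$rc"
}

# Usage (hypothetical script name): sh mps_krb_preflight.sh /path/to/main_config
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A keytab reached through a symbolic link is reported as too open, because the link's own permission bits are inspected; point KRB5_KTNAME at the real file.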

Supported Environment

Option: Requirement

Operating system: For supported Linux distributions, see System Requirements for MATLAB.

Key distribution center:

  • Windows Server 2003 or later for a KDC

  • MIT Kerberos 5 KDC for a Linux KDC

Client:

  • RESTful client over HTTP/HTTPS (HTTP 1.1) with JSON payload

  • The RESTful client must be one that supports SPNEGO/Kerberos, for example, curl with the --negotiate option or .NET HttpClient
