Use Kerberos Authentication and Kerberos Delegation
To authenticate user access to a MATLAB® Production Server™ instance, you need to configure Kerberos. To delegate a client’s credential to a next hop web server or a database server that is protected by Kerberos, you need to configure Kerberos delegation. Configuring Kerberos and Kerberos delegation require domain administrator privileges.
You can use Kerberos authentication and Kerberos delegation with MATLAB Production Server instances running on Windows Server® operating systems with a Windows® Key Distribution Center (KDC).
You can use only Kerberos authentication with MATLAB Production Server instances running on Linux® operating systems. For Linux server instances, you can use a Windows KDC or the Linux-based MIT Kerberos 5 KDC.
To configure Kerberos authentication and Kerberos delegation, consult your IT or system administrator.
Kerberos Authentication and Kerberos Delegation Setup on Windows Systems
Configure Kerberos Authentication
Set up a service account for the MATLAB Production Server and register a service principal name for MATLAB Production Server service instance.
Enable Kerberos in the MATLAB Production Server configuration file (
main_config). For more information, see http-authentication-method.
Configure Kerberos Delegation
Set up a service account for the MATLAB Production Server and register a service principal name for MATLAB Production Server service instance.
Configure constrained delegation without protocol transition for the service account.
Configure the local security privilege for the MATLAB Production Server service account.
Enable Kerberos authentication and Kerberos delegation in the MATLAB Production Server configuration file (
main_config). For more information, see http-authentication-method and client-credential-delegation.
Only the following MATLAB functions within a deployable archive (CTF file) support using Kerberos delegation:
webreadwebwriteCall Web Services from MATLAB Using HTTP (MATLAB) functions
Database Toolbox™ functions (requires an ODBC driver)
Note
If you use persistent database connections when using Kerberos delegation on a MATLAB Production Server instance that uses Database Toolbox functions, the credentials of the user that opens the connection are used for every subsequent database request, regardless of the user making the requests.
All other functions within a deployable archive (CTF file) are executed using the credential of the MATLAB Production Server instance.
Supported Environment
| Option | Requirement |
|---|---|
Operating system | Windows Server |
Key distribution center | Windows Server 2003 or later |
Client |
|
Kerberos delegation | Constrained delegation without protocol transition |
MATLAB Runtime | MATLAB Runtime R2019b or later |
Deployable archive packaging | MATLAB Compiler SDK™ R2019b or later |
Database server | Microsoft® SQL Server® 2012 or later |
Database driver | Microsoft SQL Server ODBC driver version 11 or later |
Kerberos Setup on Linux Systems
Set up a service account for the MATLAB Production Server and register a service principal name for MATLAB Production Server service instance.
Create a keytab for the MATLAB Production Server service ticket principal. For more information, see the MIT Kerberos documentation for keytab, kvno, and ktutil.
Create a credential cache for the MATLAB Production Server service ticket principal. For more information, see the MIT Kerberos documentation for credential cache and kinit.
Set the environment variable
KRB5_KTNAMEto point to the keytab location.Enable Kerberos in the MATLAB Production Server configuration file (
main_config). For more information, see http-authentication-method.
Supported Environment
| Option | Requirement |
|---|---|
Operating system | For supported Linux distributions, see System Requirements for MATLAB. |
Key distribution center |
|
Client |
|
See Also
Server Configuration Properties
Related Topics
External Websites
You can also select a web site from the following list:
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)