The authentication credentials used to establish the session context are supplied to the .NET Data Provider for Teradata via the AuthenticationString property. The mechanisms that require credentials are Kerberos (SPNEGO) and LDAP. It is the responsibility of the application to ensure that the value supplied for the AuthenticationString conforms to the requirements of the authentication mechanism in use.
TDNEGO Authentication String Syntax Rules
TDNEGO is a negotiating mechanism that will attempt to negotiate into one of the other supported mechanisms. It accepts all the authentication string formats which are supported by the other mechanisms.
JWT Authentication String Syntax Rules
The format of the authentication string for JWT authentication is as follows:
token=JWT
where JWT is the JSON Web Token to be used for authentication.
Kerberos Authentication String Syntax Rules
The format of the credential string for Kerberos authentication is composed of the following elements: "name", "realm", and "password", as follows:
name@realm@@password
The format of the components must conform to the following rules:
- One or more principal name components; if more than one principal name component is included, the components are separated by '/'. The following constraints and special considerations apply:
- Any occurrence of the characters '@' or '/' must be immediately preceded by the '\' (backslash).
- The ASCII newline, tab, backspace, and null characters may occur directly or may be represented, respectively by '\n', '\t', '\b', or '\0'.
- If the '\' quoting character occurs outside the contexts described above, the following character is interpreted literally. As a special case, this allows the doubled representation '\\' to represent a single occurrence of the quoting character.
-
An occurrence of the '\' quoting character as the last character in a name component is illegal.
- Optionally, a '@' character, signifying that a realm name immediately follows.
- If no realm name element is included, the local realm name is assumed.
- The '/', ":", and null characters many not occur within a realm name
-
The '@', newline, tab, and backspace characters may be included using the quoting conventions described in (1a), (1b) and (1c) above.
- Since the '@' character is not legal in a realm name, the double occurrence of it is used an an introducer of the password.
- All characters after the "@@" are considered as password characters.
- The '@', newline, tab, and backspace characters may be included using the quoting conventions described in (1a), (1b) and (1c) above.
LDAP Authentication String Syntax Rules
The format for LDAP credentials is as follows:
| Teradata Database | LDAP Authentication String Format |
| Version 6.0 | authcid=authcid password=password [profile=profile] [user=tduser] |
| Version 6.1 and above | authcid@@password [profile=profile] [user=tduser] authcid password=password [profile=profile] [user=tduser] |
Rules for the authcid= element:
- The format of authcid is defined by the directory server used by the Teradata database.
- If the value contains a comma, single or double quote character, the string must be enclosed in single or double quotes.
Rules for the password= element:
- If the value contains '\' character, the character should be preceded with a '\'.
Rules for the authcid=, password=, profile= and user= elements:
- If the value contains a space, the value must be enclosed in double quotes.
- If the value contains a double quote, escape with another double quote (e.g. "") to represent a single double quote in the value.
Following rules apply to these LDAP authentication credential formats:
authcid password=password
authcid@@password
- The first element in the credentials must conform to the following rules:
- Any occurrence of the characters '@' or '/' must be immediately preceded by the '\' (backslash).
- The ASCII newline, tab, backspace, and null characters may occur directly or may be represented, respectively by '\n', '\t', '\b', or '\0'.
- If the '\' quoting character occurs outside the contexts described above, the following character is interpreted literally. As a special case, this allows the doubled representation '\\' to represent a single occurrence of the quoting character.
Authentication Credentials Generated by the .NET Data Provider for Teradata
An application may provide authentication credentials directly using the AuthenticationString property. However, if the application specifies a UserId and Password, and the selected mechanism supports the generation of credentials, the .NET Data Provider for Teradata constructs the authentication credentials for the application. The mechanisms that currently support the generation of authentication credentials are Kerberos, LDAP, and TDNEGO.
 Note |
|---|
| If the application has selected IntegratedSecurity, then the .NET Data Provider for Teradata ignores all values in UserId, Password, and AuthenticationString. |
The .NET Data Provider for Teradata composes the authentication credentials using the values supplied in UserId, Password and AuthenticationString.
The credentials are constructed as follows:
- The value in UserId. If the value contains a double quote, it will be escaped with another double quote to represent a double quote in the value.
- The literal string "@@"
- The value in Password. If the value contains a double quote, it will be escaped with another double quote to represent a double quote in the value. Any occurrence of the characters '@', '/', '\' will be escaped with a '\'. If any ASCII newline, tab, backspace, carriage return characters occur directly, it will be represented, respectively by '\n', '\t', '\b', or '\r'.
- The UserId@@Password will be enclosed in double-quotes. (e.g. "UserId@@Password")
- The value in AuthenticationString
It is the responsibility of the application to ensure that the values supplied in the UserId, Password, and AuthenticationString properties will result in properly constructed credentials for the desired authentication mechanism.
The table below shows how the UserId, Password and AuthenticationString values should be specified based on the selected authentication mechanism:
| Authentication Mechanism | UserId contains: | Password contains: | AuthenticationString should contain: | Notes |
|---|---|---|---|---|
| SPNEGO | name | password | empty | The default realm is assumed. |
| SPNEGO | name@realm | password | empty | The application should separate the components with a '@'. Any special characters in the name or realm must conform to the syntax rules described above. |
| LDAP | authcid | password | empty or profile=profile user=tduser |
The profile= and user= components are optional. |
| LDAP | authcid | empty | password=password profile=profile user=tduser |
The profile= and user= components are optional. |
| JWT | empty | empty | token=JWT |
The following examples show how the .NET Data Provider for Teradata constructs the authentication credentials:
| UserId | Password | AuthenticationString | Credentials Generated by the .NET Data Provider for Teradata |
|---|---|---|---|
| TestUser | pass1 | empty | "TestUser@@pass1" |
| TestUser@CORP | pass2 | empty | "TestUser@CORP@@pass2" |
| Test\@User@CORP | pass3 | empty | "Test\@User@CORP@@pass3" |
| LdapUser | ldappass1 | empty | "LdapUser@@ldappass1" |
| LdapUser | ldappass2 | profile=manager | "LdapUser@@ldappass2" profile=manager |
| LdapUser | ldap"p/\as@s'3 | user=tduser | "LdapUser@@ldap""p\/\\as\@s'3" user=tduser |