I am attempting to establish an MSSQL direct connection with Windows authentication. There are lots of posts referencing SQLJDBCDriver.config and krb5.config, but all of them seem to assume a level of familiarity with these files and their structure that I do not have. Are there any examples someone could point me to, either on how to write these files or with dummy configuration in them?
About Kerberos
The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client’s network credentials.
Information in this section provides theoretical background on the use of the Kerberos protocol in an authentication process. This is background information that can add to a developer’s understanding of what is happening behind the scenes in an SSPI process that uses the Kerberos Version 5 protocol.
The Kerberos authentication protocol provides a mechanism for mutual authentication between entities before a secure network connection is established. Throughout this documentation, the two entities are called the client and the server even though secure network connections can be made between servers. Both client and server can also be referred to as security principals.
The Kerberos protocol assumes that transactions between clients and servers take place on an open network where most clients and many servers are not physically secure, and packets traveling along the network can be monitored and modified at will. The assumed environment is like today’s Internet where an attacker can easily pose as either a client or a server, and can readily eavesdrop on or tamper with communications between legitimate clients and servers.
This section provides the following information:
- Basic Authentication Concepts
- Kerberos Subprotocols
- Kerberos Model
- SSPI/Kerberos Interoperability with GSSAPI
Your application should not access the Kerberos security package directly; instead, it should use the Negotiate security package. Negotiate allows your application to take advantage of more advanced security protocols if they are supported by the systems involved in the authentication. Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.
Beginning in Microsoft JDBC Driver 4.0 for SQL Server, an application can use the authenticationScheme connection property to indicate that it wants to connect to a database using type 4 Kerberos integrated authentication. For more information on connection properties, see Setting the Connection Properties. For more information on Kerberos, see Microsoft Kerberos.
When using integrated authentication with the Java Krb5LoginModule, you can configure the module using Class Krb5LoginModule.
The Microsoft JDBC Driver for SQL Server sets the following properties for IBM Java VMs:
- useDefaultCcache = true
- moduleBanner = false
The Microsoft JDBC Driver for SQL Server sets the following properties for all other Java VMs:
- useTicketCache = true
- doNotPrompt = true
For more info, refer here: https://learn.microsoft.com/en-us/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connect-to-sql-server?view=sql-server-ver16
For sample Java code to perform the testing, refer to the GitHub repo below:
Hope this helps.
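The reply above explains which connection property selects Kerberos (authenticationScheme) and which login module the driver uses, but not how the two files fit together at runtime. The program below is an added example written for this thread; it is not from the original post, from Microsoft, or from the SailPoint connector. It wires the krb5.config and SQLJDBCDriver.config files into the JVM via the standard java.security.krb5.conf and java.security.auth.login.config system properties, opens a connection with authenticationScheme=JavaKerberos, and then asks SQL Server which auth_scheme the session actually negotiated, so a fallback to NTLM is visible instead of silently accepted. The host name, database name and file paths are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Minimal end-to-end check for JDBC Kerberos integrated authentication.
 * Assumes the Microsoft JDBC Driver for SQL Server is on the classpath and
 * that the caller already holds a TGT in the ticket cache (useTicketCache=true
 * and doNotPrompt=true in SQLJDBCDriver.config mean the driver will not prompt).
 */
public class KerberosJdbcCheck {

    public static void main(String[] args) throws SQLException {
        // Placeholder paths: point these at the two files discussed in the thread.
        System.setProperty("java.security.krb5.conf", "/path/to/krb5.config");
        System.setProperty("java.security.auth.login.config", "/path/to/SQLJDBCDriver.config");

        // Verbose Kerberos tracing from the JDK; useful while the config is being debugged,
        // remove once the connection works because it is very noisy.
        System.setProperty("sun.security.krb5.debug", "true");

        // Placeholder host and database. integratedSecurity=true plus
        // authenticationScheme=JavaKerberos selects the pure-Java Kerberos path,
        // which is what reads SQLJDBCDriver.config (login entry name "SQLJDBCDriver").
        String url = "jdbc:sqlserver://sqlhost.mydomain.com:1433;"
                + "databaseName=master;"
                + "integratedSecurity=true;"
                + "authenticationScheme=JavaKerberos;"
                + "encrypt=true;"
                + "trustServerCertificate=false";

        // Ask the server who we are and how this session was authenticated.
        // auth_scheme is KERBEROS when the ticket exchange succeeded; NTLM means
        // Negotiate fell back and the Kerberos configuration is not being used.
        String probe = "SELECT SUSER_SNAME(), auth_scheme "
                + "FROM sys.dm_exec_connections WHERE session_id = @@SPID";

        try (Connection conn = DriverManager.getConnection(url);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(probe)) {
            if (rs.next()) {
                String login = rs.getString(1);
                String scheme = rs.getString(2);
                System.out.println("login=" + login + " auth_scheme=" + scheme);
                if (!"KERBEROS".equalsIgnoreCase(scheme)) {
                    System.err.println("Connected, but not via Kerberos; check krb5.config and the SPN.");
                }
            }
        }
    }
}
```

Run it with the driver jar on the classpath after obtaining a ticket for the domain account that should own the connection. If the JVM cannot locate a KDC or parse krb5.config, the failure surfaces in the sun.security.krb5.debug output before the TDS connection is even attempted, which separates Kerberos configuration errors from SQL Server login errors.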
I appreciate the articles and the guides. Whenever I go to upload the .config files I've put together for this, though, I just get a "Please contact your Administrator" error from the source configuration page.
Here are the .config files I am attempting to upload. I have changed out the domain names, but I feel like I'm missing something syntactically.
SQLJDBCDriver.config

    SQLJDBCDriver {
        com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
    };

krb5.config

    [libdefaults]
        noaddresses = true
        default_realm = MYDOMAIN.COM
        # Listed in order of preference; arcfour-hmac-md5 and the des-* types are legacy
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        passwd_check_s_address = false
        udp_preference_limit = 1
        ccache_type = 3
        kdc_timesync = 0

    [domain_realm]
        # DNS domain (conventionally lower case) -> Kerberos realm (upper case)
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

    [realms]
        MYDOMAIN.COM = {
            # kdc takes a KDC host name (optionally host:port), not a service principal;
            # "krbtgt/REALM@REALM" is the TGS principal and is not valid here.
            # Placeholder host name: replace with a domain controller for the realm.
            kdc = dc01.mydomain.com
            default_domain = MYDOMAIN.COM
        }
@nathanieljjohnson, thanks for your update. Please refer to my response below:
You can upload the required configuration files, SQLJDBCDriver.config and krb5.config, from the Base Configuration tab. This is the recommended method for providing these files.
Alternatively, you can upload the file with the following process:
- Using FTP, SFTP, or any other transport means, upload the file to one of the following locations in the Virtual Appliance:
    /opt/sailpoint/ccg/
    /home/sailpoint/ccg/custom/
- Map the connector to the selected file location by adding the following entry into the source XML using the IdentityNow REST API, replacing <config_file_path> with your selected file location:
    Attribute: configFilePath
    Value: <config_file_path>
  For example:
    Attribute: configFilePath
    Value: /opt/sailpoint/ccg/
Regarding the syntax of the config file, you may refer to the Microsoft documentation here:
Using Kerberos integrated authentication to connect to SQL Server - JDBC Driver for SQL Server | Microsoft Learn
For more details, refer to the connector documentation here.
I opened a support case on this as the files I’m uploading are registering errors even though they appear from everything I can see to be syntactically correct.