On Windows client computers using a Windows domain, SSPI can be used and no Kerberos client needs to be installed on the client computer. Windows domain accounts already have Kerberos principals associated with them. For example, account pchin in the myrealm.com Windows domain is typically already associated with the pchin@MYREALM.COM Kerberos principal. Clients authenticating this way must set the Kerberos (KRB) connection parameter to SSPI.
When Kerberos=SSPI is specified in the connection string, a Kerberos login is attempted.
The following procedure assumes you have already set up Kerberos authentication. See Setting up Kerberos authentication.
Start the SQL Anywhere server with the -krb option to enable Kerberos authentication.
dbeng10 -krb -n my_server_princ C:\kerberos.db
Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to change the setting of this option.
SET OPTION PUBLIC.login_mode = 'Kerberos'
Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions.
GRANT CONNECT TO "kerberos-user" IDENTIFIED BY "abc123"
Create a mapping from the client's Kerberos principal to an existing database user ID by executing a GRANT KERBEROS LOGIN TO statement (this statement requires DBA authority).
GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" AS USER "kerberos-user"
Connect to the database from the client computer.
dbisql -c "KERBEROS=SSPI;ENG=my_server_princ"
A connection attempt using the following Interactive SQL statement will also succeed, providing the user has logged on with a user profile name that matches a Kerberos login mapping in a default database of a server:
CONNECT USING 'KERBEROS=SSPI'