The Kerberos login feature allows you to maintain a single user ID and password for both database connections and operating system and/or network logins. This section describes the Kerberos login feature.
Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography. SQL Anywhere can use Kerberos for authentication in a manner similar to Windows integrated logins. Users who have already logged in to Kerberos can connect to a database without providing a user ID or password.
To use Kerberos as an authentication system, you must configure SQL Anywhere to delegate authentication to Kerberos. The database must be configured to use Kerberos logins, and a mapping must have been granted between the user used to log in to the computer and/or network, and a database user.
If you already have Kerberos set up, then you can take advantage of this authentication mechanism to authenticate users connecting to databases.
Using a Kerberos login is more convenient for the user and permits a single security system for database and network security. Its advantages include:
The user does not need to provide a user ID or password to connect to the database.
Multiple users can be mapped to a single database user ID.
The name and password used to log in to Kerberos do not have to match the database user ID and password.
Kerberos logins offer the convenience of a single security system, but there are important security implications that database administrators should be familiar with. See Security concerns: Copied database files.
SQL Anywhere does not come equipped with Kerberos software. You must obtain Kerberos software separately. Kerberos software includes the following components:
Kerberos libraries These are referred to as the Kerberos Client or GSS (Generic Security Services)-API runtime library. These Kerberos libraries implement the well-defined GSS-API. The libraries are required on each client and server computer that intends to use Kerberos. The built-in Windows SSPI interface can be used instead of a third-party Kerberos client library if you are using Active Directory as your KDC.
A Kerberos Key Distribution Center (KDC) server The KDC functions as a storehouse for users and servers. It also verifies the identification of users and servers. The KDC is typically installed on a server computer not intended for applications or user logins.
SQL Anywhere supports Kerberos authentication from DBLib, ODBC, OLE DB, and ADO.NET clients, as well as Sybase Open Client and jConnect clients. Kerberos authentication can be used with SQL Anywhere transport layer security encryption, but SQL Anywhere does not support Kerberos encryption for network communications.
Windows use Kerberos for Windows domains and domain accounts. Active Directory Windows Domain Controllers implement a Kerberos KDC. A third-party Kerberos client or runtime is still required on the database server computer for authentication in this environment, but the Windows client computers can use the built-in Windows SSPI interface instead of a third-party Kerberos client or runtime. See Using SSPI for Kerberos logins on Windows.
Setting up Kerberos authentication
Creating Kerberos login mappings
Revoking Kerberos login permission
Using SSPI for Kerberos logins on Windows
Troubleshooting Kerberos connections
Security concerns: Setting temporary public options for added security
Security concerns: Copied database files