Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 11.0.1 (Français) » SQL Anywhere Server - Database Administration » Starting and Connecting to Your Database » SQL Anywhere database connections » Kerberos authentication

 

Use SSPI for Kerberos logins on Windows

In a Windows domain, SSPI can be used on Windows-based computers without a Kerberos client installed on the client computer. Windows domain accounts already have associated Kerberos principals.

♦  To connect using SSPI
  1. Set up Kerberos authentication. See Set up Kerberos authentication.

  2. Start the SQL Anywhere server with the -krb option to enable Kerberos authentication. For example:

    dbeng11 -krb -n my_server_princ C:\kerberos.db
  3. Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to set this option. For example:

    SET OPTION PUBLIC.login_mode = 'Kerberos';
  4. Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions. For example:

    CREATE USER kerberos_user
    IDENTIFIED BY abc123;
  5. Create a mapping from the client's Kerberos principal to an existing database user ID by executing a GRANT KERBEROS LOGIN TO statement. This statement requires DBA authority. For example:

    GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" 
    AS USER "kerberos-user";
  6. Connect to the database from the client computer. For example:

    dbisql -c "KERBEROS=SSPI;ENG=my_server_princ"

    When Kerberos=SSPI is specified in the connection string, a Kerberos login is attempted.

    A connection attempt using the following Interactive SQL statement will also succeed, providing the user has logged on with a user profile name that matches a Kerberos login mapping in a default database of a server:

    CONNECT USING 'KERBEROS=SSPI';