Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 12.0.1 » SQL Anywhere Server - Database Administration » Starting and connecting to your database » SQL Anywhere database connections » Kerberos authentication


Setting up Kerberos authentication

 Set up Kerberos authentication on a SQL Anywhere database
  1. Install and configure the Kerberos client software, including the GSS-API runtime library, on both the client and server.

    On Windows client computers using an Active Directory KDC, SSPI can be used and you do not need to install the Kerberos client. See SSPI for Kerberos logins on Windows.

  2. If necessary, create a Kerberos principal in the Kerberos Key Distribution Center (KDC) for each user.

    A Kerberos principal is a Kerberos user ID in the format user/instance@REALM, where /instance is optional. If you are already using Kerberos, the principal should already exist, so you will not need to create a Kerberos principal for each user.

    Principals are case sensitive and must be specified in the correct case. Mappings for multiple principals that differ only in case are not supported (for example, you cannot have mappings for both jjordan@MYREALM.COM and JJordan@MYREALM.COM).

  3. Create a Kerberos principal in the KDC for the SQL Anywhere database server.

    The Kerberos principal for the database server has the format server-name@REALM, where server-name is the SQL Anywhere database server name. Principals are case significant, and the server-name cannot contain multibyte characters, or the characters /, \, or @. The rest of the steps assume the Kerberos principal is my_server_princ@MYREALM.COM.

    You must create a server service principal within the KDC because servers use a keytab file for KDC authentication. The keytab file is protected and encrypted.

  4. Securely extract and copy the keytab for the principal server-name@REALM from the KDC to the computer running the SQL Anywhere database server. The default location of the keytab file depends on the Kerberos client and the platform. The keytab file's permissions should be set so that the SQL Anywhere server can read it, but unauthorized users do not have read permission.

  5. Configure SQL Anywhere to use Kerberos.