Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SAP Sybase SQL Anywhere 16.0 » SQL Anywhere Server - Database Administration » SQL Anywhere database connections » Database connections » Kerberos authentication


Setting up a Kerberos system to use with SQL Anywhere

You can configure Kerberos authentication to be used with SQL Anywhere.


You must be logged in to your computer using Kerberos authentication.

Context and remarks

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography.

  1. If necessary, install and configure the Kerberos client software, including the GSS-API runtime library, on both the client and server.

    On Windows client computers using an Active Directory Key Distribution Center (KDC), SSPI can be used and you do not need to install the Kerberos client.

  2. If necessary, create a Kerberos principal in the Kerberos KDC for each user.

    A Kerberos principal is a Kerberos user ID in the format user/instance@REALM, where /instance is optional. If you are already using Kerberos, the principal should already exist, so you do not need to create a Kerberos principal for each user.

    Principals are case sensitive and must be specified in the correct case. Mappings for multiple principals that differ only in case are not supported (for example, you cannot have mappings for both jjordan@MYREALM.COM and JJordan@MYREALM.COM).

  3. Create a Kerberos principal in the KDC for the SQL Anywhere database server.

    The default Kerberos principal for the database server has the format server-name@REALM, where server-name is the SQL Anywhere database server name. To use a different server principal, use the -kp server option. Principals are case significant, and server-name cannot contain multibyte characters, or the characters /, \, or @.

    You must create a server service principal within the KDC because servers use a keytab file for KDC authentication. The keytab file is protected and encrypted.

  4. Securely extract and copy the keytab for the principal server-name@REALM from the KDC to the computer running the SQL Anywhere database server. The default location of the keytab file depends on the Kerberos client and the platform. The keytab file's permissions should be set so that the SQL Anywhere server can read it, but unauthorized users do not have read permission.


The Kerberos system is authenticated and configured to be used with SQL Anywhere.


Configure your SQL Anywhere database server and database to use Kerberos.

 See also