Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SAP Sybase SQL Anywhere 16.0 » SQL Anywhere Server - Database Administration » SQL Anywhere database connections » Database connections » Kerberos authentication

 

Configuring SQL Anywhere databases to use Kerberos

You can configure SQL Anywhere databases to use Kerberos logins.

Prerequisites

You must have the SET ANY PUBLIC OPTION and MANAGE ANY USER system privileges.

You must already have Kerberos configured before SQL Anywhere can use it.

Context and remarks

The Kerberos login feature allows you to maintain a single user ID and password for database connections, operating systems, and network logins.

 Task
  1. Start the SQL Anywhere database server with the -krb or -kr option to enable Kerberos authentication, or use the -kl option to specify the location of the GSS-API library and enable Kerberos.

  2. Change the public or temporary public option login_mode to a value that includes Kerberos. As database options apply only to the database in which they are found, different databases can have a different Kerberos login setting, even if they are loaded and running on the same database server. For example:

    SET OPTION PUBLIC.login_mode = 'Kerberos,Standard';
    Caution

    Setting the login_mode database option to Kerberos restricts connections to only those users who have been granted a Kerberos login mapping. Attempting to connect using a user ID and password generates an error unless you are a user with SYS_AUTH_DBA_ROLE system role.

  3. Create a database user ID for the client user. You can use an existing database user ID for the Kerberos login, as long as that user has the correct privileges. For example:

    CREATE USER "kerberos-user"
    IDENTIFIED BY abc123;
  4. Execute a GRANT KERBEROS LOGIN TO statement to create a mapping from the client's Kerberos principal to an existing database user ID. For example:

    GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" 
    AS USER "kerberos-user";

    To connect when a Kerberos principal is used that does not have a mapping, ensure the Guest database user ID exists and has a password.

  5. Ensure the client user has already logged on (has a valid Kerberos ticket-granting ticket) using their Kerberos principal and that the client's Kerberos ticket has not expired. A Windows user logged in to a domain account already has a ticket-granting ticket, which allows them to authenticate to servers, providing their principal has enough permissions.

    A ticket-granting ticket is a Kerberos ticket encrypted with the user's password that is used by the Ticket Granting Service to verify the user's identity.

  6. Connect from the client, specifying the KERBEROS connection parameter (Often KERBEROS=YES, but KERBEROS=SSPI or KERBEROS=GSS-API-library-file can also be used). If the user ID or password connection parameters are specified, they are ignored. For example:

    dbisql -c "KERBEROS=YES;Server=my_server_princ"

Results

The SQL Anywhere database is configured to use Kerberos authentication.

Next

You can use Kerberos authentication to connect from a client. Optionally, you can create a Kerberos login mapping.

Example

A connection attempt using the following SQL statement is successful if the user logs in with a user profile name that matches a Kerberos login mapping for the default database on a database server:

CONNECT USING 'KERBEROS=YES';

The CONNECT statement can connect to a database if all the following conditions are true:

  • A database server is currently running.

  • The default database on the current database server is enabled to accept Kerberos authenticated connections.

  • A Kerberos login mapping has been created for the user's current Kerberos principal.

  • If the user is prompted with a window by the database server for more connection information (such as occurs when using Interactive SQL), the user clicks OK without providing more information.


 See also