Using Kerberos authentication

The Kerberos login feature allows you to maintain a single user ID and password for both database connections and operating system and/or network logins. This section describes the Kerberos login feature.

Benefits of Kerberos logins

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography. SQL Anywhere can use Kerberos for authentication in a manner similar to Windows integrated logins. Users who have already logged in to Kerberos can connect to a database without providing a user ID or password.

To use Kerberos as an authentication system, you must configure SQL Anywhere to delegate authentication to Kerberos. The database must be configured to accept Kerberos logins, and a mapping must be granted between the user ID used to log in to the computer and/or network and a database user.

If you already have Kerberos set up, then you can take advantage of this authentication mechanism to authenticate users connecting to databases.
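The two database-side steps named above, sketched in SQL as an added example that is not taken from this page: enabling Kerberos in the login_mode option and mapping a Kerberos principal to a database user. The principal alice@EXAMPLE.COM and the database user report_reader are constructed placeholders.

```sql
-- Added example; the principal and user names are constructed placeholders.

-- 1. Allow Kerberos logins in addition to standard user ID/password logins.
SET OPTION PUBLIC.login_mode = 'Kerberos,Standard';

-- 2. Map a Kerberos principal to an existing database user.
--    Principal names are case sensitive. Map each principal to the
--    least-privileged database user that fits its role, not to a DBA account.
GRANT KERBEROS LOGIN TO "alice@EXAMPLE.COM" AS USER "report_reader";

-- 3. Remove the mapping when the principal no longer needs database access.
REVOKE KERBEROS LOGIN FROM "alice@EXAMPLE.COM";
```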

Using a Kerberos login is more convenient for the user and permits a single security system for database and network security. Its advantages include:


Kerberos logins offer the convenience of a single security system, but there are important security implications that database administrators should be familiar with. See Security concerns: Copied database files.

SQL Anywhere does not come equipped with Kerberos software. You must obtain Kerberos software separately. Kerberos software includes the following components:

SQL Anywhere supports Kerberos authentication from DBLib, ODBC, OLE DB, and ADO.NET clients, as well as Sybase Open Client and jConnect clients. Kerberos authentication can be used with SQL Anywhere transport layer security encryption, but SQL Anywhere does not support Kerberos encryption for network communications.

Windows uses Kerberos for Windows domains and domain accounts. Active Directory Windows Domain Controllers implement a Kerberos KDC. A third-party Kerberos client or runtime is still required on the database server computer for authentication in this environment, but the Windows client computers can use the built-in Windows SSPI interface instead of a third-party Kerberos client or runtime. See Using SSPI for Kerberos logins on Windows.

Kerberos clients
Setting up Kerberos authentication
Creating Kerberos login mappings
Revoking Kerberos login permission
Using SSPI for Kerberos logins on Windows
Troubleshooting Kerberos connections
Security concerns: Setting temporary public options for added security
Security concerns: Copied database files