Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 17 » SQL Anywhere Server - Database Administration » Database connections » Authentication mechanisms

Kerberos user authentication

The Kerberos login feature allows you to maintain a single user ID and password for database connections, operating system, and network logins.

The Kerberos login is more convenient for users and permits a single security system for database and network security. Its advantages include:

  • The user does not need to provide a user ID or password to connect to the database.

  • Multiple users can be mapped to a single database user ID.

  • The name and password used to log in to Kerberos do not have to match the database user ID and password.

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography. Users already logged in to Kerberos can connect to a database without providing a user ID or password.

Kerberos can be used for authentication. To delegate authentication to Kerberos you must:

  • configure the server and database to use Kerberos logins.

  • create mapping between the user ID that logs in to the computer or network, and the database user.


When using Kerberos logins as a single security solution, be sure to inform yourself on the security concern related to copied databases.

SQL Anywhere does not include the Kerberos software; it must be obtained separately. The following components are included with the Kerberos software:

  • Kerberos libraries

    These are referred to as the Kerberos Client or GSS (Generic Security Services)-API runtime library. These Kerberos libraries implement the well-defined GSS-API. The libraries are required on each client and server computer that intends to use Kerberos. The built-in Windows SSPI interface can be used instead of a third-party Kerberos client library if you are using Active Directory as your KDC.

    SSPI can only be used by clients in the Kerberos connection parameter. The database server cannot use SSPI. It needs a supported Kerberos client other than SSPI.

  • A Kerberos Key Distribution Center (KDC) server

    The KDC functions as a storehouse for users and servers. It also verifies the identification of users and servers. The KDC is typically installed on a server computer not intended for applications or user logins.

Kerberos authentication from DBLib, ODBC, OLE DB, and ADO.NET clients, and SAP Open Client and jConnect clients is supported. Kerberos authentication can be used with SQL Anywhere transport layer security encryption, but Kerberos encryption for network communications is not supported.

Windows uses Kerberos for Windows domains and domain accounts. Active Directory Windows Domain Controllers implement a Kerberos KDC. A third-party Kerberos client or runtime is still required on the database server computer for authentication in this environment, but the Windows client computers can use the built-in Windows SSPI interface instead of a third-party Kerberos client or runtime.