Using MIT Kerberos Security Services on Windows 64-bit

MIT Kerberos security services are supported on Windows 64-bit.

In order to use the MIT Kerberos Security services on Windows 64bit, changes are required in libtcl64.cfg, libtcl.cfg, and sql.ini files.

  1. Update the [SECURITY] section of the %SYBASE%\%SYBASE_OCS%\ini\libtcl64.cfg file.
    1. Add the following to the [SECURITY] section:
      csfkrb5=LIBSYBSKRB64 secbase=@REALM 
libgss=MIT_KRB_64_INSTALL_DIR \bin\gssapi64.dll
      Note: For the above example:

      REALM should be replaced with the Kerberos realm name.

      MIT_KRB_64_INSTALL_DIR should be replaced with the directory where MIT Kerberos version 4.0.1 for Windows 64-bit is installed.

      The path to the gssapi library, used in the libtcl64.cfg file, cannot contain whitespaces.

    This change allows 64-bit ASE and 64-bit Open Client applications to use the security driver library libsybsmssp64.dll at runtime. The libsybsmssp64.dll library is located in %SYBASE%\%SYBASE_OCS%\dll, along with other Open Client dynamic link libraries.
  2. Update the [SECURITY] section in the %SYBASE%\%SYBASE_OCS%\ini\libtcl.cfg file.
    1. Add the following to the [SECURITY] section:
       csfkrb5=LIBSYBSKRB secbase=@REALM 
libgss=MIT_KRB_32_INSTALL_DIR   \bin\gssapi32.dll
      Note: For the above example:

      REALM should be replaced with the Kerberos realm name.

      MIT_KRB_32_INSTALL_DIR should be replaced with the directory where MIT Kerberos version 4.0.1 for Windows 32-bit is installed.

      The path to the gssapi library, used in the libtcl64.cfg file, cannot contain whitespaces.

    The libtcl.cfg is used by the 32bit isql utility and 32-bit OpenClient applications.
  3. Choose one of the following methods to specify the OID value for MIT Kerberos.
    • Update the [SECMECH] section of the %SYBASE%\ini\sql.ini file. Add the following to the sql.ini file:
      [ASENAME]
master=TCP,<host>,<port>
query=TCP,<host>,<port>
secmech=1.3.6.1.4.1.897.4.6.6
    • Use the dsedit utility to add the 'Server Security' attribute value of '1.3.6.1.4.1.897.4.6.6' to your server.
      Note: This OID value derived from the %SYBASE%\ini\objectid.dat file which should not be modified
      .
  4. Make sure Adaptive Server is configured for security services. For example, to enable services with LAN Manager, execute: 
    sp_configure "use security services", 1
    For more information, see Using Security Services with NT LAN Manager in the Configuration Guide for Windows NT.
  5. Connect to the Adaptive Server without a user name and password. For example:
    • isql -V -SASENAME
    • isql64 -V -SASENAME
Parent topic: MIT Kerberos and NTLM Security Services