Kerberos authentication

The Kerberos login feature allows you to maintain a single user ID and password for database connections, operating system, and network logins. The Kerberos login is more convenient for users and permits a single security system for database and network security. Its advantages include:

• The user does not need to provide a user ID or password to connect to the database.

• Multiple users can be mapped to a single database user ID.

• The name and password used to log in to Kerberos do not have to match the database user ID and password.

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography. Users already logged in to Kerberos can connect to a database without providing a user ID or password.

Kerberos can be used for authentication. To delegate authentication to Kerberos you must:

• configure the server and database to use Kerberos logins.

• create mapping between the user ID that logs in to the computer or network, and the database user.

SAP Sybase IQ does not include the Kerberos software; it must be obtained separately. The following components are included with the Kerberos software:

• Kerberos libraries – These are referred to as the Kerberos Client or GSS (Generic Security Services)-API runtime library. These Kerberos libraries implement the well-defined GSS-API. The libraries are required on each client and server computer that intends to use Kerberos. The built-in Windows SSPI interface can be used instead of a third-party Kerberos client library if you are using Active Directory as your KDC.

  SSPI can only be used by SAP Sybase IQ clients in the Kerberos connection parameter. SAP Sybase IQ database servers cannot use SSPI—they need a supported Kerberos client other than SSPI.

• A Kerberos Key Distribution Center (KDC) server – The KDC functions as a storehouse for users and servers. It also verifies the identification of users and servers. The KDC is typically installed on a server computer not intended for applications or user logins.

SAP Sybase IQ supports Kerberos authentication from DBLib, ODBC, OLE DB, and ADO.NET clients, and Sybase Open Client and jConnect clients. Kerberos authentication can be used with SAP Sybase IQ transport layer security encryption, but SAP Sybase IQ does not support Kerberos encryption for network communications.

Windows uses Kerberos for Windows domains and domain accounts. Active Directory Windows Domain Controllers implement a Kerberos KDC. A third-party Kerberos client or runtime is still required on the database server computer for authentication in this environment, but the Windows client computers can use the built-in Windows SSPI interface instead of a third-party Kerberos client or runtime.

• Kerberos clients
  
• Setting up a Kerberos system to use with SAP Sybase IQ
  You can configure Kerberos authentication to be used with SAP Sybase IQ.
• Configuring SAP Sybase IQ databases to use Kerberos
  You can configure SAP Sybase IQ databases to use Kerberos logins.
• Connections from a Sybase Open Client or a jConnect application
  To connect from a Sybase Open Client or jConnect application:
• Using SSPI for Kerberos logins on Windows
  In a Windows domain, SSPI can be used on Windows-based computers without a Kerberos client installed on the client computer. Windows domain accounts already have associated Kerberos principals.
• Troubleshooting: Kerberos connections
  If you get unexpected errors when attempting to enable or use Kerberos authentication, it is recommended that you enable additional diagnostic messages on the database server and client.
• Security concerns: Temporary public options for added security
  Setting the value of the login_mode option for a given database to allow a combination of Standard, Integrated, Kerberos, and LDAPUA logins using the SET OPTION statement permanently enables the specified types of logins for that database. For example, the following statement permanently enables standard and integrated logins:
• Security concerns: Copied database files
  If the database file can be copied, use the temporary public login_mode option for integrated and Kerberos logins. If the file is copied, the integrated and Kerberos logins are not supported by default.