CIS uses persistent client-library connections to handle RPC requests. CIS handles outbound RPCs by determining whether the client already has a client-library connection to the server for which the RPC is intended. If no connection exists, one is established.
To enable the CIS RPC handling mechanism, set the configuration option cis rpc handling to 1. When not enabled, the Kerberos user needs to temporarily enable CIS RPC for the current session to use this feature.
The following command enables CIS RPC handling for the current login session.
set cis_rpc_handling on
The following describes how to enable Kerberos authentication for all types of Adaptive Server to CIS connections.
In the following example, user1 is a Kerberos user who logs in to Adaptive Server S1 and requests an RPC to the remote Adaptive Server S2.
Add an entry to the interfaces file or the Directory Service for both servers S1 and S2, and include a secmech line for the Kerberos security mechanism.
Add a login for the Kerberos user if one does not exist.
create login user1 with password pwuser1
Enable the use of security mechanisms by setting the configuration option use security services to on.
sp_configure "use security services", 1
On the local server S1, enable Kerberos Authentication for CIS to remote server S2.
This assumes that remote server S2 only receives CIS command requests from S1. However, if S2 can also issue CIS command requests to other servers and those connections require Kerberos authentication, then a similar configuration is required on S2.
On the local server S1, add the remote server S2.
sp_addserver S2
Enable the Kerberos security mechanism on S1 for outbound RPC requests to S2.
sp_serveroption S2, "security mechanism", csfkrb5
Security mechanism authentication for RPC requests to remote server S2 is initiated only if the security mechanism is configured for remote server S2 using the above command.
If the security mechanism to S2 is configured and the forwarded ticket of user 'user1' is not available to local server S1, then the RPC connection will not be initiated.
If the security mechanism is not configured for RPC to remote server S2, meaning the server option security mechanism is not set, then security session establishment will not be initiated for RPC to remote server S2. In this case, CIS will initiate password-based authentication with the remote server S2. CIS uses the names and passwords of the client whenever it connects to a remote server if no external login/password mapping is specified. The client user1, logged in to Adaptive Server using Kerberos unified login authentication, will not have any password associated with the login session. The system administrator must configure login mapping using sp_addexternlogin for user user1 to be able to connect to S2 for RPC requests. If no external login and password mapping is specified for user1, then the password will be blank and the CIS connection to the remote server will fail.
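The S1-side settings described above, shown as two alternative isql batches (Kerberos for the CIS link, or the password-mapping fallback) with a check of what S2 actually used. This is an added example, not part of the original documentation; the remote login s2_user1 and its password are constructed placeholders, and sp_helpserver and sp_helpexternlogin are used here only to review the result.

```sql
-- Added example: run on local server S1 by a system administrator.
-- user1, S1, S2 and csfkrb5 come from the text above;
-- s2_user1 and "<remote-password>" are constructed placeholders.

-- Path A: Kerberos for outbound RPCs from S1 to S2.
sp_configure "use security services", 1
go
sp_addserver S2
go
sp_serveroption S2, "security mechanism", csfkrb5
go
-- Review the server entry and the options recorded for S2.
sp_helpserver S2
go

-- Path B: no security mechanism set for S2, so CIS falls back to
-- password-based authentication. user1's Kerberos login session has
-- no password, so map user1 to a login and password that exist on S2;
-- without this mapping the password is blank and the connection fails.
sp_addexternlogin S2, user1, s2_user1, "<remote-password>"
go
-- Review the mapping that was stored for user1.
sp_helpexternlogin S2, user1
go

-- Check, from user1's own session on S1 (isql -Vd -S S1):
-- ask S2 which mechanism authenticated the CIS connection, so a
-- silent fallback to password authentication is visible.
sp_remotesql S2, "select @@authmech"
go
```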
user1 can request execution of the stored procedure sp_who on S2 by connecting to server S1 and requesting credential delegation as follows:
isql -Vd -S S1
S2...sp_who
go
user1 can make a passthrough connection to remote server S2 by using the following command:
connect to S2
user1 can execute queries on the remote server by using the following commands:
sp_remotesql S2, "select @@authmech"
go
sp_remotesql S2, "sp_who"
go