See “Client-Library and security services” for an overview of how client applications use security services.
The following considerations apply specifically to client applications that use DCE security services:
Client applications must specify the server principal name if it is not the same as the server’s network name.
When using DCE security, DCE always authenticates the server’s principal name. The connection cannot be opened if the correct server principal name is not supplied. By default, Client-Library assumes the principal name matches the network name.
Client-Library applications specify the server principal name by setting the CS_SEC_SERVERPRINCIPAL connection property. Users of isql and other Sybase client utilities can specify the server principal name with the -R command-line option.
Client applications must connect to the server using the default, preexisting DCE credential or by using a DCE keytab file to acquire a new credential.
DCE users acquire their default DCE credentials with the dce_login tool. Client-Library applications use the default credential by not setting the CS_USERNAME connection property. Users of Sybase client utilities, such as isql, omit the -U command-line option to connect using their default credential.
To acquire a new credential, you must have read access to a valid DCE keytab file that contains the encrypted password for the DCE user you want to connect as. You can create a keytab file with the DCE dcecp utility, using the keytab create command.
Client-Library applications can acquire a new credential by setting the CS_USERNAME property to a DCE user name and setting the CS_SEC_KEYTAB property to the name of the corresponding DCE keytab file.
Users of isql and other Sybase client utilities can use the -U and -K command-line options to specify the user name and the keytab file name, respectively.
Do not specify a user name unless you also supply the
name of a DCE keytab file to authenticate that user.
