On Windows client computers using a Windows domain, SSPI can be used and no Kerberos client needs to be installed on the client computer. Windows domain accounts already have Kerberos principals associated with them. For example, account pchin in the myrealm.com Windows domain is typically already associated with the pchin@MYREALM.COM Kerberos principal. Clients authenticating this way must set the Kerberos (KRB) connection parameter to SSPI.
When Kerberos=SSPI is specified in the connection string, a Kerberos login is attempted.
The following procedure assumes you have already set up Kerberos authentication. See Setting up Kerberos authentication.
To connect using SSPI
Start the SQL Anywhere server with the -krb option to enable Kerberos authentication.
dbeng11 -krb -n my_server_princ C:\kerberos.db |
Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to set this option.
SET OPTION PUBLIC.login_mode = 'Kerberos'; |
Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions.
CREATE USER kerberos_user IDENTIFIED BY abc123; |
Create a mapping from the client's Kerberos principal to an existing database user ID by executing a GRANT KERBEROS LOGIN TO statement. This statement requires DBA authority.
GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" AS USER "kerberos-user"; |
Connect to the database from the client computer.
dbisql -c "KERBEROS=SSPI;ENG=my_server_princ" |
A connection attempt using the following Interactive SQL statement will also succeed, providing the user has logged on with a user profile name that matches a Kerberos login mapping in a default database of a server:
CONNECT USING 'KERBEROS=SSPI'; |
Send feedback about this page via email or DocCommentXchange | Copyright © 2008, iAnywhere Solutions, Inc. - SQL Anywhere 11.0.0 |