Use SSPI for Kerberos logins on Windows

In a Windows domain, SSPI can be used on Windows-based computers without a Kerberos client installed on the client computer. Windows domain accounts already have associated Kerberos principals.

To connect using SSPI
  1. Set up Kerberos authentication. See Set up Kerberos authentication.

  2. Start the SQL Anywhere server with the -krb option to enable Kerberos authentication. For example:

    dbeng11 -krb -n my_server_princ C:\kerberos.db
  3. Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to set this option. For example:

    SET OPTION PUBLIC.login_mode = 'Kerberos';
  4. Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions. For example:

    CREATE USER kerberos_user
    IDENTIFIED BY abc123;
  5. Create a mapping from the client's Kerberos principal to an existing database user ID by executing a GRANT KERBEROS LOGIN TO statement. This statement requires DBA authority. For example:

    GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" 
    AS USER "kerberos-user";
  6. Connect to the database from the client computer. For example:

    dbisql -c "KERBEROS=SSPI;ENG=my_server_princ"

    When Kerberos=SSPI is specified in the connection string, a Kerberos login is attempted.

    A connection attempt using the following Interactive SQL statement will also succeed, providing the user has logged on with a user profile name that matches a Kerberos login mapping in a default database of a server:

    CONNECT USING 'KERBEROS=SSPI';