Set up Kerberos authentication on the SQL Anywhere database. See Set up Kerberos authentication.
Start the SQL Anywhere server with the -krb or -kr option to enable Kerberos authentication, or use the -kl option to specify the location of the GSS-API library and enable Kerberos.
Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to change the setting of this option. The login_mode database option determines whether Kerberos logins are allowed. As database options apply only to the database in which they are found, different databases can have a different Kerberos login setting, even if they are loaded and running on the same server. For example:
SET OPTION PUBLIC.login_mode = 'Kerberos,Standard'; |
The login_mode database option accepts one or more of the following values:
Standard Standard logins are permitted. This value is the default. Standard connection logins must supply both a user ID and password, and do not use the Integrated or Kerberos connection parameters.
Integrated Integrated logins are permitted.
Kerberos Kerberos logins are permitted.
Setting the login_mode database option to Kerberos restricts connections to only those users who have been granted a Kerberos login mapping. Attempting to connect using a user ID and password generates an error unless you are a user with DBA authority.
Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions. For example:
CREATE USER "kerberos-user" IDENTIFIED BY abc123; |
Execute a GRANT KERBEROS LOGIN TO statement to create a mapping from the client's Kerberos principal to an existing database user ID. This statement requires DBA authority. For example:
GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" AS USER "kerberos-user"; |
If you want to connect when a Kerberos principal is used that does not have a mapping, ensure the Guest database user ID exists and has a password. See Creating a default integrated login user.
Ensure the client user has already logged on (has a valid Kerberos ticket-granting ticket) using their Kerberos principal and that the client's Kerberos ticket has not expired. A Windows user logged in to a domain account already has a ticket-granting ticket, which allows them to authenticate to servers, providing their principal has enough permissions.
A ticket-granting ticket is a Kerberos ticket encrypted with the user's password that is used by the Ticket Granting Service to verify the user's identity.
Connect from the client, specifying the KERBEROS connection parameter (Often KERBEROS=YES, but KERBEROS=SSPI or KERBEROS=GSS-API-library-file can also be used). If the user ID or password connection parameters are specified, they are ignored. For example:
dbisql -c "KERBEROS=YES;ENG=my_server_princ" |
For example, a connection attempt using the following Interactive SQL statement is successful if the user logs in with a user profile name that matches a Kerberos login mapping in a default database of a server:
CONNECT USING 'KERBEROS=YES'; |
The Interactive SQL statement CONNECT can connect to a database if all the following are true:
A server is currently running.
The default database on the current server is enabled to accept Kerberos authenticated connections.
A Kerberos login mapping has been created for the user's current Kerberos principal.
If the user is prompted with a window by the server for more connection information (such as occurs when using Interactive SQL), the user clicks OK without providing more information.
| Discuss this page in DocCommentXchange. Send feedback about this page using email. |
Copyright © 2009, iAnywhere Solutions, Inc. - SQL Anywhere 11.0.1 |