Configure SQL Anywhere to use Kerberos

 To configure a SQL Anywhere database to use Kerberos
  1. Set up Kerberos authentication on the SQL Anywhere database. See Set up Kerberos authentication.

  2. Start the SQL Anywhere server with the -krb or -kr option to enable Kerberos authentication, or use the -kl option to specify the location of the GSS-API library and enable Kerberos.

  3. Change the public or temporary public option login_mode to a value that includes Kerberos. You must have DBA authority to change the setting of this option. The login_mode database option determines whether Kerberos logins are allowed. As database options apply only to the database in which they are found, different databases can have a different Kerberos login setting, even if they are loaded and running on the same server. For example:

    SET OPTION PUBLIC.login_mode = 'Kerberos,Standard';

    The login_mode database option accepts one or more of the following values:

    • Standard   Standard logins are permitted. This value is the default. Standard connection logins must supply both a user ID and password, and do not use the Integrated or Kerberos connection parameters.

    • Integrated   Integrated logins are permitted.

    • Kerberos   Kerberos logins are permitted.

    Caution

    Setting the login_mode database option to Kerberos restricts connections to only those users who have been granted a Kerberos login mapping. Attempting to connect using a user ID and password generates an error unless you are a user with DBA authority.

  4. Create a database user ID for the client. You can use an existing database user ID for the Kerberos login, as long as that user has the correct permissions. For example:

    CREATE USER "kerberos-user"
    IDENTIFIED BY abc123;
  5. Execute a GRANT KERBEROS LOGIN TO statement to create a mapping from the client's Kerberos principal to an existing database user ID. This statement requires DBA authority. For example:

    GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" 
    AS USER "kerberos-user";

    If you want to connect when a Kerberos principal is used that does not have a mapping, ensure the Guest database user ID exists and has a password. See Creating a default integrated login user.

  6. Ensure the client user has already logged on (has a valid Kerberos ticket-granting ticket) using their Kerberos principal and that the client's Kerberos ticket has not expired. A Windows user logged in to a domain account already has a ticket-granting ticket, which allows them to authenticate to servers, providing their principal has enough permissions.

    A ticket-granting ticket is a Kerberos ticket encrypted with the user's password that is used by the Ticket Granting Service to verify the user's identity.

  7. Connect from the client, specifying the KERBEROS connection parameter (Often KERBEROS=YES, but KERBEROS=SSPI or KERBEROS=GSS-API-library-file can also be used). If the user ID or password connection parameters are specified, they are ignored. For example:

    dbisql -c "KERBEROS=YES;Server=my_server_princ"
 Interactive SQL example
 See also