Kerberos authentication

The Kerberos login feature allows you to maintain a single user ID and password for database connections, operating system, and network logins. The Kerberos login is more convenient for users and permits a single security system for database and network security. Its advantages include:

  • The user does not need to provide a user ID or password to connect to the database.

  • Multiple users can be mapped to a single database user ID.

  • The name and password used to log in to Kerberos do not have to match the database user ID and password.

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography. Users already logged in to Kerberos can connect to a database without providing a user ID or password.

Kerberos can be used for authentication. To delegate authentication to Kerberos you must:

  • configure the server and database to use Kerberos logins

  • create mapping between the user ID that logs in to the computer or network, and the database user

Caution

There are important security implications to consider when using Kerberos logins as a single security solution. See Security concerns: Copied database files.

SQL Anywhere does not include the Kerberos software; it must be obtained separately. The following components are included with the Kerberos software:

  • Kerberos libraries   These are referred to as the Kerberos Client or GSS (Generic Security Services)-API runtime library. These Kerberos libraries implement the well-defined GSS-API. The libraries are required on each client and server computer that intends to use Kerberos. The built-in Windows SSPI interface can be used instead of a third-party Kerberos client library if you are using Active Directory as your KDC.

    SSPI can only be used by SQL Anywhere clients in the Kerberos connection parameter. SQL Anywhere database servers cannot use SSPI—they need a supported Kerberos client other than SSPI.

  • A Kerberos Key Distribution Center (KDC) server   The KDC functions as a storehouse for users and servers. It also verifies the identification of users and servers. The KDC is typically installed on a server computer not intended for applications or user logins.

SQL Anywhere supports Kerberos authentication from DBLib, ODBC, OLE DB, and ADO.NET clients, and Sybase Open Client and jConnect clients. Kerberos authentication can be used with SQL Anywhere transport layer security encryption, but SQL Anywhere does not support Kerberos encryption for network communications.

Windows uses Kerberos for Windows domains and domain accounts. Active Directory Windows Domain Controllers implement a Kerberos KDC. A third-party Kerberos client or runtime is still required on the database server computer for authentication in this environment, but the Windows client computers can use the built-in Windows SSPI interface instead of a third-party Kerberos client or runtime. See Use SSPI for Kerberos logins on Windows.


Kerberos clients
Set up Kerberos authentication
Configure SQL Anywhere to use Kerberos
Connect from a Sybase Open Client or jConnect application
Create Kerberos login mappings
Revoke Kerberos login permission
Use SSPI for Kerberos logins on Windows
Troubleshooting Kerberos connections
Security concerns: Setting temporary public options for added security
Security concerns: Copied database files