Secure Communication Using Kerberos

Kerberos network-based authentication is a single sign-on feature: a Kerberos client that has authenticated with the Kerberos system can connect to any application that supports Kerberos authentication. Because a single, centrally stored password is used, you need not supply a password to connect to an application that supports Kerberos.

Kerberos version 5, the version supported by SAP ASE, also provides credential delegation (also called ticket forwarding), which allows a Kerberos client to delegate its credential when connecting to a server; the server can then initiate Kerberos authentication for further connections to other servers on behalf of the Kerberos client.

The credential delegation feature is currently certified only with MIT Kerberos GSSAPI libraries version 4.x and later. Clients must obtain a delegatable (forwardable) credential from the Kerberos system (using the kinit -f option on UNIX systems) before connecting to SAP ASE.
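A quick pre-connection check, added here as an example and not part of the SAP ASE documentation: it inspects MIT `klist -f` output and confirms that the ticket-granting ticket carries the uppercase F (forwardable) flag that `kinit -f` requests. The principal, realm and cache path are placeholders, and the two klist outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: verify that the TGT in a credential cache is forwardable
# before relying on credential delegation to SAP ASE. MIT `klist -f` prints a
# "Flags:" line under each ticket; F marks a forwardable ticket.

# Constructed sample of `klist -f` after `kinit -f alice@EXAMPLE.COM`.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA'

# Constructed sample of the same ticket obtained with plain `kinit` (no -f).
KLIST_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'

# tgt_flags <klist_output> <realm>: print the flag string of the
# krbtgt/REALM@REALM entry, or nothing if no TGT for that realm is listed.
tgt_flags() {
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '
        $NF == tgt { want = 1; next }              # ticket line of the TGT
        want && $1 == "Flags:" { print $2; exit }  # flags line directly below
        { want = 0 }'
}

# tgt_is_forwardable <klist_output> <realm>: succeed only if the TGT flags
# contain uppercase F (forwardable); lowercase f means merely forwarded.
tgt_is_forwardable() {
    case "$(tgt_flags "$1" "$2")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Against a live cache, pass "$(klist -f)" instead of the constructed sample.
if tgt_is_forwardable "$KLIST_FORWARDABLE" EXAMPLE.COM; then
    echo "TGT is forwardable: credential delegation to SAP ASE can proceed"
else
    echo "TGT is not forwardable: rerun kinit -f before connecting" >&2
fi
```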

A Kerberos client connected to SAP ASE can use the Kerberos credential delegation feature for Remote Procedure Call (RPC) requests to SAP ASE and for general distributed query processing requests to a remote Adaptive Server through CIS. Kerberos authentication is not supported for site-handler-based remote server connections.

To use Kerberos unified login, a System Security Officer can use the following command to enable the Kerberos security mechanism for CIS connections to a remote SAP ASE:

    sp_serveroption [server, optname, optvalue]

For example, the following command, executed on local server S1, enables Kerberos authentication for connections to remote server S2 when the currently logged-in user was authenticated using the Kerberos mechanism:

    sp_serveroption s2, "security mechanism", csfkrb5