Saturday, May 25, 2013

Microsoft JDBC Driver 4.0 for SQL Server supports cross-realm Kerberos authentication!! Really?

I am not going to discuss how to configure Kerberos authentication for SQL Server here. It is too big a topic, and you can find plenty of resources online. However, I would like to share my experience working with JDBC drivers for cross-realm Kerberos authentication.

This assumes you have configured your domain controller, KDC, and the SPN for SQL Server properly.

Microsoft provides two ways to use integrated security in this release of the JDBC driver.

  • sqljdbc_auth.dll: as you can guess from the name, this only works on the Windows platform. You can vote through Microsoft Connect (Link here) if you would like to get it fixed. Based on the current voting, I think there is little hope it will ever get implemented.
  • Java Generic Security Service (JGSS): from 4.0, the JDBC driver supports pure Java Kerberos authentication.


A few things need attention when using JGSS:

  • authenticationScheme=JavaKerberos
  • integratedSecurity=true
  • serverName must be set to the FQDN, for example:
  • SQL Server does not have to use the default port; named instances and custom port numbers are supported

Even with everything set up properly, cross-realm authentication still does not work. What went wrong?

What Books Online does not tell you is that the default realm in krb5.conf must be the same realm as the SQL Server's.

What? Ya, it is by design…

When the JDBC driver sends the SPN to the KDC to get the ticket, it appends the default realm from krb5.conf as part of the search parameter. If the default realm is not the SQL Server realm (for example, the Linux realm should not be the same realm as the Windows one), the KDC returns a message that it cannot find the server in the database.

Is it a bug? I think so. At the least, it should not claim that the JDBC driver supports Kerberos authentication across realms.


According to the product team, this behavior is actually by design and is not considered a bug.

Once I changed the default realm to the Windows realm in krb5.conf, Kerberos connectivity worked fine. But is this really a solution? No, it is just a hack.

I am really hoping they can fix this soon…
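A preflight check for the connection settings and the default-realm constraint described above, as an added example that is not part of the original post or of the driver. `parse_krb5`, `server_realm` and `preflight` are hypothetical helper names, the hosts and realms are constructed, and where krb5.conf has no `[domain_realm]` entry for the server its realm is assumed to be the upper-cased DNS domain.

```python
# Constructed sample: Linux client realm LINUX.EXAMPLE.COM, SQL Server in WIN.EXAMPLE.COM.
SAMPLE_KRB5 = """
[libdefaults]
  default_realm = LINUX.EXAMPLE.COM
[domain_realm]
  .win.example.com = WIN.EXAMPLE.COM
"""
SAMPLE_URL = ("jdbc:sqlserver://sql01.win.example.com:1433;"
              "integratedSecurity=true;authenticationScheme=JavaKerberos")

def parse_krb5(text):
    """Return (default_realm, {host_or_.domain: REALM}) from krb5.conf text."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return default_realm, domain_realm

def server_realm(host, domain_realm):
    """Exact host entry first, then the longest matching '.domain' entry."""
    host = host.lower()
    matches = [d for d in domain_realm if host == d or (d.startswith(".") and host.endswith(d))]
    if matches:
        return domain_realm[max(matches, key=len)]
    return host.partition(".")[2].upper()  # assumption: realm = upper-cased DNS domain

def preflight(jdbc_url, krb5_text):
    """Return a list of problems; an empty list means the settings line up."""
    head, *props = jdbc_url[len("jdbc:sqlserver://"):].split(";")
    opts = {k.lower(): v for k, v in (p.split("=", 1) for p in props if "=" in p)}
    host = opts.get("servername") or head.replace("\\", ":").split(":")[0]  # drop \instance, :port
    problems = []
    for key, want in (("authenticationScheme", "JavaKerberos"), ("integratedSecurity", "true")):
        if opts.get(key.lower(), "").lower() != want.lower():
            problems.append(f"{key} must be {want}")
    if "." not in host:
        return problems + ["serverName must be an FQDN"]
    default_realm, domain_realm = parse_krb5(krb5_text)
    realm = server_realm(host, domain_realm)
    if default_realm != realm:
        problems.append(f"default_realm {default_realm} is not the SQL Server realm {realm}")
    return problems
```

Calling `preflight(SAMPLE_URL, SAMPLE_KRB5)` reports the realm mismatch that makes the KDC lookup fail; with `default_realm` changed to the Windows realm the list is empty.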




