Saturday, May 25, 2013

11 Microsoft JDBC Driver 4.0 for SQL Server support cross realm Kerberos authentication !! really?

I am not going to discuss how to configure Kerberos authentication for SQL Server here. It is too big of topic and you can find out plenty of resource online. However, I do like to share my experience for working with JDBC drivers for cross realm Kerberos authentication here .

Assuming you have configure your domain controller, KDC, SPN for SQL server properly.

MSFT provided 2 ways for intergrade security in this release of JDBC driver.

  • sqljdbc_auth.dll, –> As you can guess from the name, this would only works on windows platform. You can vote through the Microsoft Connect (Link here), if you like to get it fixed. Base on the current voting, I think there is a little hope it ever get implemented.
  • Java Generic Security Service (JGSS) : From 4.0, JDBC can support pure java Kerberos authentication.


Few things need to be pay attention when use the JGSS.

  • authenticationScheme=JavaKerberos,
  • integratedSecurity=true
  • serverName must set to use FQDN , for example:
  • The SQL Server is not necessary to use default port, Name instance and custom port number is supported

Even, we have set up everything properly but the cross realm still does not work. What went wrong?

What book on line does not tell you is the krb5.conf ‘s default realm must be the same realm as SQL server .

What ?  Ya, it is by design …

So when JDBC send the SPN to the KDC to get the tkt, it would append the krb5.conf’s default realm as part of search parameter. If the default realm is not the SQL server realm, for example, the Linux realm should not be the same realm as windows, the KDC would return the message that it can not find the server in the database.

Is it a bug? I think so. At least, it should not claim the JDBC support Kerberos authentication in cross realm


Base on product team, this behavior is actually by design and not consider as a bug.

Once I changed the default realm to the windows realm in krb5.conf. Kerberos connectivity works fine. But is this really a solution? NO, it is just a hack .

I am really hoping they can fix this soon…




  1. I have read your blog its very attractive and impressive. I like it your blog.

    Java Training in Chennai Core Java Training in Chennai Core Java Training in Chennai

    Java Online Training Java Training in Chennai Core Java 8 Training in Chennai Core Java 8 Training in Chennai JavaEE Training in Chennai Java EE Training in Chennai

  2. Java Online Training Java Online Training Java Online Training Java Online Training Java Online Training Java Online Training

    Hibernate Online Training Hibernate Online Training Spring Online Training Spring Online Training Spring Batch Training Online Spring Batch Training Online

  3. I really impressed after read this because of some quality work and informative thoughts. I just wanna say thanks for the writer and wish you all the best for coming!. eCommerce Service Providers

  4. I think this is the best article today. Thanks for taking your own time to discuss this topic, I feel happy about that curiosity has increased to learn more about this topic. Keep sharing your information regularly for my future reference.
    Java Courses in chennai



SQL Panda Copyright © 2011 - |- Template created by O Pregador - |- Powered by Blogger Templates