I am not going to discuss how to configure Kerberos authentication for SQL Server here. It is too big a topic, and you can find plenty of resources online. However, I would like to share my experience working with the JDBC driver for cross-realm Kerberos authentication.
Assuming you have configured your domain controller, KDC, and the SPN for SQL Server properly.
MSFT provides two ways to do integrated security in this release of the JDBC driver:
- sqljdbc_auth.dll: As you can guess from the name, this only works on the Windows platform. You can vote on Microsoft Connect (link here) if you would like to get this fixed. Based on the current voting, I think there is little hope it ever gets implemented.
- Java Generic Security Service (JGSS): From 4.0, the JDBC driver supports pure Java Kerberos authentication.
A few things need attention when using JGSS:
- serverName must be set to the FQDN, for example: Host1.domain.com
- The SQL Server does not need to use the default port; named instances and custom port numbers are supported.
Even after we have set up everything properly, cross-realm still does not work. What went wrong?
What Books Online does not tell you is that the krb5.conf's default realm must be the same realm as the SQL Server.
What? Ya, it is by design…
So when JDBC sends the SPN to the KDC to get the ticket, it appends the krb5.conf's default realm as part of the search parameter. If the default realm is not the SQL Server realm (for example, the Linux realm should not be the same realm as the Windows one), the KDC returns a message that it cannot find the server in the database.
Is it a bug? I think so. At least, it should not be claimed that JDBC supports Kerberos authentication across realms.
According to the product team, this behavior is actually by design and not considered a bug.
Once I changed the default realm to the Windows realm in krb5.conf, Kerberos connectivity worked fine. But is this really a solution? No, it is just a hack.
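As an added example, not code from the original post or from the driver: a small pre-flight check that parses a krb5.conf (a constructed sample is embedded), derives the MSSQLSvc SPN the driver will ask for, and flags the mismatch described above between default_realm and the realm the SQL Server host maps to, so the "hack" of swapping default_realm can be seen for what it is before a connection is attempted. The [domain_realm] section, the sample realm names, and the upper-cased DNS domain fallback are assumptions of this check, not behaviour documented by the driver.

```python
import re

def parse_krb5(text):
    """Return {section: {key: value}} for a flat krb5.conf (no nested braces)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def realm_for_host(host, conf):
    """Realm the client maps this host to: exact entry or longest '.suffix' in [domain_realm].
    Fallback (an assumption of this check): the upper-cased DNS domain of the host."""
    host, match = host.lower(), None
    for suffix, realm in conf.get("domain_realm", {}).items():
        s = suffix.lower()
        hit = host.endswith(s) if s.startswith(".") else host == s
        if hit and (match is None or len(s) > len(match[0])):
            match = (s, realm)
    return match[1] if match else host.split(".", 1)[1].upper()

def check_cross_realm(server_name, port, conf_text):
    """Return (spn, default_realm, server_realm, ok); ok is False in the failure mode
    described above, where default_realm is appended to the SPN lookup instead of
    the realm the SQL Server host actually belongs to."""
    if "." not in server_name:
        raise ValueError("serverName must be an FQDN, e.g. Host1.domain.com")
    conf = parse_krb5(conf_text)
    default_realm = conf.get("libdefaults", {}).get("default_realm", "")
    server_realm = realm_for_host(server_name, conf)
    spn = f"MSSQLSvc/{server_name.lower()}:{port}"   # SPN shape the driver requests
    return spn, default_realm, server_realm, default_realm == server_realm

# Constructed sample: the Linux client's realm is the default, SQL Server lives in
# the Windows realm. Swapping default_realm to WINDOWS.DOMAIN.COM is the "hack".
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = LINUX.EXAMPLE.COM
[domain_realm]
  .domain.com = WINDOWS.DOMAIN.COM
  domain.com = WINDOWS.DOMAIN.COM
"""
```

Running `check_cross_realm("Host1.domain.com", 1433, SAMPLE_KRB5_CONF)` reports the mismatch; the same call with default_realm set to WINDOWS.DOMAIN.COM reports ok, which is exactly the workaround above.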
I am really hoping they can fix this soon…