SQL Server Kerberos authentication from a Linux client

  • Hi All,

    I have a need to establish a SQL Server Kerberos authentication from a RedHat Linux application server. In my case, at the time a customer builds this Linux application server, I do not know what type of database servers a user will be connecting to nor do I know what datacenter or domain these database servers reside in.

    Today, I can establish a SQL Server Windows authentication using NTLM or NTLMv2 against any SQL Server in any domain. What I would like to do is to establish a Kerberos authentication against any number of servers in any domains.

    My questions, and hopefully someone has experience with this: can I make a SQL Server Kerberos authentication on my Linux box without needing to be a member of every domain whose servers I need to connect to for Kerberos? Most likely the database servers I will be connecting to are scattered across different datacenters and in many different domains.

    Would having the Kerberos server info (KDC, REALM, encryption type) be enough for me for a JDBC connection? I would ask the user for (hostname, port, domain name, domain user and password) to get enough information to get a Kerberos ticket and make a connection?

    If you have done this before or have any references that can help, I would very much appreciate it.

    Regards,

    Louis Lam.

  • NOTE - I am not an LDAP expert, but the following is my understanding of how the authentication chain works.

    I think this was answered previously and my answer was that you should be able to if you create a trust between all of your LDAP domains.  Otherwise, I am not aware of any method to do this.

    The problem is that in order to authenticate, you need the machine to be trusted, and it becomes trusted by joining the domain.  A computer, as far as I know, can only be a member of 1 domain at a time.  If the LDAP server doesn't trust the computer, it won't trust the credentials and thus will fail to authenticate unless the credentials are in the computer's cache.

    Now, as I am just a random guy on the internet, my advice to you would be to test it.  You have the servers, so give it a shot and see what happens.  Does it let you authenticate from the JDBC connection if you give the domain information?  My expectation is that it won't UNLESS there is a trust between the domains, but I may not be correct on this.  It has been a long time since I dealt with anything LDAP related and things may have changed since I first started with LDAP, but when I was doing some LDAP stuff, we needed to create trusts in the forest before domain B would allow authentication from a computer joined to domain A.

    The above is all just my opinion on what you should do.
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.

  • Thank you Brian. Based on my experience with SQL Server Kerberos setup for Windows OS, I agree with your comment as well.  We have also done this with a MongoDB setup where we can actually get Kerberos authentication against the MIT Kerberos server or Windows AD.  We actually have to do a kinit to get the ticket and then can connect.  I was hoping something like that might work for SQL Server without having my Linux client be part of every possible domain.

    We are going to reach out to Microsoft and pay for a consultation to get their official support.
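The "kinit, then connect" flow mentioned in the post above, written out as an added example that is not from the thread or from Microsoft: a minimal MIT Kerberos client configuration for a Linux box that is not joined to any domain, and the JDBC URL shape the Microsoft JDBC driver uses for Kerberos (its `integratedSecurity=true;authenticationScheme=JavaKerberos` and `serverSpn` properties). All realm, KDC and host names are constructed placeholders. The example assumes the user principal's realm and the SQL Server's realm are either the same or linked by a cross-realm trust, which is the same caveat raised earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Realm, KDC and host names below are
# constructed placeholders for illustration.

# Write a krb5.conf for the Linux client. The client needs no domain membership:
# it only needs to know the user's realm, a KDC for that realm, and which realm
# the SQL Server's DNS domain belongs to. KDCs for the server realm are located
# through DNS SRV records (dns_lookup_kdc = true).
# $1 = output path, $2 = user realm, $3 = KDC host for the user realm,
# $4 = SQL Server DNS domain (lowercase), $5 = SQL Server realm
write_krb5_conf() {
  cat > "$1" <<EOF
[libdefaults]
    default_realm = $2
    dns_lookup_kdc = true
    rdns = false

[realms]
    $2 = {
        kdc = $3
    }

[domain_realm]
    .$4 = $5
    $4 = $5
EOF
}

# Build the JDBC URL. integratedSecurity=true with authenticationScheme=JavaKerberos
# makes the driver take the ticket from the credential cache that kinit filled,
# instead of falling back to NTLM. serverSpn pins the expected service principal
# (MSSQLSvc/host:port@REALM) so a ticket is requested for the right service.
# $1 = SQL Server FQDN, $2 = port, $3 = database, $4 = SQL Server realm
jdbc_kerberos_url() {
  printf 'jdbc:sqlserver://%s:%s;databaseName=%s;integratedSecurity=true;authenticationScheme=JavaKerberos;serverSpn=MSSQLSvc/%s:%s@%s;encrypt=true' \
    "$1" "$2" "$3" "$1" "$2" "$4"
}

# Exit status 0 only if the credential cache holds a valid, unexpired TGT
# (klist -s is silent and reports via exit status). Run this before the
# application opens its JDBC connection.
has_tgt() {
  klist -s 2>/dev/null
}
```

Typical use, in order: `write_krb5_conf /etc/krb5.conf CORP.EXAMPLE.COM kdc.corp.example.com dc2.example.com DC2.EXAMPLE.COM`, then `kinit louis@CORP.EXAMPLE.COM` (or `kinit -kt app.keytab svc_app@CORP.EXAMPLE.COM` for an unattended service), confirm with `has_tgt`, and start the Java application with `-Djava.security.krb5.conf=/etc/krb5.conf` and the URL from `jdbc_kerberos_url sql01.dc2.example.com 1433 AppDb DC2.EXAMPLE.COM`. After a successful connection, `klist` should show a second ticket for `MSSQLSvc/sql01.dc2.example.com:1433@DC2.EXAMPLE.COM`; if only the TGT is present, the driver fell back to another scheme or the cross-realm path failed, which is the first thing to check against the KDC logs.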
