Hello, I am trying to connect to the SQL server via Kerberos authentication by following this document, and I have two questions about the requirement of Kerberos authentication.
The first question
In the step "Service principal names" I follow the document "Register a Service Principal Name for Kerberos Connections" mentioned in this step, which tells me what the necessary permissions are.
However, after setting up the permissions, the automatic SPN registration still failed.
The process I used to set up the permissions is:
- Create a user `mssql-startup` in the OU of my domain with Active Directory Users and Computers.
- Right-click the SQL Server computer and select Properties, select the Security tab, click Advanced, and click Add.
- Click "Select a principal" and enter the startup account `mssql-startup`, then click OK.
- Select "Validated write to service principal name", "Read servicePrincipalName" and "Write servicePrincipalName", then click OK.
- Click OK twice, and close Active Directory Users and Computers.
- On the SQL Server computer, open SQL Server Configuration Manager, right-click the SQL Server service, log in with the startup account, then click OK to make it restart. (Sorry that the language isn't English.)
- In the log of the SQL Server, it says that the SPN failed to register.
Is there any step wrong or missing?
The second question
The document also mentions that I can add a `userName` and `password` to the connection string to make a Kerberos connection.
That confuses me: what do I really need to make a Kerberos authentication?
Run `kinit` before the Kerberos authentication, specify configuration files, or add `userName` and `password` to the connection string?
Therefore, I tried these tests (Note: the SQL Server startup account is Administrator due to question 1):
It seems that in order to make a Kerberos connection, I only need to run `kinit` or specify `userName` and `password` in the connection string.
I know that not specifying the JAAS configuration file will make it use the default value,
and the default behavior of not specifying the Kerberos configuration file (krb5.conf) seems to point to the default krb5.conf (e.g., /etc/krb5.conf in RHEL 8).
However, when I run a Java application (I use Camunda for testing) deployed in a Docker container,
it seems like adding `userName` and `password` to the connection string (test case 7) is enough to make a Kerberos authentication, since there's no krb5.conf in the container.
Does that mean that if I specify `userName` (containing the realm) and `password` in the connection string, I don't need to do anything else for Kerberos authentication?
I'm just worried that it ran successfully by coincidence (something I don't know about has been set up properly).
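An added example, written for this page and not code from the original post, from Microsoft's documentation, or from Camunda: it builds the mssql-jdbc connection string for `authenticationScheme=JavaKerberos` either with `userName`/`password` (driver performs the Kerberos login itself) or without them (driver relies on an existing ticket cache, i.e. `kinit`), and after connecting asks SQL Server which authentication scheme the session actually negotiated via the `auth_scheme` column of `sys.dm_exec_connections`. That query is the direct check for "did it really use Kerberos, or did it just connect": a value of `NTLM` or `SQL` means the login succeeded but not over Kerberos. The host, database, principal and environment-variable names are placeholders for your environment.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: verify that a mssql-jdbc JavaKerberos connection really
 * negotiated Kerberos. Not part of the original post.
 *
 * Assumed placeholders (set as environment variables):
 *   SQLSERVER_HOST  FQDN of the SQL Server, e.g. sqlhost.example.com
 *                   (must match the MSSQLSvc/<fqdn>:<port> SPN)
 *   SQLSERVER_DB    database name, defaults to master
 *   KRB_PRINCIPAL   Kerberos principal incl. realm, e.g. svc-app@EXAMPLE.COM
 *                   (leave unset to rely on the kinit ticket cache instead)
 *   KRB_PASSWORD    password for KRB_PRINCIPAL, read from the environment
 * Requires mssql-jdbc on the classpath.
 */
public class KerberosAuthCheck {

    /** Builds the JDBC URL. With principal and password present the driver
     *  does the Kerberos login itself; otherwise it uses the ticket cache. */
    static String buildUrl(String host, String db, String principal, String password) {
        StringBuilder url = new StringBuilder();
        url.append("jdbc:sqlserver://").append(host).append(":1433")
           .append(";databaseName=").append(db)
           .append(";integratedSecurity=true")
           .append(";authenticationScheme=JavaKerberos")
           .append(";encrypt=true;trustServerCertificate=false");
        if (principal != null && password != null) {
            url.append(";userName=").append(principal)
               .append(";password=").append(password);
        }
        return url.toString();
    }

    /** Returns the auth_scheme SQL Server reports for the current session.
     *  Expected: "KERBEROS". "NTLM" or "SQL" means Kerberos was not used.
     *  Reading sys.dm_exec_connections may require VIEW SERVER STATE. */
    static String negotiatedScheme(Connection conn) throws SQLException {
        String sql = "SELECT auth_scheme FROM sys.dm_exec_connections "
                   + "WHERE session_id = @@SPID";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        String host = System.getenv("SQLSERVER_HOST");
        String db = System.getenv().getOrDefault("SQLSERVER_DB", "master");
        String principal = System.getenv("KRB_PRINCIPAL"); // null -> kinit cache
        String password = System.getenv("KRB_PASSWORD");

        String url = buildUrl(host, db, principal, password);
        try (Connection conn = DriverManager.getConnection(url)) {
            String scheme = negotiatedScheme(conn);
            System.out.println("auth_scheme = " + scheme);
            if (!"KERBEROS".equals(scheme)) {
                System.err.println("Connected, but not over Kerberos: "
                                 + "check the MSSQLSvc SPN and the ticket.");
                System.exit(1);
            }
        }
    }
}
```

Running the JVM with `-Dsun.security.krb5.debug=true` prints where the Kerberos runtime took its realm and KDC from (an explicit `-Djava.security.krb5.conf=...`, `/etc/krb5.conf`, or DNS lookups), which answers the "no krb5.conf in the container" part of the question for a given environment rather than by guesswork. For the SPN side, `setspn -L <account>` run on a domain-joined Windows host lists the SPNs currently registered on that account, so you can see whether the expected `MSSQLSvc/<fqdn>:1433` entry exists before trusting the connection.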