Dealing with Kerberos lifetime while using JDBC driver for SQL server

Kent010341 231 Reputation points
2023-01-22T11:21:48.9166667+00:00

Hi, I'm using the JDBC driver for SQL server to make a Kerberos authentication to connect to the SQL server (following this document).

My questions are:

  1. If I add userName and password to the connection string, does the JDBC driver handle the initialization of Kerberos TGT (ticket-granting ticket)?
  2. If the assumption above is right, what will happen if the TGT initialized by the driver expired? Is the TGT lifetime also handled by the driver? (automatically renew or re-initialize?)

I think that this is an issue of a connection pool, I have to know how to deal with the lifetime of Kerberos TGT since the connections in the pool will be reused several times.

Thanks.


3 answers

  1. Seeya Xi-MSFT 16,571 Reputation points
    2023-01-23T03:13:26+00:00

    Hi Kent010341,

    Every ticket has a lifetime, which is determined by the policies of the Kerberos realm that generates the ticket.

    The features of Kerberos authentication are:

    • Mutual authentication. The client can validate the identity of the server principal, and the server can validate the client. Throughout this documentation, the two entities are called the "client" and the "server" even though secure network connections can be made between servers.
    • Secure authentication tickets. Only encrypted tickets are used, and passwords are never included in the ticket.
    • Integrated authentication. Once a user is logged on, he does not need to log on again to access any service that supports Kerberos authentication as long as the client ticket has not expired. Every ticket has a lifetime, which is determined by the policies of the Kerberos realm that generates the ticket.

    Please refer to this blog: FAQs Around Kerberos and SQL Server

    When a TGT expires Windows automatically tries to renew it which is limited by Maximum lifetime for user ticket renewal.

    Best regards,

    Seeya




  2. Seeya Xi-MSFT 16,571 Reputation points
    2023-01-24T09:07:32.1833333+00:00

    Hi Kent010341,

    "But if I'm using the JDBC driver for SQL server running with a Java application on a Linux OS, will the TGT also be renewed automatically? And what will happen if the limitation of renewal is exceeded?"

    Kerberos logins operate with a “ticket” that has a finite expiry time (24 hours) and a finite renewal time (7 days). The presence of a valid ticket is used to give you access to your files. If your ticket expires, you will need to renew it. If your ticket exceeds the renewal limit, you will need to initialize a new ticket. For details about how Kerberos functions, read this:

    https://cat.pdx.edu/platforms/linux/user-environment/kerberos/whatis/

    In addition, please refer to this link: Kerberos connection using principal name, password, and realm

    When userName and password are set along with integratedSecurity=true; and the authenticationScheme=JavaKerberos; property, the connection is established with a value of userName as the Kerberos Principal along with the password supplied.

    Best regards,

    Seeya


  3. Kent010341 231 Reputation points
    2023-02-08T03:14:15.6766667+00:00

    I've run some experiments on this question, and this is my conclusion:

    • If the userName and password are provided in the connection string, the JDBC driver for SQL server will try to initialize a new TGT whenever it's about to expire.
    • If using kinit to manually initialize a TGT, the JDBC driver for SQL server won't be able to initialize a new TGT after the TGT expires, and the connection will disconnect.

    Therefore, in order to make sure the TGT lifetime won't affect the application, providing userName and password is needed.

    Experiments detail: https://hackmd.io/@kent010341/ryS6TTiFs

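The configuration the answers describe (integratedSecurity=true, authenticationScheme=JavaKerberos, userName and password supplied so the driver obtains its own TGT rather than depending on a kinit ticket cache), combined with a validity check before a pooled connection is reused, as an added example; it is not code from the thread or from the driver project. Host, database, principal and realm are placeholders, and it assumes a krb5.conf reachable by the JVM on Linux.

```java
import java.sql.Connection;
import java.sql.SQLException;
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

public class KerberosJdbcPoolExample {

    // Data source configured as in the thread: the driver logs in with the supplied
    // principal and password and can obtain a fresh TGT itself when the old one expires.
    static SQLServerDataSource kerberosDataSource(String host, String database,
                                                  String principal, String password) {
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName(host);            // placeholder, e.g. "sql01.example.internal"
        ds.setPortNumber(1433);
        ds.setDatabaseName(database);
        ds.setIntegratedSecurity(true);
        ds.setAuthenticationScheme("JavaKerberos");
        ds.setUser(principal);             // placeholder, e.g. "svc-app@EXAMPLE.COM"
        ds.setPassword(password);          // load from a secret store, never hard-code
        return ds;
    }

    // Before handing a pooled connection back to a caller, confirm it still works.
    // A connection dropped after a kinit-issued TGT expired fails isValid(), is closed,
    // and is replaced by a fresh login through the data source.
    static Connection validateOrReplace(Connection pooled, SQLServerDataSource ds)
            throws SQLException {
        try {
            if (pooled != null && pooled.isValid(5)) {
                return pooled;
            }
        } catch (SQLException ignored) {
            // treat any error during validation as "dead"
        }
        if (pooled != null) {
            try { pooled.close(); } catch (SQLException ignored) { }
        }
        return ds.getConnection();
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: krb5.conf location for the JVM; adjust to your environment.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        SQLServerDataSource ds = kerberosDataSource("sql01.example.internal", "appdb",
                "svc-app@EXAMPLE.COM", System.getenv("SVC_APP_PASSWORD"));
        Connection conn = validateOrReplace(null, ds);   // first checkout: new login
        conn = validateOrReplace(conn, ds);              // later reuse: validated
        conn.close();
    }
}
```

Most pool libraries expose an equivalent validation hook (a test-on-borrow or connection test query); the point is that reuse after TGT expiry must be detected and the connection re-established rather than assumed valid.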
