1

I am trying to connect to SQL Server by using a keytab and it throws the error below:

com.microsoft.sqlserver.jdbc.SQLServerException: Cannot login with Kerberos principal DOMAIN\User, check your credentials. Kerberos Login failed: Integrated authentication failed. ClientConnectionId:6f436f49-b0bf-441e-bab3-e6af86ac8361 due to javax.security.auth.login.LoginException (Cannot get any of properties: [password, PASSWORD] from con properties not available to garner authentication information from the user)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:108)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:399)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4049)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3157)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:82)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3121)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7151)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2478)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2026)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1687)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1528)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:866)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:569)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at com.adventnet.appmanager.server.mssql.datacollection.MSSQLKerberosAuthenticationTest.main(MSSQLKerberosAuthenticationTest.java:47)
Caused by: javax.security.auth.login.LoginException: Cannot get any of properties: [password, PASSWORD] from con properties not available to garner authentication information from the user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:87)
    ... 15 more

When I try with a password, it connects successfully.

String home = System.getProperty("user.dir");
String filePath = home + File.separator + "conf" + File.separator + "KerberosConfigurations" + File.separator + "MSSQL";// NO I18N
System.setProperty("java.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", filePath+File.separator+"login.conf");
System.setProperty("java.security.krb5.conf", filePath+File.separator+"krb5.ini");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
String connectionUrl = "jdbc:sqlserver://"+hostName+":"+port+";databaseName=master;sendStringParametersAsUnicode=true;applicationName=test;"; //NO I18N
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
Properties dbConProp = new Properties();
dbConProp.put("integratedSecurity", "true");
dbConProp.put("authenticationScheme", "JavaKerberos");
dbConProp.put("instanceName",instanceName);
dbConProp.put("user",user);
//dbConProp.put("password",pwd);
con = DriverManager.getConnection(connectionUrl,dbConProp);

Is the password in the connection properties mandatory for a Kerberos connection? Is a keytab alone not sufficient?

Thom A
Anna
    If you are using Kerberos, you don't supply the Username or Password; the connection uses the credentials of the already authenticated Windows Account the application is running as. – Thom A Jul 11 '19 at 09:54

1 Answer

2

The client needs to be authenticated to the domain first, e.g. on Linux and macOS using MIT Kerberos, you can use the kinit command to get a Kerberos ticket.

Once granted you can then authenticate to Sql via that ticket without supplying anything else.

[Update]

If your host and target are both on a Windows domain and they're on the same domain, then you should already be good to go.

That said, Sql will only allow you to authenticate using Kerberos if the service account that is running the engine has privileges to create a Service Principal Name (or a user with appropriate rights has created a SPN with the setSPN command).

You can tell if Sql's been able to register the SPN by looking at the Sql Error Log for text like

The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/MySqlServerHostName:1433 ] for the SQL Server service

There's a lot more to Kerberos than can be covered in just a StackOverflow answer.

Rachel Ambler
  • Thanks for replying. Can you please tell me when keytab will be supplied? I mean these configurations System.setProperty("java.security.krb5.debug", "true"); System.setProperty("java.security.auth.login.config", filePath+File.separator+"login.conf"); System.setProperty("java.security.krb5.conf", filePath+File.separator+"krb5.ini"); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); – Anna Jul 11 '19 at 13:40
  • You didn't specify an OS, so here's something I found for Windows: https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/ – Rachel Ambler Jul 11 '19 at 13:43
  • Thank you for that. Yes, it is Windows. But my doubt is, just by throwing kinit and without using a keytab, can we connect to SQL Server? – Anna Jul 11 '19 at 13:51
  • Yes, if your keytab is generated correctly. The page I gave you has full instructions to generate the keytab – Rachel Ambler Jul 11 '19 at 13:53
  • Thanks for responding. My question is, without using a keytab, can we connect to SQL Server just by throwing the kinit command? – Anna Jul 12 '19 at 05:50
  • Yes - That was my original answer. This all said, if both servers are on the same domain then you don't need to worry about it anyway. – Rachel Ambler Jul 12 '19 at 09:32
  • Thanks Rachel. Can you check this post and input your thoughts. https://stackoverflow.com/questions/57051842/spn-not-available-in-the-keytab-file – Anna Jul 16 '19 at 07:18
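
A way to check, outside the JDBC driver, whether a keytab alone yields a Kerberos ticket, using the same Krb5LoginModule that appears in the stack trace in the question. This is an added example, not code from the original posts; the principal and keytab path are passed as arguments, and the class name KeytabLoginCheck and context name KeytabCheck are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLoginCheck {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: KeytabLoginCheck <principal> <keytab-path>");
            System.exit(2);
        }
        // The Krb5LoginModule options a keytab-based login.conf entry would carry.
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", args[1]);         // path to the keytab (assumption: supplied by caller)
        opts.put("principal", args[0]);      // e.g. user@EXAMPLE.COM (constructed placeholder)
        opts.put("doNotPrompt", "true");     // fail instead of falling back to a password prompt
        opts.put("useTicketCache", "false"); // test the keytab only, ignore any kinit cache
        opts.put("debug", "true");           // print the module's own diagnostics

        // In-memory JAAS configuration, so no login.conf file is needed for the check.
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
        try {
            // No CallbackHandler: with doNotPrompt=true the module must succeed from the keytab.
            LoginContext lc = new LoginContext("KeytabCheck", new Subject(), null, jaas);
            lc.login();
            for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("TGT for " + t.getClient() + " valid until " + t.getEndTime());
            }
            lc.logout();
        } catch (LoginException e) {
            System.err.println("Keytab login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with -Djava.security.krb5.conf pointing at the same krb5.ini the application uses. A keytab holds the account's long-term keys, so restrict read access to it the same way you would protect the password.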