I have some doubts regarding generating a keytab file for SQL Server Kerberos authentication.

SQL server's SPN is:

```
MSSQLSvc/myhost:1433@MYDOMAIN.COM
```

I have created the keytab file as:

```
ktpass -out "C:\Users\myuser\KerberosConf\MSSQL\myappserver.keytab" -princ MSSQLSvc/myhost:1433@MYDOMAIN.COM -mapUser mydomain\myuser -pass Test@123 -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
```

When viewing the keytab it shows the correct SPN as:

```
[1] Service principal: MSSQLSvc/myhost:1433@MYDOMAIN.COM KVNO: 18
```

But when referencing the keytab file for authentication it throws the error below:

```
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab refreshKrb5Config is false principal is MSSQLSvc/myhost:1433@MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false Key for the principal MSSQLSvc/myhost:1433@MYDOMAIN.COM not available in C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab

[Krb5LoginModule] authentication failed Unable to obtain password from user

javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
```

Please kindly help me to resolve this.

Anna
  • The SPN is used by **SQL SERVER**, not by clients. Clients typically have a UPN (user principal name). First they get a TGT (ticket-granting ticket) as proof of identity - what you get when opening a Windows session. Then, for each service that they want to reach (`ldap` for AD, `HTTP` for intranet sites, `MSSQLSvc` for Skull Server...) on each specific host, they obtain a service ticket, and present it to the service to get access. – Samson Scharfrichter Jul 22 '19 at 14:33
  • Yelling "it's urgent, can't take the time to read the docs" is not a rational approach when you are dealing with complex security issues. – Samson Scharfrichter Jul 22 '19 at 14:34
  • Apologies. Thanks for your response. I can understand about UPN and SPN. But this was given in documents to connect SQL using keytab. So I am not sure what I am missing in my code. Do I need to mention UPN anywhere in my code to get TGT ? – Anna Jul 23 '19 at 05:31
  • That's confusing. From your PC, your session credentials should be sufficient (Single Sign-On) -- keytabs are used only for batch jobs that need to authenticate on-the-fly at startup. Or for middleware services that transmit end user credentials, and must renew their own credentials every few days. Not knowing what you want to do it's difficult to help. – Samson Scharfrichter Jul 23 '19 at 06:35
  • I am trying to authenticate to my SQL server using a keytab file from my application. If a keytab file is used we don't need to pass the password over the network. So I followed the above steps by referring to some documents and still no luck. – Anna Jul 23 '19 at 06:57
  • Is that a Windows app that runs under an AD service account (SSO should work), or a Linux app (request an AD service account w/ a Kerberos principal and a keytab) ? In both cases, grant some privs to that account in SQL Server. Java has some specific tweaks required, but you did not mention the language/connector you use. – Samson Scharfrichter Jul 23 '19 at 12:00
  • Thank you again for your response. I am using mssql-jdbc-7.0.0.jre8.jar and my application is running on Windows OS, which uses an AD service account. – Anna Jul 23 '19 at 13:37
  • Have a look at https://stackoverflow.com/a/42506620/5162372 >> `javax.security.auth.useSubjectCredsOnly` is critical, and the params for `java.security.debug` are helpful for debugging JAAS config parsing – Samson Scharfrichter Jul 23 '19 at 16:18
  • Thanks a lot. I will try your last feedback. My only doubt is how and where I should create the keytab file for SQL Server authentication. Sharing a correct syntax would help me, and also whether the keytab should be created where SQL Server is running, etc. PS: I can't add a comment on any other posts since I have less than 50 reputation. – Anna Jul 24 '19 at 05:58
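The error in the question ("Key for the principal ... not available in ...") is raised when the JAAS login module finds no entry in the keytab whose principal name matches exactly and whose encryption type it is allowed to use, and the comment thread above leaves open which of those two conditions fails here. The script below is an added example, not code from the question, from the comments, or from Java or Microsoft's tooling: it parses a keytab in the MIT/Heimdal file format (version 0x0502), lists every entry with its principal, KVNO and enctype, and then runs a lookup that mirrors that two-step check. The enctype numbers are the standard RFC 3961/3962 assignments; the sample keytab is constructed in memory with dummy key bytes, reusing only the SPN and KVNO 18 that appear on the page, so it runs offline and can be pointed at a real `.keytab` file instead.

```python
"""Parse a keytab file and check whether a usable key exists for a principal."""
import struct
import sys

# Standard Kerberos enctype numbers (RFC 3961/3962, RFC 4757); not from the page.
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name type written by "ktpass -pType KRB5_NT_PRINCIPAL"


def _counted_string(buf, off):
    """Read a uint16 length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return a list of dicts, one per live entry, from keytab bytes (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)   # negative size = deleted slot
        off += 4
        body = data[off: off + abs(size)]
        off += abs(size)
        if size <= 0:
            continue
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted_string(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_string(body, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", body, p)
        p += 4 + klen
        # A 32-bit kvno follows the key only if four bytes remain in the entry.
        kvno = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else 0
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno or vno8, "enctype": enctype, "key_len": klen,
        })
    return entries


def build_entry(principal, name_type, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry (used here only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(specs):
    return b"\x05\x02" + b"".join(build_entry(*spec) for spec in specs)


def diagnose(entries, principal, accepted_enctypes):
    """Exact (case-sensitive) principal match first, then an acceptable enctype."""
    matches = [e for e in entries if e["principal"] == principal]
    if not matches:
        near = sorted({e["principal"] for e in entries
                       if e["principal"].lower() == principal.lower()})
        return ("no-principal", "closest (case differs): %s" % (", ".join(near) or "none"))
    usable = [e for e in matches if e["enctype"] in accepted_enctypes]
    if not usable:
        have = ", ".join(ENCTYPES.get(e["enctype"], str(e["enctype"])) for e in matches)
        return ("no-enctype", "entry present with enctype(s): %s" % have)
    best = usable[0]
    return ("ok", "kvno %d, enctype %s" % (best["kvno"], ENCTYPES.get(best["enctype"], str(best["enctype"]))))


# Constructed sample: the page's SPN and KVNO with dummy key bytes, plus a user key.
SAMPLE_KEYTAB = build_keytab([
    ("MSSQLSvc/myhost:1433@MYDOMAIN.COM", KRB5_NT_PRINCIPAL, 18, 18, b"\x11" * 32),
    ("MSSQLSvc/myhost:1433@MYDOMAIN.COM", KRB5_NT_PRINCIPAL, 18, 23, b"\x22" * 16),
    ("myuser@MYDOMAIN.COM", KRB5_NT_PRINCIPAL, 3, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print("%-40s kvno=%-3d %s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    print(diagnose(found, "MSSQLSvc/myhost:1433@MYDOMAIN.COM", {17, 18}))
```

Run it with a path to a real keytab to see exactly what the file contains; the `diagnose` call takes the principal string from the JAAS configuration and the set of enctypes the client is configured to accept, so a result of `no-principal` points at a name or realm mismatch (the lookup is case-sensitive, and `ktpass` writes the principal exactly as typed), while `no-enctype` points at a key type the client side does not have enabled.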
