Enabling Kerberos Authentication for SQL Server in Applications Manager
I. How to implement Kerberos Authentication for Applications Manager's MS SQL Back-End Database?
1. Stop Applications Manager service. Open Applications Manager's home directory in the command prompt and run the below commands one by one:
For Windows installation:
- shutdownApplicationsManager.bat
- shutdownApplicationsManager.bat -force
For Linux installation:
- shutdownApplicationsManager.bat
- shutdownApplicationsManager.bat -force
2. Go to <AppManager_HOME>\working\conf directory and and take a backup of the database_params.conf file.
3. Go to <AppManager_HOME>\working\conf\MSSQL\KerberosAuth\MicrosoftJDBC directory and copy the database_params.conf to <APM_HOME>\working\conf directory.
4. Open the database_params.conf file from <AppManager_HOME>\working\conf directory and update the Kerberos protocol enabled SQL server credentials: host name (FQDN),Port, instance name in JDBC url.
5. To use keyTab file for kerberos authentication
i) Create a keyTab file in SQL Server installed machine using the steps mentioned at the bottom of this page.
ii) Copy the created keyTab file to Applications Manager machine (Preferably to this location: <AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/)
iii) Open <AppManager_HOME>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver\login.conf file:
a. Update the keyTab file location and SQL Server's principal name(SPN).
b. login.conf file entries should be as below for authenticating via keyTab file.
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false
doNotPrompt=true
useKeyTab=true
keyTab="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5.keytab"
principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM"
storeKey=false
debug=false;
};
6. To use ticketCache for kerberos authentication:
i) Run kinit program for the user account to which kerberos is enabled using the steps mentioned at the bottom of the page. By default, the ticket cache file will be created in the location {user.home}{file.separator}krb5cc_{user.name}
ii) Copy the created ticket cache file to Applications Manager machine (Preferably to this location: <AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/)
iii) Open <AppManager_Home>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver\login.conf file:
a. Update the ticket cache file location and SQL Server's principal name(SPN).
b. login.conf file entries should be as below for authenticating via ticketCache:
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
ticketCache="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5cc_kerberosuser"
doNotPrompt=true
useKeyTab=false
principal="kerbuser@XYZ.COM"
storeKey=false
debug=false;
};
7. To connect via password, update the correct username and password in the database_params.conf file.
a) Refer to this link to update the username & password.
b) login.conf file entries should be as below for authenticating via password:
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false
doNotPrompt=false
useKeyTab=false
principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM"
storeKey=false
debug=true;
};
8. Open <AppManager_Home>\working\jre\lib\security\java.security file and check line number 141
#login.config.url.1=file:${user.home}/.java.login.config
Add the below entry after this line:
login.config.url.1=file:<AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
For example:
login.config.url.1=file:C:/Users/kerbuser.MSSQLKERBEROS/Desktop/kerberos/AppManager14/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
For more details, click this link.
9. Open <AppManager_Home>\working\conf\KerberosConfigurations\krb5.ini file and update the domain details. Refer to the attached the sample files.
10. Now start Applications Manager and check kerberos authentication using below query in the respective SQL server. The auth_scheme should be returned as "KERBEROS".
- SELECT b.session_id,b.login_name, a.auth_scheme, b.host_name,program_name from sys.dm_exec_connections as a join sys.dm_exec_sessions as b on a.session_id = b.session_id order by program_name,host_name
(or)
- Use MSSQLDebug.bat to check kerberos connection.
To revert back from kerberos authentication replace the database_params.conf file with the backup file in <AppManager_Home>\working\conf directory and restart Applications Manager.
II. How to implement Kerberos Authentication for MS SQL Monitors?
1. Follow steps 5,6,7,8,9 mentioned in the above section. Because monitors refers the same configuration files for kerberos connection. Restart required if you change anything on java.security file (Step 7)
2. For mssql monitors to use kerberos authentication we have provided a new option 'Enable Kerberos Authentication' in add monitor page.
3. Fully Qualified Domain Name should be entered for hostname should be entered. (For example : mssql-kerberos-dc1.mssqlkerberos.com)
4. If you configured the monitors to use ticketCache or keyTab then password can be passed empty for this case.
5. Add the monitor and check for the below print in stdout file
MSSQL DataCollection : KERBEROS Authentication => Going to connect with MSSQL using microsoft JDBC driver (KERBEROS) for resource id
How to create a keytab file?
- ktpass -princ MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM -mapuser
- kerbuser@XYZ.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass xxxxxxx -out C:\Users\kerberosuser\krb5.keytab
How to create a ticket to use Ticket Cache for Kerberos Authentication?
For more details, click here.
New to ADSelfService Plus?
Related Articles
How to enable Kerberos Authentication for Applications Manager's MS SQL backend database?
Follow the steps given below to enable Kerberos authentication for MS SQL backend database: 1. Stop Applications Manager service. Open Applications Manager Home directory in command prompt and run the below commands one by one. For ...Authentication Methods in Applications Manager
Authentication involves validating an incoming user to facilitate the access to a specific resource. There are various authentication methods that you can use - based on the requirements and usage. In recent times, numerous organizations are ...Troubleshooting Server Authentication Failures in Applications Manager
If you encounter authentication failures in server monitors in Applications Manager, refer and choose the links from the below list to troubleshoot the issue. You can choose the troubleshooting steps based on the type of authentication failure. ...Issues while installing or starting Applications Manager with Microsoft SQL Server backend database
Problem: Unable to install or start Applications Manager using Microsoft SQL Server database as backend. Solution: Follow the below troubleshooting steps to resolve the issue: 1. On the Microsoft SQL server host, go to Start -> All Programs -> ...How do I migrate the MS SQL DB used by Applications Manager to another MS SQL server?
Follow the steps given below to migrate MS SQL database of Applications Manager to another MS SQL server: 1. Shutdown Applications Manager completely before the database migration. a. Stop Applications Manager service. b. Shutdown Applications ...