Enabling Kerberos Authentication for SQL Server in Applications Manager


I. How to implement Kerberos Authentication for Applications Manager's MS SQL Back-End Database?

1. Stop the Applications Manager service. Open the Applications Manager home directory in a command prompt and run the commands below one at a time:
For a Windows installation:
  1. shutdownApplicationsManager.bat
  2. shutdownApplicationsManager.bat -force
For a Linux installation:
  1. sh shutdownApplicationsManager.sh
  2. sh shutdownApplicationsManager.sh -force
2. Go to the <AppManager_HOME>\working\conf directory and take a backup of the database_params.conf file.
3. Go to the <AppManager_HOME>\working\conf\MSSQL\KerberosAuth\MicrosoftJDBC directory and copy its database_params.conf to the <AppManager_HOME>\working\conf directory.
4. Open the database_params.conf file in the <AppManager_HOME>\working\conf directory and update the JDBC URL with the details of the Kerberos-enabled SQL Server: host name (FQDN), port and instance name.
5. To use a keyTab file for Kerberos authentication:
            i) Create a keyTab file on the machine where SQL Server is installed, using the steps at the bottom of this page.
            ii) Copy the created keyTab file to the Applications Manager machine (preferably to <AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/).
            iii) Open the <AppManager_HOME>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver\login.conf file:
                  a. Update the keyTab file location and SQL Server's service principal name (SPN).
                  b. The login.conf entries for authenticating via keyTab file should be as below:
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5.keytab"
    principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM"
    storeKey=false
    debug=false;
};
6. To use a ticket cache for Kerberos authentication:
            i) Run the kinit program for the user account for which Kerberos is enabled, using the steps at the bottom of this page. By default, the ticket cache file is created at {user.home}{file.separator}krb5cc_{user.name}.
            ii) Copy the created ticket cache file to the Applications Manager machine (preferably to <AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/).
            iii) Open the <AppManager_Home>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver\login.conf file:
                  a. Update the ticket cache file location and SQL Server's service principal name (SPN).
                  b. The login.conf entries for authenticating via ticketCache should be as below:
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    ticketCache="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5cc_kerberosuser"
    doNotPrompt=true
    useKeyTab=false
    principal="kerbuser@XYZ.COM"
    storeKey=false
    debug=false;
};
7. To connect via password, update the correct username and password in the database_params.conf file.
            a) Refer to the linked documentation to update the username and password.
            b) The login.conf entries for authenticating via password should be as below:
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false
    doNotPrompt=false
    useKeyTab=false
    principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM"
    storeKey=false
    debug=true;
};
8. Open the <AppManager_Home>\working\jre\lib\security\java.security file and check line number 141:
#login.config.url.1=file:${user.home}/.java.login.config
Add the below entry after this line:
login.config.url.1=file:<AppManager_Home>/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
For example:
login.config.url.1=file:C:/Users/kerbuser.MSSQLKERBEROS/Desktop/kerberos/AppManager14/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
9. Open the <AppManager_Home>\working\conf\KerberosConfigurations\krb5.ini file and update the domain details. Refer to the attached sample files.
10. Now start Applications Manager and verify Kerberos authentication by running the query below on the respective SQL Server. The auth_scheme column should show "KERBEROS" for the Applications Manager sessions:
SELECT b.session_id, b.login_name, a.auth_scheme, b.host_name, b.program_name
FROM sys.dm_exec_connections AS a
JOIN sys.dm_exec_sessions AS b ON a.session_id = b.session_id
ORDER BY b.program_name, b.host_name;
         (or)
Use MSSQLDebug.bat to check the Kerberos connection.
To revert from Kerberos authentication, replace the database_params.conf file with the backup in the <AppManager_Home>\working\conf directory and restart Applications Manager.
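The three login.conf variants in steps 5 to 7 differ only in a handful of Krb5LoginModule options, and a mismatch (for example useKeyTab=true without a keyTab path, or doNotPrompt=true in password mode) fails silently in the driver. The script below is an added example, not part of this article or of Applications Manager: it parses JAAS entries of the form used above, classifies each SQLJDBCDriver entry as keytab, ticket-cache or password mode, flags option combinations that cannot work or that leak ticket details (debug=true), and checks that a java.security text has exactly one active login.config.url entry pointing at login.conf (step 8). The three sample entries are the article's own, embedded as strings; the java.security fragment is constructed and its C:/AppManager path is a placeholder.

```python
"""Consistency checks for the Kerberos JAAS configuration used with the
Microsoft JDBC driver (steps 5 to 8 above).

Added example, not part of the article or of Applications Manager. The three
SQLJDBCDriver entries are the article's samples embedded as strings; the
java.security fragment is constructed and its C:/AppManager path is a placeholder.
"""
import re
from typing import Dict, List, Tuple

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

# Samples copied from the article's three login.conf variants (options may share a line in JAAS).
KEYTAB_CONF = '''SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false doNotPrompt=true useKeyTab=true
  keyTab="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5.keytab"
  principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM" storeKey=false debug=false;
};'''

TICKETCACHE_CONF = '''SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  ticketCache="C://Users//kerbuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5cc_kerberosuser"
  doNotPrompt=true useKeyTab=false principal="kerbuser@XYZ.COM" storeKey=false debug=false;
};'''

PASSWORD_CONF = '''SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false doNotPrompt=false useKeyTab=false
  principal="MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM" storeKey=false debug=true;
};'''

# Constructed java.security fragment; the install path is a placeholder.
JAVA_SECURITY = '''# Default login configuration file
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:C:/AppManager/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
'''


def parse_login_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse JAAS entries 'Name { Module flag key=value ... ; };' into
    {name: {"module": ..., "flag": ..., option: value}}; quotes are stripped."""
    entries: Dict[str, Dict[str, str]] = {}
    for m in re.finditer(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S):
        name, body = m.group(1), m.group(2).replace(";", " ")
        tokens = re.findall(r'\S+?="[^"]*"|\S+', body)  # keep quoted values whole
        if len(tokens) < 2:
            continue
        opts = {"module": tokens[0], "flag": tokens[1]}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            opts[key] = value.strip('"')
        entries[name] = opts
    return entries


def check_entry(opts: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify an entry as keytab / ticketcache / password and list problems."""
    def on(key: str) -> bool:
        return opts.get(key, "false").lower() == "true"
    findings: List[str] = []
    if opts.get("module") != KRB5_MODULE:
        findings.append("login module is not Krb5LoginModule")
    if on("useKeyTab") and on("useTicketCache"):
        findings.append("useKeyTab and useTicketCache are both true; choose one credential source")
    if on("useKeyTab"):
        mode = "keytab"
        if not opts.get("keyTab"):
            findings.append("useKeyTab=true but no keyTab path is given")
        if not on("doNotPrompt"):
            findings.append("keytab mode should set doNotPrompt=true so a bad key fails instead of prompting")
    elif on("useTicketCache"):
        mode = "ticketcache"
        if not opts.get("ticketCache"):
            findings.append("useTicketCache=true without ticketCache; the JRE default cache location is used")
    else:
        mode = "password"
        if on("doNotPrompt"):
            findings.append("password mode with doNotPrompt=true cannot obtain a ticket")
    if not opts.get("principal"):
        findings.append("no principal is set")
    if on("debug"):
        findings.append("debug=true prints Kerberos ticket details to stdout; turn it off once the connection works")
    return mode, findings


def check_java_security(text: str) -> List[str]:
    """Verify that exactly one active (uncommented) login.config.url.N entry points to login.conf."""
    urls = [m.group(2) for line in text.splitlines()
            if (m := re.match(r"\s*login\.config\.url\.(\d+)\s*=\s*(\S+)", line))]
    if len(urls) != 1:
        return [f"expected one active login.config.url entry, found {len(urls)}"]
    findings: List[str] = []
    if not urls[0].startswith("file:"):
        findings.append("login.config.url must be a file: URL")
    if not urls[0].endswith("login.conf"):
        findings.append("login.config.url does not point at login.conf")
    return findings


if __name__ == "__main__":
    for label, conf in (("keytab", KEYTAB_CONF), ("ticketcache", TICKETCACHE_CONF), ("password", PASSWORD_CONF)):
        mode, findings = check_entry(parse_login_conf(conf)["SQLJDBCDriver"])
        print(f"{label} sample: detected mode={mode}, findings={findings or 'none'}")
    print("java.security:", check_java_security(JAVA_SECURITY) or "ok")
```

Run it against your own files by reading them into the strings instead of the embedded samples; the password sample above is reported only for debug=true, which the article's variant leaves on and which should be reverted once the connection is confirmed.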

II. How to implement Kerberos Authentication for MS SQL Monitors?
1. Follow steps 5, 6, 7, 8 and 9 of the section above, because the monitors use the same configuration files for the Kerberos connection. A restart is required if you change anything in the java.security file (step 8).
2. For MS SQL monitors to use Kerberos authentication, a new option 'Enable Kerberos Authentication' is provided in the Add Monitor page.
3. The Fully Qualified Domain Name should be entered as the host name (for example: mssql-kerberos-dc1.mssqlkerberos.com).
4. If the monitor is configured to use ticketCache or keyTab, the password can be left empty.
5. Add the monitor and check for the line below in the stdout file:
MSSQL DataCollection : KERBEROS Authentication => Going to connect with MSSQL using microsoft JDBC driver (KERBEROS) for resource id

How to create a keytab file?
Run the following as a single command on the SQL Server machine:
  ktpass -princ MSSQLSvc/mssql-kerb.xyz.com:1433@XYZ.COM -mapuser kerbuser@XYZ.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass xxxxxxx -out C:\Users\kerberosuser\krb5.keytab


How to create a ticket to use Ticket Cache for Kerberos Authentication?


