Enabling Kerberos Authentication for SQL Server in Applications Manager

Enabling Kerberos Authentication for SQL Server in Applications Manager

Step ❶ :  Register & Verify the SPN

An SPN (Service Principal Name) links your SQL Server service to your chosen account.

Where to Run

Run the following commands on the Domain Controller using a Command Prompt as Administrator.

Verify Existing SPN

setspn -L YOURDOMAIN\AccountName

Add SPN (If Missing)

setspn -A MSSQLSvc/yourhost.domain.com:1433 YOURDOMAIN\AccountName
Note:
  • Replace yourhost.domain.com with the actual SQL Server FQDN
  • Replace AccountName with the account running the SQL Server service

Step ❷ :  Generate & Verify the Keytab File

A Keytab file allows Applications Manager to authenticate automatically with SQL Server.

2.1 Generate the Keytab File

Where to Run

Log in to the Domain Controller using a Domain Administrator account.

Choose one of the options below based on your SQL Server configuration.

Use this if SQL Server runs under a dedicated service account (e.g., sql_service).

ktpass -out C:\ms_sql.keytab ^
-mapuser YOUR_SERVICE_ACCOUNT@YOURDOMAIN.COM ^
-princ MSSQLSvc/SQL_SERVER_FQDN:1433@YOURDOMAIN.COM ^
-pass ACCOUNT_PASSWORD ^
-ptype KRB5_NT_PRINCIPAL ^
-crypto AES256-SHA1 ^
-mapOp set

Option B: SQL Server Uses the Administrator Account

Use this if SQL Server runs under the default Administrator account.

ktpass -out C:\ms_sql.keytab ^
-mapuser Administrator@YOURDOMAIN.COM ^
-princ MSSQLSvc/SQL_SERVER_FQDN:1433@YOURDOMAIN.COM ^
-pass ADMIN_PASSWORD ^
-ptype KRB5_NT_PRINCIPAL ^
-crypto AES256-SHA1 ^
-mapOp set
Note:
  • Replace YOURDOMAIN.COM with the actual domain name in UPPERCASE
  • Replace SQL_SERVER_FQDN with the full hostname of the SQL Server
  • Replace ACCOUNT_PASSWORD with the Active Directory password of the account

Example:

sql01.yourdomain.com

2.2 Move the Keytab File to Applications Manager

The command above creates the file: C:\ms_sql.keytab

Copy the File To

<APM_HOME>\working\conf\KerberosConfigurations\MSSQL\

2.3 Verify the Keytab File

Where to Run

Run this on the server where Applications Manager is installed.

cd <APM_HOME>\working\jre\bin\

Verify Authentication

kinit.exe -k -t ..\..\conf\KerberosConfigurations\MSSQL\ms_sql.keytab YOUR_PRINCIPAL_NAME@YOURDOMAIN.COM

Use the same principal name specified after -princ during ktpass.

Expected Result

Result Meaning
No error Verification successful
Preauthentication failed Incorrect password used while generating keytab

If authentication fails:

  1. Delete the existing keytab
  2. Regenerate it using the correct account and password

Step ❸ :  Configure the login.conf File

3.1 Locate the File

Navigate to:

<APM_HOME>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver\

3.2 Edit login.conf

Open the file using Notepad or any text editor. Choose one of the following configurations.

SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/working/conf/KerberosConfigurations/MSSQL/ms_sql.keytab"
  principal="YOUR_PRINCIPAL_NAME@YOURDOMAIN.COM"
  doNotPrompt=true
  storeKey=false
  useTicketCache=false
  debug=false;
};

Option B: Using Ticket Cache

Generate Ticket Cache

Run the following command on the Applications Manager server:

kinit -c <APM_HOME>\working\conf\KerberosConfigurations\MSSQL\krb5cc_user YourUser@YOURDOMAIN.COM

Enter the domain password when prompted.

Warning: Kerberos tickets expire based on Active Directory policy. Regenerate the ticket before expiry.

Update login.conf

SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  ticketCache="/working/conf/KerberosConfigurations/MSSQL/krb5cc_user"
  principal="YourUser@YOURDOMAIN.COM"
  doNotPrompt=true
  useKeyTab=false
  debug=false;
};

Important Rules

Path Format

Use forward slashes (/) in file paths.

Correct:

C:/AppManager/working/conf/

Case Sensitivity

The domain name must be uppercase.

Correct:

@YOURDOMAIN.COM

3.3 Register login.conf

Open:

<APM_HOME>\working\jre\lib\security\java.security

Find:

#login.config.url.1=file:${user.home}/.java.login.config

Add the following line below it:

login.config.url.1=file:/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf

Step ❹ :  Configure apmKrb5.conf

Navigate to:

<APM_HOME>\working\conf\KerberosConfigurations\

Create a file named:

apmKrb5.conf
Important: The K in Krb5 must be uppercase.

Option A: Single Domain Setup

Use this when Applications Manager and SQL Server belong to the same domain.

[libdefaults]
  default_realm = YOURDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 1

[realms]
  YOURDOMAIN.COM = {
    kdc = dc-hostname.yourdomain.com
    admin_server = dc-hostname.yourdomain.com
    default_domain = yourdomain.com
  }

[domain_realm]
  .yourdomain.com = YOURDOMAIN.COM
  yourdomain.com = YOURDOMAIN.COM

Option B: Cross-Domain / Trust Setup

Use this when Applications Manager and SQL Server belong to different trusted domains.

[libdefaults]
  default_realm = APM-DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 1

[realms]
  SQL-DOMAIN.COM = {
    kdc = sql-dc.sql-domain.com
    admin_server = sql-dc.sql-domain.com
  }

  APM-DOMAIN.COM = {
    kdc = apm-dc.apm-domain.com
    admin_server = apm-dc.apm-domain.com
  }

[domain_realm]
  .sql-domain.com = SQL-DOMAIN.COM
  .apm-domain.com = APM-DOMAIN.COM

[capaths]
  APM-DOMAIN.COM = {
    SQL-DOMAIN.COM = .
  }

  SQL-DOMAIN.COM = {
    APM-DOMAIN.COM = .
  }

Step ❺ :  Activate Kerberos for the Back-End Database

5.1 Stop Applications Manager

Windows

cd <APM_HOME>

shutdownApplicationsManager.bat
shutdownApplicationsManager.bat -force

Linux

cd <APM_HOME>

sh shutdownApplicationsManager.sh
sh shutdownApplicationsManager.sh -force

5.2 Backup & Replace Configuration

Navigate to:

<APM_HOME>\working\conf\

Backup Existing File

Rename: database_params.conf

To: database_params.conf.bak

Copy Kerberos Template

Copy:

<APM_HOME>\working\conf\MSSQL\KerberosAuth\MicrosoftJDBC\database_params.conf

Paste into:

<APM_HOME>\working\conf\

5.3 Update Connection Details

Edit the new database_params.conf and update:

Parameter Description
SQL_SERVER_FQDN SQL Server FQDN
PORT SQL Server port
DATABASE NAME Database name

5.4 Start & Verify

Start Applications Manager.

Once the web console is accessible, log in to Applications Manager and navigate to:

Settings → Tools → Support → Database Summary

Now execute the following SQL query:

SELECT
  b.session_id,
  b.login_name,
  a.auth_scheme,
  b.host_name,
  program_name
FROM sys.dm_exec_connections AS a
JOIN sys.dm_exec_sessions AS b
  ON a.session_id = b.session_id
ORDER BY program_name, host_name;

You can also use the following script located under: APPMANAGER_HOME/bin/troubleshooting/

MSSQLDebug.bat

to verify Kerberos connectivity.

Reverting the Configuration (If Needed)

If Applications Manager fails to start or connect:

  1. Delete the modified database_params.conf
  2. Rename database_params.conf.bak back to database_params.conf
  3. Restart Applications Manager

This restores standard password-based authentication.




          New to M365 Manager Plus?
          New to M365 Manager Plus?
            New to RecoveryManager Plus?
            New to RecoveryManager Plus?
              New to Exchange Reporter Plus?
              New to Exchange Reporter Plus?
                New to SharePoint Manager Plus?
                New to SharePoint Manager Plus?
                  See all integrations
                  New to ADManager Plus?
                  See all integrations
                  New to ADManager Plus?

                    New to ADSelfService Plus?

                    Start your free trial
                    Start your free trial
                      Related Products