How to enable Kerberos Authentication for Applications Manager's MS SQL backend database?

How to enable Kerberos Authentication for Applications Manager's MS SQL backend database?

Follow the steps given below to enable Kerberos authentication for MS SQL backend database:

1. Stop Applications Manager service. Open Applications Manager Home directory in command prompt and run the below commands one by one.

            For Windows installation,

            shutdownApplicationsManager.bat
            shutdownApplicationsManager.bat -force

            For Linux installation,

            shutdownApplicationsManager.bat
            shutdownApplicationsManager.bat -force

2. Go to <Applications Manager Home>\working\conf directory and take a backup of database_params.conf file.

3.Go to <Applications Manager Home>\working\conf\MSSQL\KerberosAuth\MicrosoftJDBC directory,  copy database_params.conf file and paste it under <Applications Manager Home>\working\conf directory.

4.Open database_params.conf file from <Applications Manager Home>\working\conf directory and update the Kerberos protocol enabled SQL server credentials such as host name (FQDN), Port, instance name in JDBC URL.

5.To use keyTab file for Kerberos authentication, 

            i) Create keytab file in SQL Server installed machine using the steps mentioned at the bottom of the page.

            ii) Copy the created keyTab file to Applications Manager machine (Preferably under <Applications Manager Home>/working/conf/KerberosConfigurations/MSSQL/ directory)

            iii) Open login.conf file under <Applications Manager Home>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver directory and update keytab file location and SQL Server's Principal Name (SPN). The login.conf file entries should be as below for authenticating via keyTab:

SQLJDBCDriver {

                com.sun.security.auth.module.Krb5LoginModule required

                useTicketCache=false

                doNotPrompt=true

                useKeyTab=true

                keyTab="C://Users//kerberosuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5.keytab"

                principal="MSSQLSvc/mssql-kerberos-dc1.mssqlkerberos.com:1433@MSSQLKERBEROS.COM"

                storeKey=false

                debug=false;

};

6. To use ticketCache for Kerberos authentication,

            i) Run kinit program for the user account to which Kerberos is enabled using the steps mentioned at the bottom of the page. By default, ticket  cache file will be created in the location {user.home}{file.separator}krb5cc_{user.name}

            ii) Copy the created ticket cache file to Applications Manager machine (Preferably under <Applications Manager Home>/working/conf/KerberosConfigurations/MSSQL/ directory)

            iii) Open login.conf file under <Applications Manager Home>\working\conf\KerberosConfigurations\MSSQL\MicrosoftJDBCDriver directory and update ticket cache file location and SQL Server's Principal Name (SPN). The login.conf file entries should be as below for authenticating via ticketCache:

SQLJDBCDriver {

            com.sun.security.auth.module.Krb5LoginModule required 

            useTicketCache=true 

            ticketCache="C://Users//kerberosuser.MSSQLKERBEROS//Desktop//kerberos//AppManager14//working//conf//KerberosConfigurations//MSSQL//krb5cc_kerberosuser"

            doNotPrompt=true 

            useKeyTab=false 

            principal="kerberosuser@MSSQLKERBEROS.COM

            storeKey=false

            debug=false;

};
     
7. To connect via password, update the correct user name and password in the database_params.conf file.  

            a) To update the user name & password, refer the following link.

             b) The login.conf file entries should be as below for authenticating via password:

 SQLJDBCDriver {

            com.sun.security.auth.module.Krb5LoginModule required

            useTicketCache=false

            doNotPrompt=false

            useKeyTab=false

            principal="MSSQLSvc/mssql-kerberos-dc1.mssqlkerberos.com:1433@MSSQLKERBEROS.COM"

            storeKey=false

            debug=true;

 };

8. Open java.security file under <Applications Manager Home>\working\jre\lib\security directory and check for the line (line 141)

                 #login.config.url.1=file:${user.home}/.java.login.config

                 Add the below entry after this line,

              login.config.url.1=file:<Applications Manager Home>/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf

      Example:
login.config.url.1=file:C:/Users/kerberosuser.MSSQLKERBEROS/Desktop/kerberos/AppManager14/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/login.conf
9. Opekrb5.ini file under <Applications Manager Home>\working\conf\KerberosConfigurations directory and update the domain details. Refer to the attached sample files at the bottom.

10. Now start Applications Manager and check Kerberos authentication using below query in the respective SQL server (auth_scheme should be returned as "KERBEROS") :

SELECT b.session_id,b.login_name, a.auth_scheme, b.host_name,program_name FROM sys.dm_exec_connections AS a JOIN sys.dm_exec_sessions AS b ON a.session_id = b.session_id ORDER BY program_name,host_name

            [ OR ]

      Use MSSQLDebug.bat to check Kerberos connection.
To revert back from Kerberos authentication, replace the database_params.conf file with the backup file in <Applications Manager Home>\working\conf directory and restart Applications Manager.


How to create a keytab file?

Open the command prompt and execute the following command to create a keyTab file:
ktpass -princ MSSQLSvc/mssql-kerberos-dc1.mssqlkerberos.com:1433@MSSQLKERBEROS.COM -mapuser kerberosuser@MSSQLKERBEROS.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Password!23 -out C:\Users\kerberosuser\krb5.keytab




How to create a ticket to use Ticket Cache for Kerberos Authentication?

ticket