Windows Authentication on Microsoft SQL Server



Similar documents
Failover Support. DataDirect Connect for ODBC Drivers. Introduction. Connection Failover

Using the DataDirect Connect for JDBC Drivers with WebLogic 8.1

Integrated Authentication

Using the DataDirect Connect for JDBC Drivers with the Sun Java System Application Server

Using the DataDirect Connect for JDBC Drivers with Tomcat

Using DataDirect Connect for JDBC with Oracle Real Application Clusters (RAC)

Using Oracle Real Application Clusters (RAC)

Increasing Driver Performance

SequeLink Server for ODBC Socket

Accessing Oracle 11g from SAS on Linux Using DataDirect Connect for ODBC

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Why developers should use ODBC instead of native proprietary database interfaces

Achieving Database Interoperability Across Data Access APIs through SQL Up-leveling

> ACCESSING SQL SERVER FROM IBM COGNOS BI SERVER.

BUSINESS INTELLIGENCE ANALYTICS

PROGRESS DATADIRECT QA AND PERFORMANCE TESTING EXTENSIVE TESTING ENSURES DATA CONNECTIVITY THAT WORKS

StreamServe Persuasion SP5 StreamStudio

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

Oracle WebLogic Server

Active Directory and DirectControl

IBM Lotus Enterprise Integrator (LEI) for Domino. Version August 17, 2010

Configuring an Alternative Database for SAS Web Infrastructure Platform Services

Querying Databases Using the DB Query and JDBC Query Nodes

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

IBM Proventia Management SiteProtector. Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1

How-to: Single Sign-On

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

Diagnosis and Troubleshooting

What s New in AppliDis Fusion 4 Service Pack 1

Single Sign-on (SSO) technologies for the Domino Web Server

User Pass-Through Authentication in IBM Cognos 8 (SSO to data sources)

Release Bulletin EDI Products 5.2

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

IBM Business Process Manager Version IBM Business Process Manager for Microsoft SharePoint Add-On Installation Guide

Release Notes. IBM Tivoli Identity Manager Oracle Database Adapter. Version First Edition (December 7, 2007)

ACE Management Server Deployment Guide VMware ACE 2.0

Crystal Reports XI Release 1 for Windows

Oracle Business Intelligence Publisher. 1 Oracle Business Intelligence Publisher Certification. Certification Information 10g Release 3 (

TIBCO Spotfire Platform IT Brief

NTP Software File Auditor for Windows Edition

Entrust Managed Services PKI Administrator Guide

ITG Software Engineering

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

Database Configuration Guide

PaperClip32. Installation Guide. for Workgroup and Enterprise Editions. Document Revision 2.1 1

Parallels Plesk Panel

Matisse Installation Guide for MS Windows. 10th Edition

FileMaker 8. Installing FileMaker 8 ODBC and JDBC Client Drivers

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

IBM Security SiteProtector System Migration Utility Guide

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

IBM Security QRadar Version (MR1) Replacing the SSL Certificate Technical Note

OpenLane 5.3 supports a distributed architecture with either an Oracle 8i SQL database or a Sybase database. Refer to: Oracle Integration on page 2.

ODBC Driver User s Guide. Objectivity/SQL++ ODBC Driver User s Guide. Release 10.2

How To Connect A Java To A Microsoft Database To An Ibm.Com Database On A Microsq Server On A Blackberry (Windows) Computer (Windows 2000) On A Powerpoint (Windows 5) On An Ubio.Com

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Installing the BlackBerry Enterprise Server Management Software on an administrator or remote computer

Security Audit Log (BC-SEC)

PaperClip Audit System Installation Guide

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Single sign-on enabled OpenCms

Migration Guide Software, Database and Version Migration

PC-Duo Web Console Installation Guide

How to Resolve the POODLE Vulnerability in Native Connection to Oracle

Deploying Oracle Business Intelligence Publisher in J2EE Application Servers Release

IBM Security SiteProtector System Configuring Firewalls for SiteProtector Traffic

SpatialWare. Version for Microsoft SQL Server 2008 INSTALLATION GUIDE

CA Repository for Distributed. Systems r2.3. Benefits. Overview. The CA Advantage

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

1z0-102 Q&A. DEMO Version

IBM Tivoli Web Response Monitor

Crystal Reports Server Embedded 2008 with Service Pack 7 for Windows Supported Platforms

How to Configure Access Control for Exchange using PowerShell Cmdlets A Step-by-Step guide

HP Business Availability Center

Matisse Installation Guide for MS Windows

StreamServe Persuasion SP5 Control Center

Using EMC Documentum with Adobe LiveCycle ES

IBM Unica emessage Version 8 Release 6 February 13, Startup and Administrator's Guide

Security Provider Integration Kerberos Authentication

Sun ONE Identity Server Web Policy Agents Release Notes

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Integration with Active Directory

Millennium Drive. Installation Guide

Application Servers - BEA WebLogic. Installing the Application Server

CaliberRM / LDAP Integration. CaliberRM

New Features Guide. Adaptive Server Enterprise 15.7 SP50

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Operating System Installation Guide

FileMaker Server 14. FileMaker Server Help

Crystal Reports Installation Guide

Cloud Services ADM. Agent Deployment Guide

StreamServe Persuasion SP4

Single Sign-On for Kerberized Linux and UNIX Applications

Oracle WebLogic Server

Transcription:

Windows Authentication on Microsoft SQL Server Introduction Microsoft SQL Server offers two types of security authentication: SQL Server authentication and Windows authentication. SQL Server authentication authenticates the user to the database using a database user name and password. Windows authentication is also referred to as "Windows Integrated Security" or a "trusted connection" because it relies on the user being authenticated, or trusted, by the operating system. Windows authentication is the authentication mode recommended by Microsoft. Windows authentication takes advantage of Windows user security and account mechanisms. By allowing Microsoft SQL Server to share the user name and password used for Windows, users with a valid Windows account can log into Microsoft SQL Server without supplying a user name and password. In addition to a single login within a Windows domain, Windows authentication provides a more secure mechanism for logging into Microsoft SQL Server. Standard Windows security mechanisms also provide the added advantages of auditing, password aging, minimum password length, and account lockout after multiple invalid login requests. The DataDirect Connect for JDBC SQL Server driver is the only JDBC driver for Microsoft SQL Server that provides two methods for supporting Windows authentication, a Pure Java (Type 4) implementation and a Windows-specific (Type 2) implementation. The Windows-specific implementation requires minimal configuration to enable Windows authentication; however, it can only be used when the driver is running on a Windows platform. The Pure Java implementation is not restricted to Windows platforms, but requires configuration of your Kerberos environment. This document describes both types of Windows authentication methods supported by the DataDirect Connect for JDBC SQL Server driver and provides an overview of the configuration required to use each method. Finally, it describes the current limitations and future enhancements planned for this functionality. Choosing a Windows Authentication Mechanism The DataDirect Connect for JDBC SQL Server driver provides the following methods for supporting Windows authentication: Pure Java (Type 4) authentication supports connections in a Windows domain running Windows Active Directory. The DataDirect Connect for JDBC SQL Server driver is the only JDBC driver on the market that supports Windows authentication while remaining a pure Type 4 JDBC driver. DataDirect Technologies has a patent pending on this innovative technology. This authentication method supports Kerberos authentication, an authentication protocol that is an integral component of Windows Active Directory.

Windows-specific (Type 2) authentication requires that the DataDirect Connect for JDBC SQL Server driver be installed on a Windows client; however, it supports both NT LAN Manager (NTLM) and Kerberos authentication. The Pure Java authentication method is important to many Java developers because it eliminates the need to install database-specific client libraries or additional shared libraries. It requires J2SE 1.4 or higher and knowledge of how to configure Windows Active Directory and Kerberos to support this functionality. The Windows-specific method requires J2SE 1.2 or higher and requires minimal configuration. In addition, it can be used in both Windows Active Directory and NTLM domains. Configuring for Pure Java Windows Authentication Pure Java Windows authentication supports connections to Microsoft SQL Server 2000 and Microsoft SQL Server 2000 Enterprise Edition (64-bit) SP2 or higher in a Windows domain running Windows Active Directory. This authentication method supports Kerberos authentication, an authentication protocol that is an integral component of Windows Active Directory. Setting the AuthenticationMethod Property You set the DataDirect Connect for JDBC SQL Server driver's AuthenticationMethod connection property to control which authentication method is used by the driver. For example, the following connection URL specifies that Pure Java Windows authentication will be used for the connection if a user name is not specified: jdbc:datadirect:sqlserver://server1:1433;authenticationmethod=type4 Alternatively, you can configure the driver to automatically select the appropriate Windows authentication method to use for the connection based on a combination of criteria, such as whether the application provides a user ID, the driver is running on a Windows platform, and the driver can load the DLL required for Windows-specific Windows authentication. For example: jdbc:datadirect:sqlserver://server1:1433;authenticationmethod=auto For more information about setting the AuthenticationMethod connection property, refer to the DataDirect Connect for JDBC User's Guide and Reference. Configuring Your Kerberos Environment To use Pure Java Windows authentication with the DataDirect Connect for JDBC SQL Server driver, configuration is required on the Microsoft SQL Server database server, the domain controller, and the client machine as summarized in Table 1. DataDirect Connect for JDBC performs some of this configuration for you during installation. 2 OF 6 DATADIRECT TECHNOLOGIES O CTOBER 2005

Table 1: Configuring Your Kerberos Environment for Pure Java Windows Authentication Component Configuration Domain controller Make sure that the Active Directory encryption property is set to use DES encryption in the Microsoft SQL Server Service Startup Account. Microsoft SQL Server database server Make sure that a Service Principal Name (SPN) has been created for each Microsoft SQL Server instance to allow the Kerberos Key Distribution Center (KDC) to provide authentication to your Microsoft SQL Server database. Set the authentication mode to Windows Only or Mixed authentication. Configure the login properties of the user IDs and passwords used to log on the database server and for the Service Startup Account used to start the Microsoft SQL Server instance. Client Modify the Kerberos configuration file to reference your environment. A login configuration file is automatically installed and configured when you install DataDirect Connect for JDBC. For more information about configuring your environment for Pure Java Windows authentication, including detailed instructions for each of these configuration steps, refer to the DataDirect Connect for JDBC User's Guide and Reference. Configuring for Windows-Specific Authentication Windows-specific authentication requires that the DataDirect Connect for JDBC SQL Server driver be installed on a Windows client; however, it supports both NTLM and Kerberos authentication for Microsoft SQL Server 2000 SP3 or higher and Microsoft SQL Server 2000 Enterprise Edition (64-bit) SP2 or higher. Setting the AuthenticationMethod Property You set the DataDirect Connect for JDBC SQL Server driver's AuthenticationMethod connection property to control which authentication method is used by the driver. For example, the following connection URL specifies that Windows-specific Windows authentication will be used for the connection if a user name is not specified: jdbc:datadirect:sqlserver://server1:1433;authenticationmethod=type2 Alternatively, you can configure the driver to automatically select the appropriate Windows authentication method to use for the connection based on a combination of criteria, such as whether the application provides a user ID, the driver is running on a Windows platform, and the driver can load the DLL required for Windows-specific Windows authentication. For example: jdbc:datadirect:sqlserver://server1:1433;authenticationmethod=auto DATADIRECT TECHNOLOGIES O CTOBER 2005 3 OF 6

For more information about setting the AuthenticationMethod connection property, refer to the DataDirect Connect for JDBC User's Guide and Reference. Using the Windows-Specific Authentication DLL To use Windows-specific authentication with the DataDirect Connect for JDBC SQL Server driver, copy the appropriate Windows-specific authentication DLL to a directory on the Windows system path on the machine where you have installed the driver. DataDirect Connect for JDBC provides two Windows-specific authentication DLLs, a 32-bit and a 64- bit version. If the application using Windows-specific Windows authentication is running in a 32-bit Java Virtual Machine (JVM), the driver uses the 32-bit version of the DLL. Similarly, if the application is running in a 64-bit JVM, the driver uses the 64-bit version. Alternatively, you can set the java.libary.path system property to specify the directory of the Windows-specific authentication DLL. For example, if the DataDirect Connect for JDBC SQL Server driver is installed in a directory named "DataDirect," you can specify the location of the DLL by using the following Virtual Machine argument when the Java application is started: -Djava.library.path=C:\DataDirect\lib For more information about configuring your environment for Windows-specific authentication, refer to the DataDirect Connect for JDBC User's Guide and Reference. Using Windows Authentication with a Security Manager If the DataDirect Connect for JDBC SQL Server driver is used on a Java 2 Platform with a Security Manager, you must grant certain permissions to the DataDirect Connect for JDBC SQL Server driver in the security policy file of the Java 2 Platform. The security policy file is located in the jre/lib/security subdirectory of the Java 2 Platform installation directory. The permissions that must be granted depend on whether the driver is using Pure Java or Windows-specific Windows authentication. Pure Java Windows Authentication For Pure Java authentication, security permissions must be granted to the application and the driver. For example: grant codebase "file:/program Files/DataDirect/Connect for JDBC/lib/-" { permission javax.security.auth.authpermission "createlogincontext.ddtek-jdbc"; permission javax.security.auth.authpermission "doas"; permission javax.security.auth.kerberos.servicepermission "krbtgt/kerb_realm1@kerb_realm1", "initiate"; permission javax.security.auth.kerberos.servicepermission "MSSQLSvc/SQLServer_server1:1433@Kerb_realm1", "initiate"; }; 4 OF 6 DATADIRECT TECHNOLOGIES O CTOBER 2005

Windows-Specific Windows Authentication For Windows-specific authentication, the only permission that must be granted is one to allow the driver to establish connections. For example: grant codebase "file:/program Files/DataDirect/Connect for JDBC/lib/-" { permission java.net.socketpermission "*", "connect"; }; In addition, if Microsoft SQL Server named instances are used, permission must be granted for the listen and accept actions as shown in the following example: grant codebase "file:/program Files/DataDirect/Connect for JDBC/lib/-" { permission java.net.socketpermission "*", "listen, connect, accept"; }; Future Enhancements Currently, DataDirect Connect for JDBC supports Windows authenticated connections to Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Enterprise Edition (64-bit) from a Windows client. For future versions of the DataDirect Connect for JDBC drivers, the current Windows Authentication functionality will be enhanced to support: Pure Java authentication from UNIX clients MIT Kerberos KDC support Pure Java authentication for DB2, Oracle, and Sybase Conclusion The DataDirect DataDirect Connect for JDBC SQL Server driver is the only JDBC driver for Microsoft SQL Server that provides two methods for supporting Windows authentication, a Pure Java (Type 4) implementation and a Windows-specific (Type 2) implementation. Both methods of Windows authentication supported by the DataDirect Connect for JDBC driver provide secure connections for your applications to Microsoft SQL Server. We welcome your feedback! Please send any comments concerning documentation, including suggestions for other topics that you would like to see, to: docgroup@datadirect.com DATADIRECT TECHNOLOGIES O CTOBER 2005 5 OF 6

FOR MORE INFORMATION 800-876-3101 Worldwide Sales Belgium (French)...0800 12 045 Belgium (Dutch)...0800 12 046 France...0800 911 454 Germany...0800 181 78 76 Japan...0120.20.9613 Netherlands...0800 022 0524 United Kingdom...0800 169 19 07 United States...800 876 3101 Copyright 2005 DataDirect Technologies Corp. All rights reserved. DataDirect Connect is a registered trademark of DataDirect Technologies Corp. in the United States and other countries. DataDirect XQuery is a trademark of DataDirect Technologies Corp. in the U.S. and other countries. Java and all Java based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Other company or product names mentioned herein may be trademarks or registered trademarks of their respective companies. DataDirect Technologies is focused on standards-based data connectivity, enabling software developers to quickly develop and deploy business applications across all major databases and platforms. DataDirect Technologies offers the most comprehensive, proven line of data connectivity components available anywhere. Developers worldwide at more than 250 leading independent software vendors and thousands of corporate IT departments rely on DataDirect products to connect their applications to an unparalleled range of data sources using standards-based interfaces such as ODBC, JDBC and ADO.NET. Developers also depend on DataDirect to radically simplify complex data integration projects using XML products based on the emerging XQuery and XQJ standards. DataDirect Technologies is an operating company of Progress Software Corporation (Nasdaq: PRGS), a US$300+ million global software industry leader. Headquartered in Bedford, Mass., DataDirect Technologies can be reached on the Web at http://www.datadirect.com or by phone at +1-800-876-3101. 6 OF 6 DATADIRECT TECHNOLOGIES O CTOBER 2005

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information