sai_sp
Saviynt Employee

Use-Case: 

Many customers have a requirement to use a Windows domain account for database connectors.

Steps (ONLY FOR NON-EIC):

  1. Create a login on the SQL Server for the user that will be used by the connector.
  2. Create a 'krb5.conf' file containing the information about the AD domain and domain realm. A sample file is shared at the link below:

https://drive.google.com/file/d/15LXdo8rB9sOxufsWT6beYUf1840LsCpr/view?usp=sharing

    • Please use the same case for the domain/realm/KDC name as in the attached sample file.

 

  3. Create a keytab file for the user. Run the command below on the Domain Controller machine to generate the keytab file. The keytab file has to be placed on the same server where SSM is running:

                Here U239093@SAVPOC.COM is the UPN of the user on the AD server.

  4. Create SQLJDBCDriver.conf (the login conf file) as per the attached sample file. Only the keytab file location and the user principal have to be changed.

 

  5. Remove the old MS SQL driver jar (sqljdbc4.jar) from the ECM/lib directory and replace it with the attached 'mssql-jdbc-7.0.0.jre8.jar'.
  6. Add the following two properties to the Catalina startup.sh file:

            export JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/datadrive/sharedappdrive/saviynt/Kerbros/krb5.conf -Djava.security.auth.login.config=/datadrive/sharedappdrive/saviynt/Kerbros/SQLJDBCDriver.conf"

 

  7. Restart the application server.

 

  8. A sample connection URL is below:

            jdbc:sqlserver://desktop-8gqhcvq.savpoc.com:1433;DatabaseName=SAVMSSQL;authenticationScheme=JavaKerberos;integratedSecurity=true;userName=${USERNAME};password=${PASSWORD}

 

Note: Use the same user and password at the connector for which the keytab file was generated.

 

Acceptance criteria: 

 

1. With the above config changes, I should be able to connect to the MS SQL DB using Kerberos authentication with AD domain accounts.

2. I should be able to enter the user principal name and the password in USERNAME and PASSWORD in the connection properties, and the URL should be constructed as shown above using these values.
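Steps 2, 4 and 6 of the post (krb5.conf, SQLJDBCDriver.conf and the JAVA_OPTS line) carried through as an added example; this is not part of the original post and not Saviynt's code. The script writes the two files on the server that runs SSM, which is where the post says the keytab must be placed, refuses a principal whose realm does not match the configured realm byte for byte (the reason behind the post's note about case), checks the keytab with the MIT krb5 tools when they are installed, and prints the line to append to the Catalina startup script. The realm, the UPN U239093@SAVPOC.COM and the directory /datadrive/sharedappdrive/saviynt/Kerbros are taken from the post; the KDC host name dc01.savpoc.com, the keytab file name U239093.keytab and all function names are assumptions. It assumes the keytab itself has already been generated on a domain-joined Windows host (the post's step 3, whose command is not reproduced here).

```shell
#!/usr/bin/env bash
# Added example, not Saviynt's code. Generates the krb5.conf and the JAAS login
# config (SQLJDBCDriver.conf) described in the post, sanity-checks the keytab on
# the server that runs SSM, and emits the JAVA_OPTS line for the Catalina script.
# Assumptions not taken from the post: KDC host dc01.savpoc.com, keytab file
# name U239093.keytab, and every function name below.
set -eu

REALM="SAVPOC.COM"                 # Kerberos realm, upper case, from the post's UPN
DOMAIN="savpoc.com"                # DNS domain, lower case
KDC="dc01.savpoc.com"              # assumption: the post does not name the KDC
PRINCIPAL="U239093@SAVPOC.COM"     # UPN from the post
KERB_DIR="${KERB_DIR:-/datadrive/sharedappdrive/saviynt/Kerbros}"  # directory from the post's JAVA_OPTS
KEYTAB="$KERB_DIR/U239093.keytab"  # assumption: name of the generated keytab

# Kerberos realm names are case-sensitive, which is why the post insists on the
# same case in krb5.conf, the principal and the KDC name. Succeeds only when the
# realm part of the principal equals the configured realm exactly.
principal_matches_realm() {
  local principal="$1" realm="$2"
  [ "${principal##*@}" = "$realm" ]
}

# Print a krb5.conf for one realm. DNS lookups are switched off so the JVM talks
# only to the KDC configured here.
krb5_conf() {
  local realm="$1" domain="$2" kdc="$3"
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Print the JAAS login configuration. "SQLJDBCDriver" is the login-context name
# the Microsoft JDBC driver looks up by default for authenticationScheme=JavaKerberos.
jaas_conf() {
  local keytab="$1" principal="$2"
  cat <<EOF
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="$keytab"
    principal="$principal"
    storeKey=true
    doNotPrompt=true
    debug=false;
};
EOF
}

# The single line to append to the Catalina startup script (the post's step 6).
java_opts_line() {
  local dir="$1"
  printf 'export JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=%s/krb5.conf -Djava.security.auth.login.config=%s/SQLJDBCDriver.conf"\n' "$dir" "$dir"
}

# Check the keytab before restarting Tomcat: it must be readable and, when the
# MIT krb5 tools are present, list the principal and obtain a TGT from the KDC.
# Returns non-zero on the first failed check.
check_keytab() {
  local keytab="$1" principal="$2"
  [ -r "$keytab" ] || { echo "keytab $keytab missing or unreadable" >&2; return 1; }
  if command -v klist >/dev/null 2>&1; then
    klist -kt "$keytab" | grep -q -F "$principal" \
      || { echo "principal $principal not found in $keytab" >&2; return 1; }
  fi
  if command -v kinit >/dev/null 2>&1; then
    KRB5_CONFIG="$(dirname "$keytab")/krb5.conf" kinit -kt "$keytab" "$principal" \
      || { echo "kinit with $keytab failed" >&2; return 1; }
  fi
}

main() {
  principal_matches_realm "$PRINCIPAL" "$REALM" || { echo "realm case mismatch" >&2; exit 1; }
  mkdir -p "$KERB_DIR"
  krb5_conf "$REALM" "$DOMAIN" "$KDC" > "$KERB_DIR/krb5.conf"
  jaas_conf "$KEYTAB" "$PRINCIPAL" > "$KERB_DIR/SQLJDBCDriver.conf"
  chmod 600 "$KEYTAB"   # the keytab is a credential: only the Tomcat account may read it
  check_keytab "$KEYTAB" "$PRINCIPAL"
  java_opts_line "$KERB_DIR"
}

# Only write files when asked explicitly, e.g.:  KERB_DIR=/tmp/kerb ./kerb-setup.sh --write
if [ "${1:-}" = "--write" ]; then main; fi
```

Run it with --write on the application server as the account that runs Tomcat, append the printed line to the Catalina startup script and restart. The chmod 600 is not cosmetic: a keytab is equivalent to the account's password, so it should be readable only by the service account, and it belongs on the host whose JVM performs the Kerberos login.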

 

Comments
rushikeshvartak
All-Star
RajeshA
Regular Contributor

@rushikeshvartak 

The drive link you pasted above is also not working. Can we have an updated one?

@sai_sp Which email address are we talking about here? Is this email address U239093@SAVPOC.COM for the service account we are using to authenticate with Microsoft SQL Server?

RajeshA
Regular Contributor

@rushikeshvartak and @sai_sp 

Our domain controller doesn't have Java installed, so we generated the keytab file using a member computer, as per the note below.

[screenshot: RajeshA_0-1711113181914.png]

I am going to open a Saviynt ticket to upload this on to the server

But where should this keytab file be placed on our client end? Does it need to be stored in some location on the member computer (where the keytab was generated), with that path in SQLJDBCDriver.conf, or does it need to be copied to the domain controller and stored there, with that path in SQLJDBCDriver.conf?

Darshanjain
Saviynt Employee

Hi @RajeshA 

 

Place the keytab file where the SSM is running; ideally it should be the domain controller. Keep the path correct in the conf file and try it out.

 

Thanks

Darshan

RajeshA
Regular Contributor

@Darshanjain 

SSM is not running on the domain controller; it is cloud hosted.

We need to place the keytab file in two locations. Correct me if I am wrong:

  1. Place it on the server where Saviynt is running, since we are on 5.5 and using the cloud version. This happens through a ticket with Saviynt.
  2. The second location is where I have a question: does this need to be placed on a domain controller (where Java is not installed, in my case), or on any domain-controlled machine (where Java is installed), from where I generated the keytab file?

 

 

Darshanjain
Saviynt Employee

Hi @RajeshA 

Okay, please keep the keytab on the domain controller.

 

Thanks

Darshan

Suresh1
New Contributor

Hello @Darshanjain ,

We have raised an internal ticket with our infra team to have the generated keytab file placed on the DC, but our infra team is not okay with this approach: due to security and other constraints, this file cannot be placed on the DC.

Is it okay to place this on any of the member computers?

Or please let us know if there is any alternative workaround for this.

Regards,

Suresh V.

Suresh1
New Contributor

Hello Team,

Could you please guide us here?

Regards,

Suresh V.

Last update: 08/25/2023 09:10 AM