Questions regarding Kerberos and Active Directory and SQL Server

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Apr 9 00:52:07 EDT 2004


Sleepy wrote:
> Hello all,
> 
> I have some questions that I would appreciate getting some expert
> Kerberos assistance with.
> 
>     1) Is SQL Server limited to DES encryption only?
> 
>     The reason I ask is that I have discovered empirically that the
> SQL Server service startup account needs to set the Active Directory
> property "Use DES encryption types for this account".  A possible
> explanation was found as follows:  "This flag [Use DES encryption
> types for this account] is only required for service accounts which
> can only handle DES.  When a client makes a request for a service
> ticket for such service, using TGS-Exchange, the Win2K KDC generates a
> DES service ticket if this flag is set."  If this information is true,
> it would appear that SQL Server can only handle DES encryption.  

I don't know about MS SQL but the Java GSS-API only supports DES encryption.

>     2) Why would I not receive an SSPI token back from SQL Server even
> if I successfully connect to SQL Server using Active
> Directory/Kerberos authentication?
> 
>     I have an application that requests mutual authentication using
> the Java GSS-API and no SSPI token is ever returned.  We expect our
> application to receive an SSPI token back from SQL Server to complete
> the authentication process.  This expectation is based on the API and
> the fact that the TDS specification implies this will occur.

The Java client will receive a ticket for use in authenticating to the
MS SQL service account.  This will be placed in the Java application's
credential cache which is stored in a file.  This will be obtained prior
to the completion of the mutual authentication.  What are you using to
examine the exchange?

> Any assistance that can be provided would be very helpful. Thanks!
> 
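
Added example, not part of the original message and not Microsoft's code: the checkbox discussed above corresponds to the USE_DES_KEY_ONLY bit (0x200000) of userAccountControl, so a directory export can be audited for accounts the KDC will issue DES service tickets for. The account names, SPNs and LDIF text are constructed sample data.

```python
# Audit an LDIF export for accounts restricted to DES keys.
# SAMPLE_LDIF is constructed for illustration, not output from a real directory.

UF_ACCOUNTDISABLE = 0x000002
UF_USE_DES_KEY_ONLY = 0x200000  # "Use DES encryption types for this account"

# Equivalent server-side LDAP filter (bitwise-AND matching rule on the same bit).
LDAP_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2097152)"

SAMPLE_LDIF = """\
dn: CN=svc-sql,OU=Service,DC=example,DC=test
sAMAccountName: svc-sql
userAccountControl: 2163200
servicePrincipalName: MSSQLSvc/db1.example.test:1433

dn: CN=alice,OU=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc-old,OU=Service,DC=example,DC=test
sAMAccountName: svc-old
userAccountControl: 2097666
servicePrincipalName: HTTP/legacy.example.test
"""

def parse_ldif(text):
    """Parse simple, unfolded LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def des_only_accounts(entries):
    """Return (name, enabled, spns) for every account with USE_DES_KEY_ONLY set."""
    hits = []
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UF_USE_DES_KEY_ONLY:
            enabled = not (uac & UF_ACCOUNTDISABLE)
            hits.append((e["sAMAccountName"][0], enabled,
                         e.get("servicePrincipalName", [])))
    return hits

if __name__ == "__main__":
    for name, enabled, spns in des_only_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: DES-only, enabled={enabled}, SPNs={spns}")
```

Enabled accounts that carry both the flag and a servicePrincipalName are the ones to review first, since those are the services for which DES tickets are actually being requested.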

