Questions regarding Kerberos and Active Directory and SQL Server
Jeffrey Altman
jaltman2 at nyc.rr.com
Fri Apr 9 00:52:07 EDT 2004
Sleepy wrote:
> Hello all,
>
> I have some questions that I would appreciate getting some expert
> Kerberos assistance with.
>
> 1) Is SQL Server limited to DES encryption only?
>
> The reason I ask is that I have discovered empirically that the
> SQL Server service startup account needs to set the Active Directory
> property "Use DES encryption types for this account". A possible
> explanation was found as follows: "This flag [Use DES encryption
> types for this account] is only required for service accounts which
> can only handle DES. When a client makes a request for a service
> ticket for such service, using TGS-Exchange, the Win2K KDC generates a
> DES service ticket if this flag is set." If this information is true,
> it would appear that SQL Server can only handle DES encryption.

I don't know about MS SQL but the Java GSS-API only supports DES encryption.

> 2) Why would I not receive an SSPI token back from SQL Server even
> if I successfully connect to SQL Server using Active
> Directory/Kerberos authentication?
>
> I have an application that requests mutual authentication using
> the Java GSS-API and no SSPI token is ever returned. We expect our
> application to receive an SSPI token back from SQL Server to complete
> the authentication process. This expectation is based on the API and
> the fact that the TDS specification implies this will occur.

The Java client will receive a ticket for use in authenticating to the
MS SQL service account. This will be placed in the Java application's
credential cache which is stored in a file. This will be obtained prior
to the completion of the mutual authentication. What are you using to
examine the exchange?

> Any assistance that can be provided would be very helpful. Thanks!
>
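
Added example, not part of the original message or of any project's code: the "Use DES encryption types for this account" setting discussed above is stored as the USE_DES_KEY_ONLY bit (0x200000) of an account's userAccountControl attribute, so an LDIF export of the directory can be audited for accounts the KDC will issue DES service tickets for. The sample LDIF, the account names and the function names are constructed for illustration.

```python
import base64

# Documented userAccountControl bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_USE_DES_KEY_ONLY = 0x200000   # "Use DES encryption types for this account"

def parse_ldif(text):
    """Yield one dict per LDIF entry (attribute names lower-cased, values as lists)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):                 # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.lower(), []).append(value.strip())

def des_only_accounts(ldif_text):
    """Return (dn, SPN list, enabled) for every account with the DES-only flag set."""
    findings = []
    for e in parse_ldif(ldif_text):
        try:
            uac = int(e.get("useraccountcontrol", ["0"])[0])
        except ValueError:
            continue                             # malformed value: skip the entry
        if uac & UF_USE_DES_KEY_ONLY:
            findings.append((e.get("dn", ["?"])[0],
                             e.get("serviceprincipalname", []),
                             not uac & UF_ACCOUNTDISABLE))
    return findings

# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=svc-sql,OU=Service,DC=example,DC=test
userAccountControl: 2163200
servicePrincipalName: MSSQLSvc/db1.example.test:1433

dn: CN=alice,OU=Users,DC=example,DC=test
userAccountControl: 512

dn: CN=svc-old,OU=Service,
 DC=example,DC=test
userAccountControl: 2097666
"""

if __name__ == "__main__":
    for dn, spns, enabled in des_only_accounts(SAMPLE_LDIF):
        print(dn, spns, "enabled" if enabled else "disabled")
```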