Questions regarding Kerberos and Active Directory and SQL Server

Sleepy sleepy at sleepy.net
Thu Apr 8 23:25:44 EDT 2004


Hello all,

I have some questions that I would appreciate getting some expert
Kerberos assistance with.

    1) Is SQL Server limited to DES encryption only?

    The reason I ask is that I have discovered empirically that the
SQL Server service startup account needs to set the Active Directory
property "Use DES encryption types for this account".   A possible
explanation was found as follows:  "This flag [Use DES encryption
types for this account] is only required for service accounts which
can only handle DES.  When a client makes a request for a service
ticket for such service, using TGS-Exchange, the Win2K KDC generates a
DES service ticket if this flag is set."  If this information is true,
it would appear that SQL Server can only handle DES encryption.  

    2) Why would I not receive an SSPI token back from SQL Server even
if I successfully connect to SQL Server using Active
Directory/Kerberos authentication?

    I have an application that requests mutual authentication using
the Java GSS-API and no SSPI token is ever returned.  We expect our
application to receive an SSPI token back from SQL Server to complete
the authentication process.  This expectation is based on the API and
the fact that the TDS specification implies this will occur.

Any assistance that can be provided would be very helpful. Thanks!
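
For the account flag discussed in question 1, an added example (not part of the original post) that audits an LDIF export of directory accounts for the `USE_DES_KEY_ONLY` bit (0x200000 in `userAccountControl`), which is the bit the "Use DES encryption types for this account" checkbox sets. The account names, domain and LDIF sample are constructed, and the function names are hypothetical.

```python
import base64
USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit set by the "Use DES encryption types" checkbox
ACCOUNTDISABLE = 0x2

# Constructed sample export (hypothetical accounts), not data from the original post.
SAMPLE_LDIF = """\
dn: CN=sqlsvc,OU=Service Accounts,DC=example,DC=test
sAMAccountName: sqlsvc
userAccountControl: 2163200
servicePrincipalName: MSSQLSvc/db1.example.test:1433

dn: CN=websvc,OU=Service Accounts,DC=example,DC=test
sAMAccountName: websvc
userAccountControl: 66048
servicePrincipalName: HTTP/web1.example.test

dn: CN=olduser,OU=Users,DC=example,DC=test
sAMAccountName: olduser
userAccountControl: 2097666
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comment or malformed line
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def des_only_accounts(text):
    """Return accounts whose userAccountControl has USE_DES_KEY_ONLY set."""
    findings = []
    for e in parse_ldif(text):
        raw = e.get("useraccountcontrol", ["0"])[0]
        uac = int(raw) if raw.isdigit() else 0
        if uac & USE_DES_KEY_ONLY:
            findings.append({"account": e.get("samaccountname", e.get("dn", ["?"]))[0],
                             "enabled": not uac & ACCOUNTDISABLE,
                             "spns": e.get("serviceprincipalname", [])})
    return findings

if __name__ == "__main__":
    print(*des_only_accounts(SAMPLE_LDIF), sep="\n")
```

Entries that are enabled and carry a `servicePrincipalName` are the ones the quoted explanation applies to, since those are the accounts for which service tickets are requested.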


