Authentication
- Last Updated: April 16, 2026
- ADO.NET
Authentication protects the identity of the user so that user credentials cannot be intercepted by malicious hackers when transmitted over the network. See Authentication for an overview.
The DB2 data provider supports the following methods of authentication:
- User ID/password authentication authenticates the user to the database using a database user name and password. Depending on the method you specify, the data provider passes one of the following sets of credentials to the DB2 database server for authentication:
  - Encrypted user ID and password
  - User ID in clear text and an encrypted password
  - Both user ID and password in clear text
- Kerberos authentication uses Kerberos, a trusted third-party authentication service, to verify user identities. Kerberos authentication can take advantage of the user name and password maintained by the operating system to authenticate users to the database, or use another set of user credentials specified by the application. This method requires knowledge of how to configure your Kerberos environment and supports Windows Active Directory Kerberos and MIT Kerberos.
- Client authentication uses the user ID of the user logged onto the system on which the data provider is running to authenticate the user to the database. The DB2 database server relies on the client to authenticate the user and does not provide additional authentication.
  Note: Because the database server does not authenticate the user when client authentication is used, use this method of authentication only if you can guarantee that only trusted clients can access the database server.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections.
When Authentication Method=Kerberos, the data provider uses Kerberos authentication when establishing a connection. The data provider ignores any values specified by the User ID and Password connection string options.
When Authentication Method=EncryptedUIDPassword, Authentication Method=EncryptedPassword, or Authentication Method=ClearText (the initial default), the data provider uses user ID/password authentication when establishing a connection. The User ID connection string option provides the user ID. The Password connection string option provides the password.
The set of credentials passed to the DB2 server depends on the specified value:
- When Authentication Method=EncryptedUIDPassword, an encrypted user ID and encrypted password are sent to the DB2 server for authentication.
- When Authentication Method=EncryptedPassword, a user ID in clear text and an encrypted password are sent to the DB2 server for authentication.
- When Authentication Method=ClearText, both a user ID and a password are sent in clear text to the DB2 server for authentication.
Note: With any of these three values, the data provider can additionally encrypt the data stream if the Encryption Method connection string option is set.
When Authentication Method=Client, the data provider uses the user ID of the user logged onto the system on which the data provider is running when establishing a connection. The DB2 database server relies on the client to authenticate the user and does not provide additional authentication. The data provider ignores any values specified by the User ID and Password connection string options.
Configuring User ID/Password Authentication
- Set the Authentication Method connection string option to EncryptedUIDPassword, EncryptedPassword, or ClearText (the default).
- Set the User ID connection string option to provide the user ID.
- Set the Password connection string option to provide the password.
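As an added example that is not part of the original documentation, the following C# program builds the three User ID/password connection strings described in the steps above and runs a small pre-flight check over any DB2 connection string: it reads the Authentication Method value (falling back to ClearText, the documented default, when the option is absent), reports which credentials the provider would send in clear text, and flags a clear-text choice made without an Encryption Method option. It parses the string with System.Data.Common.DbConnectionStringBuilder from the .NET base class library rather than a provider-specific builder; the host, port, database name and account values are placeholders, and the option names are the ones documented on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class DB2AuthMethodCheck {
    // What crosses the network in clear text for each documented Authentication Method value.
    static readonly Dictionary<string, string> ClearTextExposure =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) {
            { "EncryptedUIDPassword", "nothing (user ID and password are both encrypted)" },
            { "EncryptedPassword",    "user ID only (password is encrypted)" },
            { "ClearText",            "user ID and password" },
            { "Kerberos",             "nothing (User ID/Password are ignored; a Kerberos ticket is used)" },
            { "Client",               "nothing (User ID/Password are ignored; the server trusts the client)" }
        };

    // Builds a User ID/password connection string for the chosen method (the three steps above).
    // Host, port and database name are placeholders, not values from the documentation.
    public static string BuildUserIdPasswordConnectionString(string authMethod, string userId, string password) {
        var b = new DbConnectionStringBuilder();
        b["Host"] = "db2test";
        b["Port"] = "50000";
        b["Database Name"] = "test";
        b["Authentication Method"] = authMethod;
        b["User ID"] = userId;
        b["Password"] = password;
        return b.ConnectionString;
    }

    // Pre-flight check: which credentials will be sent, and is anything exposed without encryption?
    public static IList<string> Assess(string connectionString) {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var findings = new List<string>();

        object raw;
        bool explicitMethod = b.TryGetValue("Authentication Method", out raw);
        // ClearText is the documented initial default when the option is absent.
        string method = explicitMethod ? raw.ToString() : "ClearText";
        findings.Add("Authentication Method = " + method
                     + (explicitMethod ? "" : " (option absent; documented default applies)"));

        string exposure;
        if (!ClearTextExposure.TryGetValue(method, out exposure)) {
            findings.Add("unrecognised value; check the connection string");
            return findings;
        }
        findings.Add("sent in clear text: " + exposure);

        bool clearTextCredential = method.Equals("EncryptedPassword", StringComparison.OrdinalIgnoreCase)
                                || method.Equals("ClearText", StringComparison.OrdinalIgnoreCase);
        if (clearTextCredential && !b.ContainsKey("Encryption Method"))
            findings.Add("WARNING: a credential travels in clear text and Encryption Method is not set");
        if (method.Equals("Client", StringComparison.OrdinalIgnoreCase))
            findings.Add("NOTE: the server performs no authentication of its own; restrict access to trusted clients");
        return findings;
    }

    static void Main() {
        // Constructed sample account; replace with real values when running against a server.
        foreach (string method in new[] { "EncryptedUIDPassword", "EncryptedPassword", "ClearText" }) {
            string cs = BuildUserIdPasswordConnectionString(method, "dbuser", "dbpassword");
            Console.WriteLine(cs);
            foreach (string f in Assess(cs)) Console.WriteLine("  " + f);
        }
        // Option omitted entirely: exercises the documented ClearText default.
        Console.WriteLine("(no Authentication Method option)");
        foreach (string f in Assess("Host=db2test;Port=50000;Database Name=test;User ID=dbuser;Password=dbpassword"))
            Console.WriteLine("  " + f);
    }
}
```

The check is deliberately conservative: EncryptedPassword still sends the user ID in clear text, so it is flagged alongside ClearText whenever Encryption Method is absent, while EncryptedUIDPassword is the only User ID/password value that exposes neither credential on an unencrypted link.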
Configuring Kerberos Authentication
This section provides requirements and instructions for configuring Kerberos authentication for the DB2 data provider.
Product Requirements
Verify that your environment meets the requirements listed in the following table before you configure the DB2 data provider for Kerberos authentication.
Kerberos Authentication Requirements for the DB2 Data Provider
| Component | Requirements |
| --- | --- |
| Database server | The database server must be running one of the following database versions: |
| Kerberos server | The Kerberos server is the machine where the user IDs for authentication are administered. The Kerberos server is also the location of the Kerberos KDC. Network authentication must be provided by one of the following methods: |
| Client | The client must be administered by the same domain controller that administers the database server. |
Configuring the Data Provider
To configure the data provider to use Kerberos, set the Authentication Method connection string option to Kerberos.
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, when Kerberos authentication is used, the DB2 data provider takes advantage of the user name and password maintained by the operating system to authenticate users to the database. By allowing the database to share the user name and password used for the operating system, users with a valid operating system account can log into the database without supplying a user name and password.
There may be times when you want the data provider to use another set of user credentials. For example, many application servers or Web servers act on behalf of the client user logged on to the machine on which the application is running, rather than the server user.
The following C# code snippet demonstrates how to use Windows impersonation to connect using Kerberos as a user other than the user under which the current process is running.
```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using DDTek.DB2;

namespace ConsoleApplication50 {
    class Program {
        // Win32 LogonUser: obtains an access token for the supplied account.
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
            int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

        // Win32 CloseHandle: releases the token handle when impersonation is finished.
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public extern static bool CloseHandle(IntPtr handle);

        static void Main(string[] args) {
            try {
                DB2Connection connection = new DB2Connection();
                // User ID and Password are omitted: with Kerberos the provider ignores them.
                connection.ConnectionString = "Host=db2test; Port=50000; Database Name=test; Authentication Method=Kerberos;";

                // 1. Connect as the user under which the current process is running.
                connection.Open();
                DB2Command command = connection.CreateCommand();
                command.CommandText = "SELECT CURRENT_SCHEMA FROM SYSIBM.SYSDUMMY1";
                string schema = (string)command.ExecuteScalar();
                Console.Out.WriteLine("Current user: " + schema);
                connection.Close();

                // 2. Obtain a token for another account and impersonate it.
                const int LOGON32_PROVIDER_DEFAULT = 0;
                // This logon type causes LogonUser to create a primary token.
                const int LOGON32_LOGON_INTERACTIVE = 2;
                IntPtr tokenHandle = IntPtr.Zero;

                // Call LogonUser to obtain a handle to an access token.
                if (LogonUser("otheruser", "DOMAIN", "otherpassword",
                              LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                              ref tokenHandle)) {
                    WindowsIdentity wi = new WindowsIdentity(tokenHandle);
                    WindowsImpersonationContext wic = wi.Impersonate();
                    try {
                        // Connect via Kerberos as otheruser
                        connection.Open();
                        command = connection.CreateCommand();
                        command.CommandText = "SELECT CURRENT_SCHEMA FROM SYSIBM.SYSDUMMY1";
                        schema = (string)command.ExecuteScalar();
                        Console.Out.WriteLine("Current user: " + schema);
                        connection.Close();
                    }
                    finally {
                        // End impersonation and release the token even if the connection attempt throws
                        wic.Undo();
                        CloseHandle(tokenHandle);
                    }
                }
                else {
                    // SetLastError = true on the DllImport makes the Win32 error code available here
                    Console.Out.WriteLine("LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
                }

                // 3. Impersonation has ended: this connection is again made as the process user.
                connection.Open();
                command = connection.CreateCommand();
                command.CommandText = "SELECT CURRENT_SCHEMA FROM SYSIBM.SYSDUMMY1";
                schema = (string)command.ExecuteScalar();
                Console.Out.WriteLine("Current user: " + schema);
                connection.Close();
            }
            catch (Exception e) {
                // Print the whole chain of inner exceptions
                do {
                    Console.Out.WriteLine(e.Message);
                    e = e.InnerException;
                } while (e != null);
            }
        }
    }
}
```
For additional information on using Kerberos, refer to the Microsoft documentation.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows client, the application user does not need to explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
Configuring Client Authentication
Set the Authentication Method connection string option to Client.