Kerberos authentication
- Last Updated: February 19, 2025
- 2 minute read
- DataDirect Connectors
- ODBC
- Documentation
Kerberos authentication
If you are using Kerberos, verify that your environment meets the requirements listed in the following table before you configure the driver for Kerberos authentication.
| Component | Requirements |
|---|---|
| Database server | The database server must be administered by the same domain controller that administers the client. In addition, the SAP ASE Security and directory services package, ASE_SECDIR, is required. |
| Kerberos server | The Kerberos server is the machine where the user IDs
for authentication are administered. The Kerberos server is also the location of the
Kerberos KDC. Network authentication must be provided by one of the following
methods:
|
Kerberos authentication can take advantage of the user name and password maintained by the operating system to authenticate users to the database or use another set of user credentials specified by the application.
The Kerberos method requires knowledge of how to configure your Kerberos environment. This method supports both Windows Active Directory Kerberos and MIT Kerberos environments.
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows
client, the application user does not explicitly need to obtain
a TGT. Windows Active Directory automatically obtains a TGT for
the user.
If the application uses Kerberos authentication from a UNIX or
Linux client, the user must explicitly obtain a TGT. To obtain a
TGT explicitly, the user must log onto the Kerberos server using
the kinit command. For example, the following command requests a
TGT from the server with a lifetime of 10 hours, which is renewable
for 5 days:
kinit -l 10h -r 5d userwhere user is the application user.
Refer to your Kerberos documentation for more information about using the kinit command and obtaining TGTs for users.
- Set the Authentication Method (AuthenticationMethod) option to
4. - Set the Network Address (NetworkAddress) option to specify the unique identifier assigned to the SAP ASE server machine.
- Set the Database Name (Database) option to specify the name of the database to which you want to connect.
- Set the GSS Client Library (GSSClient) option to specify the name of the GSS client library that the driver uses to communicate with the Key Distribution Center (KDC).
The following examples show the connection information required to establish a connection using Kerberos authentication.
Connection string
DRIVER=DataDirect 8.0 SAP ASE Wire Protocol;AuthenticationMethod=4;
NetworkAddress=123.456.78.90, 5000;Database=Payroll;GSSClient=gss123;odbc.ini
[SAP ASE]
Driver=ODBCHOME/lib/xxase28.yy
...
AuthenticationMethod=4
...
NetworkAddress=123.456.78.90, 5000
...
Database=Payroll
...
GSSClient=gss123
...