Authentication
- Last Updated: April 16, 2026
Authentication protects the identity of the user so that user credentials cannot be intercepted by malicious hackers when transmitted over the network. See Authentication for an overview.
The SQL Server data provider supports the following methods of authentication:
- SQL Server authentication, or user ID/password authentication, authenticates the user to the database using a database user name and password provided by the application.
- Kerberos authentication uses Kerberos, a trusted third-party authentication service, to verify user identities. Kerberos authentication can take advantage of the user name and password maintained by the operating system to authenticate users to the database or use another set of user credentials specified by the application. This method requires knowledge of how to configure your Kerberos environment and supports Windows Active Directory Kerberos only.
- NTLM authentication is a single sign-on Windows authentication method. This method provides authentication from Windows clients only and requires minimal configuration.
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. See Using the Authentication Method Connection String Option for information about setting the value for this connection string option.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. The data provider uses SQL Server User ID/Password authentication, Kerberos authentication, or NTLM authentication when establishing a connection based on the following criteria:
- If a user ID and password are specified, the data provider uses SQL Server User ID/Password authentication when establishing a connection. The User ID connection string option provides the user ID. The Password connection string option provides the password.
- If a user ID and password are not specified and the data provider is not running on a Windows platform, the data provider uses Kerberos authentication when establishing a connection.
- If a user ID and password are not specified, the data provider uses NTLM authentication when establishing a connection if the data provider can load the DLL required for NTLM authentication. If the data provider cannot load the DLL, the data provider uses Kerberos authentication.
When AuthenticationMethod=Kerberos, the data provider uses Kerberos authentication when establishing a connection. The data provider ignores any values specified by the User ID and Password connection string options.
When AuthenticationMethod=NTLM, the data provider uses NTLM authentication when establishing a connection if the data provider can load the DLL required for NTLM authentication. If the data provider cannot load the DLL, the data provider throws an exception. The data provider ignores any values specified by the User ID and Password properties.
When AuthenticationMethod=UserIDPassword (the default), the data provider uses SQL Server authentication when establishing a connection. The User ID connection string option provides the user ID. The Password connection string option provides the password. If a user ID is not specified, the data provider throws an exception.
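The selection rules above can be checked against a connection string before it is deployed. The following C# sketch is an added example, not code from the data provider or its documentation; it assumes the criteria list applies when the option is set to Auto, treats credentials as specified only when both User ID and Password are present, and takes the platform and NTLM DLL availability as caller-supplied flags.

```csharp
using System;
using System.Data.Common;

public enum Mechanism { UserIdPassword, Kerberos, Ntlm, ThrowsException, Unknown }

public static class AuthMethodAudit
{
    // onWindows / ntlmDllLoadable are caller-supplied assumptions: the page
    // does not name the NTLM DLL, so this sketch cannot probe for it.
    public static (Mechanism Mech, string Note) Resolve(string cs, bool onWindows, bool ntlmDllLoadable)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = cs };
        string Get(params string[] keys)
        {
            foreach (var k in keys)
                if (b.TryGetValue(k, out var v) && !string.IsNullOrWhiteSpace(v?.ToString()))
                    return v.ToString().Trim();
            return null;
        }
        // The page writes the option both as "Authentication Method" and "AuthenticationMethod".
        string method = Get("Authentication Method", "AuthenticationMethod") ?? "UserIDPassword";
        bool hasUser = Get("User ID") != null, hasPwd = Get("Password") != null;
        string ignored = hasUser || hasPwd ? "User ID/Password present but ignored; remove them" : "";
        string inCs = "password is carried in the connection string";

        switch (method.Replace(" ", "").ToLowerInvariant())
        {
            case "kerberos": return (Mechanism.Kerberos, ignored);
            case "ntlm":
                return ntlmDllLoadable ? (Mechanism.Ntlm, ignored) : (Mechanism.ThrowsException, "NTLM DLL cannot be loaded");
            case "useridpassword":
                return hasUser ? (Mechanism.UserIdPassword, inCs) : (Mechanism.ThrowsException, "no User ID specified");
            case "auto": // criteria list above; "specified" read as both values present
                if (hasUser && hasPwd) return (Mechanism.UserIdPassword, inCs);
                if (!onWindows) return (Mechanism.Kerberos, "not running on Windows");
                return ntlmDllLoadable ? (Mechanism.Ntlm, "") : (Mechanism.Kerberos, "NTLM DLL not loadable");
            default: return (Mechanism.Unknown, "value not described on this page");
        }
    }
    public static void Main()
    {
        // Constructed sample strings; account name and password are placeholders.
        string[] samples = {
            "Authentication Method=Kerberos;User ID=svc;Password=placeholder",
            "User ID=svc;Password=placeholder",
            "Authentication Method=Auto",
        };
        foreach (var s in samples)
            Console.WriteLine(Resolve(s, onWindows: true, ntlmDllLoadable: false));
    }
}
```

The first sample is the case worth flagging in review: the provider ignores the User ID and Password under Kerberos, so the secret sits in configuration with no function.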
Configuring SQL Server Authentication
- Set the Authentication Method connection string option to Auto or User ID Password (the default). See Using the Authentication Method Connection String Option for more information about setting a value for this connection string option.
- Set the User ID connection string option to provide the user ID.
- Set the Password connection string option to provide the password.
Configuring Kerberos Authentication
This section provides requirements and instructions for configuring Kerberos authentication for the Microsoft SQL Server data provider.
Product Requirements
Verify that your environment meets the requirements listed in the following table before you configure the data provider for Kerberos authentication.
Kerberos Authentication Requirements for the SQL Server Data Provider
| Component | Requirements |
| --- | --- |
| Microsoft SQL Server database server | The database server must be administered by the same domain controller that administers the client and must be running one of the following databases: |
| Kerberos server | The Kerberos server is the machine where the user IDs for authentication are administered. The Kerberos server is also the location of the Kerberos KDC. Network authentication must be provided by Windows Active Directory on one of the following operating systems: |
| Client | The client must be administered by the same domain controller that administers the database server. |
Configuring the Data Provider
To configure the data provider, set the data provider’s Authentication Method connection string option to Kerberos. See Using the Authentication Method Connection String Option for more information about setting a value for this connection string option.
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, the SQL Server data provider takes advantage of the user name and password maintained by the operating system to authenticate users to the database. By allowing the database to share the user name and password used for the operating system, users with a valid operating system account can log into the database without supplying a user name and password.
There may be times when you want the data provider to use a set of user credentials other than the operating system user name and password. For example, many application servers or Web servers act on behalf of the client user logged on the machine on which the application is running, rather than the server user.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows client, the application user is not required to log onto the Kerberos server and explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
Configuring NTLM Authentication
This section provides requirements and instructions for configuring NTLM authentication for the Microsoft SQL Server data provider.
Product Requirements
Verify that your environment meets the requirements listed in the following table before you configure your environment for NTLM authentication.
NTLM Authentication Requirements for the SQL Server Data Provider
| Component | Requirements |
| --- | --- |
| Database server | The database server must be administered by the same domain controller that administers the client and must be running on one of the following databases: |
| Domain controller | The domain controller must administer both the database server and the client. Network authentication must be provided by NTLM on one of the following operating systems: |
| Client | The client must be administered by the same domain controller that administers the database server and must be running on one of the following operating systems: |
Configuring the Data Provider
To configure the data provider, set the Authentication Method connection string option to NTLM. See Using the Authentication Method Connection String Option for more information about setting a value for this connection string option.