Connecting to MSSQL SERVER using Microsoft Java ODBC driver and Kerberos

I did not find a lot of documentation for connecting to SQL SERVER using Kerberos authentication and JAVA. So I decided to write this little blog post up.

The key piece of information is using authenticationScheme=JavaKerberos in the connection string.
This works on both Windows and Linux as long as you have a Kerberos ticket. You can verify that you have one by typing klist on the command line.
You should see something like the following for your user:

[user1@vm01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777216_kbQnZ2
Default principal: testuser1@CORP.COMPANY.NET
 
Valid starting     Expires            Service principal
10/22/14 07:23:58  10/22/14 17:23:58  krbtgt/CORP.COMPANY.NET@CORP.COMPANY.NET
    renew until 10/29/14 07:23:58

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class main {
	public static void main(String[] args) {
		try {
			// Explicit driver load; JDBC 4 drivers also register themselves automatically
			Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
		} catch (ClassNotFoundException e) {
			e.printStackTrace();
		}

		// integratedSecurity=true with authenticationScheme=JavaKerberos makes the driver
		// authenticate with the caller's Kerberos ticket; no password is in the URL
		String connectionUrl = "jdbc:sqlserver://SQLSERVER01;instanceName=SQLINSTANCE01;database=Inventory;integratedSecurity=true;authenticationScheme=JavaKerberos";

		String SQL = "select * from dbo.table01";

		// try-with-resources closes the connection, statement and result set
		try (Connection con = DriverManager.getConnection(connectionUrl)) {
			System.out.println("connected...");

			try (Statement stmt = con.createStatement();
					ResultSet rs = stmt.executeQuery(SQL)) {
				// Print the first column of every row
				while (rs.next()) {
					System.out.println(rs.getString(1));
				}
			}
		} catch (SQLException e) {
			e.printStackTrace();
		}
	}
}

Creating a keytab file for Kerberos authentication on Linux

This guide was created on CentOS 6. You will need the krb5-workstation package installed:

yum install krb5-workstation

Create a keytab file for Kerberos authentication for the user testuser1:

[user1@vm01 ~]$ ktutil
ktutil:  addent -password -p testuser1@CORP.COMPANY.NET -k 1 -e aes256-cts
Password for testuser1@CORP.COMPANY.NET: [enter your password]
ktutil:  wkt testuser1.keytab
ktutil:  quit

Use the keytab file to obtain the Kerberos ticket:

[user1@vm01 ~]$ kinit testuser1@CORP.COMPANY.NET -k -t ./testuser1.keytab 

Verify that the Kerberos ticket has been initialized:

[user1@vm01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777216_kbQnZ2
Default principal: testuser1@CORP.COMPANY.NET

Valid starting     Expires            Service principal
10/22/14 07:23:58  10/22/14 17:23:58  krbtgt/CORP.COMPANY.NET@CORP.COMPANY.NET
	renew until 10/29/14 07:23:58

Applications running under the user profile for which the Kerberos ticket was initialized should now be able to use it.
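A keytab written by ktutil holds the user's long-term key, so anyone who can read the file can obtain tickets as that user. The script below is an added example, not part of the original post: it refuses to run kinit on a keytab that is a symlink, is owned by another user, or is readable by group or others, then confirms the ticket with klist -s. It assumes GNU stat and the MIT Kerberos tools from krb5-workstation; the script name krb-preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat and the MIT
# Kerberos client tools, as on the CentOS host used in this guide.

# keytab_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
keytab_is_private() {
    kt=$1
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "keytab: $kt is missing or not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$kt") || return 1    # octal mode, e.g. 600
    owner=$(stat -c '%u' "$kt") || return 1   # numeric owner uid
    if [ "$owner" != "$(id -u)" ]; then
        echo "keytab: $kt is owned by uid $owner, not the current user" >&2
        return 1
    fi
    case $mode in
        0|*00) return 0 ;;   # last two octal digits are 0: no group/other access
    esac
    echo "keytab: $kt has mode $mode; run: chmod 600 $kt" >&2
    return 1
}

# acquire_ticket PRINCIPAL KEYTAB
# Refuses to use an exposed keytab, then obtains a TGT and confirms the
# ticket cache holds an unexpired ticket (klist -s is silent, status only).
acquire_ticket() {
    principal=$1
    kt=$2
    keytab_is_private "$kt" || return 1
    kinit -k -t "$kt" "$principal" || return 1
    klist -s
}

# Usage: sh krb-preflight.sh testuser1@CORP.COMPANY.NET ./testuser1.keytab
if [ "$#" -eq 2 ]; then
    acquire_ticket "$1" "$2"
fi
```

Run it before starting the Java application; a non-zero exit status means the keytab was rejected or no valid ticket was obtained.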

reference: https://kb.iu.edu/d/aumh