I am able to connect to the SQL server using user name & password from our application with Kerberos authentication. But our customer prefers to use a keytab file instead of passing the password over the network.
When I try to use keytab I am facing some issues as below.
When viewing the keytab it shows the correct SPN as:
[1] Service principal: MSSQLSvc/myhost:1433@MYDOMAIN.COM KVNO: 18
But while referring to the keytab file for authentication, it throws the below error:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab refreshKrb5Config is false principal is MSSQLSvc/myhost:1433@MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Key for the principal MSSQLSvc/myhost:1433@MYDOMAIN.COM not available in C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
The error message is "MSSQLSvc/myhost:1433@MYDOMAIN.COM not available in C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab", but it actually is available in the keytab. Can someone point out what's wrong here? Thank you!
I am able to connect to the SQL server using user name & password from our application with Kerberos authentication. But our customer prefers to use a keytab file instead of passing the password over the network.
When I try to use keytab I am facing some issues as below.
Our SQL server's SPN is:
MSSQLSvc/myhost:1433@MYDOMAIN.COM
I have created keytab file as:
ktpass -out "C:\Users\myuser\KerberosConf\MSSQL\myappserver.keytab" -princ MSSQLSvc/myhost:1433@MYDOMAIN.COM -mapUser mydomain\myuser -pass Test@123 -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
When viewing the keytab it shows the correct SPN as:
[1] Service principal: MSSQLSvc/myhost:1433@MYDOMAIN.COM KVNO: 18
But while referring to the keytab file for authentication, it throws the below error:
The error message is "MSSQLSvc/myhost:1433@MYDOMAIN.COM not available in C:/Users/myuser/KerberosConf/MSSQL/myappserver.keytab", but it actually is available in the keytab. Can someone point out what's wrong here? Thank you!
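Added example, not part of the original post: the keytab listing quoted above shows the principal and KVNO but not the encryption type of the stored key. This Python sketch parses a keytab in the MIT version 0x0502 layout and reports whether an entry matches both a principal and a set of permitted encryption types. It rests on the assumption, not confirmed anywhere on this page, that a key lookup needs both to match; `diagnose`, `sample_keytab` and the allowed-etype sets are hypothetical names and constructed data.

```python
import struct

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, p):
    """Read a 16-bit length-prefixed string; return (text, next_offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab version 0x0502 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        p, pos = pos, pos + size           # p walks this entry, pos jumps past it
        end = pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        parts = []
        for _ in range(ncomp):
            part, p = _counted(data, p)
            parts.append(part)
        # name type, timestamp, 8-bit KVNO, enctype, key length (key bytes skipped)
        _nt, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if end - p >= 4:                   # optional 32-bit KVNO replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, etype))
    return entries

def diagnose(entries, principal, allowed_etypes):
    """Say why a lookup for `principal` would or would not find a usable key."""
    mine = [e for name, _k, e in entries if name == principal]
    if not mine:
        return "no-such-principal"
    return "ok" if any(e in allowed_etypes for e in mine) else "etype-not-permitted"

def sample_keytab():
    """Constructed sample: one AES256 entry, KVNO 18, all-zero key bytes."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + s(b"MYDOMAIN.COM") + s(b"MSSQLSvc") + s(b"myhost:1433")
    body += struct.pack(">IIBHH", 1, 0, 18, 18, 32) + bytes(32)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    for name, kvno, etype in parse_keytab(sample_keytab()):
        print(name, "KVNO", kvno, ETYPES.get(etype, etype))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`; the parser never returns or prints key bytes.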