Connect Azure Data Studio to SQL Server using Windows authentication - Kerberos

Azure Data Studio supports connecting to SQL Server by using Kerberos.

To use integrated authentication (Windows Authentication) on macOS or Linux, you need to set up a Kerberos ticket that links your current user to a Windows domain account.

Prerequisites

To get started, you need:

  • Access to a Windows domain-joined machine to query your Kerberos domain controller.
  • SQL Server should be configured to allow Kerberos authentication. For the client driver running on Unix, integrated authentication is supported only by using Kerberos. For more information, see Using Kerberos integrated authentication to connect to SQL Server. There should be service principal names (SPNs) registered for each instance of SQL Server you're trying to connect to. For more information, see Registering a service principal name.

Check if SQL Server has a Kerberos setup

Sign in to the host machine of SQL Server. From the Windows command prompt, use setspn -L %COMPUTERNAME% to list all the SPNs for the host. You should see entries that begin with MSSQLSvc/HostName.Domain.com, which means that SQL Server has registered an SPN and is ready to accept Kerberos authentication.

If you don't have access to the host of the SQL Server instance, then from any other Windows OS joined to the same Active Directory, you could use the command setspn -L <SQLSERVER_NETBIOS>, where <SQLSERVER_NETBIOS> is the computer name of the host of the SQL Server instance.

Get the Kerberos Key Distribution Center

Find the Kerberos Key Distribution Center (KDC) configuration value. Run the following command on a Windows computer that's joined to your Active Directory domain.

Start cmd.exe and run nltest.

nltest /dsgetdc:DOMAIN.COMPANY.COM (where "DOMAIN.COMPANY.COM" maps to your domain's name)

Sample Output
DC: \\dc-33.domain.company.com
Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
...
The command completed successfully

Copy the DC name that's the required KDC configuration value. In this case, it's dc-33.domain.company.com.

Join your OS to the Active Directory domain controller

Ubuntu

sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit

Edit the /etc/network/interfaces file so that your Active Directory domain controller's IP address is listed as dns-nameserver. For example:

<...>
# The primary network interface
auth eth0
iface eth0 inet dhcp
dns-nameservers **<AD domain controller IP address>**
dns-search **<AD domain name>**

Note

The network interface (eth0) might differ for different machines. To find out which one you're using, run ifconfig and copy the interface that has an IP address and transmitted and received bytes.

After editing this file, restart the network service:

sudo ifdown eth0 && sudo ifup eth0

Now check that your /etc/resolv.conf file contains a line like the following one:

nameserver **<AD domain controller IP address>**
sudo realm join contoso.com -U 'user@CONTOSO.COM' -v
<...>
* Success

RedHat Enterprise Linux

sudo yum install realmd krb5-workstation

Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file (or other interface config file as appropriate) so that your Active Directory domain controller's IP address is listed as a DNS server:

<...>
PEERDNS=no
DNS1=**<AD domain controller IP address>**

After editing this file, restart the network service:

sudo systemctl restart network

Now check that your /etc/resolv.conf file contains a line like the following one:

nameserver **<AD domain controller IP address>**
sudo realm join contoso.com -U 'user@CONTOSO.COM' -v
<...>
* Success
   

macOS

Join your macOS to the Active Directory domain controller by following these steps.

Configure KDC in krb5.conf

Edit the /etc/krb5.conf file in an editor of your choice. Configure the following keys:

sudo vi /etc/krb5.conf

[libdefaults]
  default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
   kdc = dc-33.domain.company.com
}

Then save the krb5.conf file and exit.

Note

The domain must be in ALL CAPS.

Test the Ticket Granting Ticket retrieval

Get a Ticket Granting Ticket (TGT) from KDC.

kinit username@DOMAIN.COMPANY.COM

View the available tickets by using klist. If the kinit was successful, you should see a ticket.

klist

krbtgt/DOMAIN.COMPANY.COM@ DOMAIN.COMPANY.COM.

Connect by using Azure Data Studio

  1. Create a new connection profile.

  2. Select Windows Authentication as the authentication type.

  3. Complete the connection profile, and select Connect.

After successfully connecting, your server appears in the SERVERS sidebar.