Using Kerberos Integrated Authentication to Connect to SQL Server


Beginning in Microsoft JDBC Driver 4.0 for SQL Server, an application can use the authenticationScheme connection property to indicate that it wants to connect to a database using type 4 Kerberos integrated authentication. See Setting the Connection Properties for more information on connection properties. For more information on Kerberos, see Microsoft Kerberos.

When using integrated authentication with the Java Krb5LoginModule, you can configure the module using Class Krb5LoginModule.

The Microsoft JDBC Driver for SQL Server sets the following properties for IBM Java VMs:

  • useDefaultCcache = true

  • moduleBanner = false

The Microsoft JDBC Driver for SQL Server sets the following properties for all other Java VMs:

  • useTicketCache = true

  • doNotPrompt = true


Prior to Microsoft JDBC Driver 4.0 for SQL Server, applications could specify integrated authentication (using Kerberos or NTLM, depending on which is available) by using the integratedSecurity connection property and by referencing sqljdbc_auth.dll, as described in Building the Connection URL.

Beginning in Microsoft JDBC Driver 4.0 for SQL Server, an application can use the authenticationScheme connection property to indicate that it wants to connect to a database using Kerberos integrated authentication using the pure Java Kerberos implementation:

  • If you want integrated authentication using Krb5LoginModule, you must still specify the integratedSecurity=true connection property. You would then also specify the authenticationScheme=JavaKerberos connection property.

  • To continue using integrated authentication with sqljdbc_auth.dll, just specify the integratedSecurity=true connection property (and optionally authenticationScheme=NativeAuthentication).

  • If you specify authenticationScheme=JavaKerberos but do not also specify integratedSecurity=true, the driver will ignore the authenticationScheme connection property and it will expect to find user name and password credentials in the connection string.

When using a datasource to create connections, you can programmatically set the authentication scheme using setAuthenticationScheme and (optionally) set the SPN for Kerberos connections using setServerSpn.

A new logger has been added to support Kerberos authentication. For more information, see Tracing Driver Operation.

The following guidelines will help you to configure Kerberos:

  1. Set AllowTgtSessionKey to 1 in the registry for Windows. For more information, see Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003.

  2. Make sure that the Kerberos configuration (krb5.conf in UNIX environments), points to the correct realm and KDC for your environment.

  3. Initialize the TGT cache by using kinit or logging into the domain.

  4. When an application that uses authenticationScheme=JavaKerberos runs on the Windows Vista or Windows 7 operating systems, you should use a standard user account. However, if you run the application under an administrator’s account, the application must run with administrator privileges.


The serverSpn connection attribute is only supported by Microsoft JDBC Drivers 4.2 and higher.

Service Principal Names

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service.

You can specify the SPN using the serverSpn connection property, or simply let the driver build it for you (the default). This property is in the form “MSSQLSvc/fqdn:port@REALM”, where fqdn is the fully-qualified domain name, port is the port number, and REALM is the Kerberos realm of the SQL Server in upper-case letters. The realm portion of this property is optional if your Kerberos configuration’s default realm is the same realm as that of the Server, and it is not included by default. If you wish to support a cross-realm authentication scenario where the default realm in the Kerberos configuration is different from the realm of the Server, then you must set the SPN with the serverSpn property.

For example, your SPN might look like: “MSSQLSvc/”

For more information about service principal names (SPNs), see:


Before the 6.2.0 release of the JDBC driver, proper use of cross-realm Kerberos required you to set serverSpn explicitly.

As of the 6.2.0 release, the driver builds the serverSpn by default, even when using cross-realm Kerberos. You can still set serverSpn explicitly if you prefer.

Creating a Login Module Configuration File

You can optionally specify a Kerberos configuration file. If a configuration file is not specified, the following settings are in effect:

Sun JVM: com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;

IBM JVM: com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;

If you decide to create a login module configuration file, the file must follow this format:

<name> {  
    <LoginModule> <flag> <LoginModule options>;  
    <optional_additional_LoginModules, flags_and_options>;  
};  

A login configuration file consists of one or more entries, each specifying which underlying authentication technology should be used for a particular application or applications. For example,

SQLJDBCDriver { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };  

So, each login module configuration file entry consists of a name followed by one or more LoginModule-specific entries, where each LoginModule-specific entry is terminated by a semicolon and the entire group of LoginModule-specific entries is enclosed in braces. Each configuration file entry is terminated by a semicolon.

In addition to allowing the driver to acquire Kerberos credentials using the settings specified in the login module configuration file, the driver can use existing credentials. This can be useful when your application needs to create connections using more than one user’s credentials.

The driver will attempt to use existing credentials if they are available, before attempting to login using the specified login module. Thus, when using the Subject.doAs method for executing code under a specific context, a connection will be created with the credentials passed to the Subject.doAs call.

For more information, see JAAS Login Configuration File and Class Krb5LoginModule.

Beginning in Microsoft JDBC Driver 6.2, the name of the login module configuration can optionally be passed using the jaasConfigurationName connection property; this allows each connection to have its own login configuration.

Creating a Kerberos Configuration File

For more information about Kerberos configuration files, see Kerberos Requirements.

This is a sample domain configuration file, where YYYY and ZZZZ are domain names at your site.

[libdefaults]  
default_realm = YYYY.CORP.CONTOSO.COM  
dns_lookup_realm = false  
dns_lookup_kdc = true  
ticket_lifetime = 24h  
forwardable = yes  

[realms]  
YYYY.CORP.CONTOSO.COM = {  
  default_domain = YYYY.CORP.CONTOSO.COM  
}  

ZZZZ.CORP.CONTOSO.COM = {  
  default_domain = ZZZZ.CORP.CONTOSO.COM  
}  

Enabling the Domain Configuration File and the Login Module Configuration File

You can enable a domain configuration file with the java.security.krb5.conf system property. You can enable a login module configuration file with the java.security.auth.login.config system property.

For example, when you start your application, you could use this command line:


Verifying that SQL Server Can be Accessed via Kerberos

Run the following query in SQL Server Management Studio:

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

Make sure that you have the necessary permission to run this query.
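The following added example (not from the original page or the driver project) ties the steps above together: it logs in through a JAAS entry, opens a connection with integratedSecurity=true and authenticationScheme=JavaKerberos inside Subject.doAs so the driver reuses those credentials, sets serverSpn explicitly for the cross-realm case, and then runs the auth_scheme query to confirm the session really used Kerberos. The host, port, realm, SPN and entry name SQLJDBCDriver are assumed placeholders, and the login module configuration file is assumed to be enabled with java.security.auth.login.config.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class KerberosJdbcCheck {

    // Assumed placeholder values: replace with your server, realm and JAAS entry name.
    static final String URL = "jdbc:sqlserver://sqlhost.zzzz.corp.contoso.com:1433;databaseName=master";
    static final String SERVER_SPN = "MSSQLSvc/sqlhost.zzzz.corp.contoso.com:1433@ZZZZ.CORP.CONTOSO.COM";
    static final String JAAS_ENTRY = "SQLJDBCDriver";

    // Opens a Kerberos connection under the given Subject and returns the auth_scheme SQL Server reports.
    static String connectAndReportAuthScheme(Subject subject) throws Exception {
        Properties props = new Properties();
        props.setProperty("integratedSecurity", "true");           // required, or authenticationScheme is ignored
        props.setProperty("authenticationScheme", "JavaKerberos"); // pure Java Kerberos instead of sqljdbc_auth.dll
        props.setProperty("serverSpn", SERVER_SPN);                // explicit SPN (driver 4.2+); cross-realm case
        props.setProperty("jaasConfigurationName", JAAS_ENTRY);   // driver 6.2+: per-connection login configuration

        // Inside Subject.doAs the driver uses the credentials already in the Subject instead of logging in again.
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            try (Connection conn = DriverManager.getConnection(URL, props);
                 Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(
                     "select auth_scheme from sys.dm_exec_connections where session_id=@@spid")) {
                return rs.next() ? rs.getString(1) : null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // JAAS login via the named entry (e.g. Krb5LoginModule with useTicketCache=true reading the kinit cache).
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        String scheme = connectAndReportAuthScheme(lc.getSubject());
        // sys.dm_exec_connections reports KERBEROS, NTLM or SQL; anything but KERBEROS means a fallback happened.
        if (!"KERBEROS".equals(scheme)) {
            throw new IllegalStateException("Expected auth_scheme KERBEROS, got " + scheme);
        }
        System.out.println("Connected with auth_scheme=" + scheme);
    }
}
```

Running it with a stale or missing ticket cache fails at lc.login() rather than silently falling back to NTLM or SQL authentication, which is the point of checking auth_scheme.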

Constrained Delegation

Beginning in Microsoft JDBC Driver 6.2, the driver supports Kerberos Constrained Delegation. The delegated credential can be passed in as an org.ietf.jgss.GSSCredential object; the driver uses these credentials to establish the connection.

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import org.ietf.jgss.GSSCredential;

Properties driverProperties = new Properties();
GSSCredential impersonatedUserCredential = userCredential; // delegated credential obtained through GSS-API
driverProperties.setProperty("integratedSecurity", "true");
driverProperties.setProperty("authenticationScheme", "JavaKerberos");
// put() rather than setProperty(): the value is a GSSCredential object, not a String
driverProperties.put("gsscredential", impersonatedUserCredential);
Connection conn = DriverManager.getConnection(CONNECTION_URI, driverProperties);

Kerberos Connection using Principal Names and Password

Beginning in Microsoft JDBC Driver 6.2, the driver can establish a Kerberos connection using the principal name and password passed in the connection string.


The userName property does not require the REALM if the user belongs to the default_realm set in the krb5.conf file. When userName and password are set along with the integratedSecurity=true; and authenticationScheme=JavaKerberos; properties, the connection is established with the value of userName as the Kerberos principal and the password supplied.

See Also

Connecting to SQL Server with the JDBC Driver