You can set up the MSSQL JDBC driver to authenticate against your MSSQL database using Kerberos authentication. On a Windows machine, it might be as simple as placing the sqljdbc_auth.dll in your system path and specifying integratedSecurity=true on the JDBC connection string.
Linux users need not worry though. Although the setup process requires a few more steps, it can still work on a Linux-based installation of Artifactory.
1. The krb5.conf file – First, you'll need to make sure the krb5.conf file exists on your system and is properly configured to use the right Kerberos realm on which your MSSQL server resides. It's possible that your machine already has this file in /etc/krb5.conf. If it isn't there, go ahead and create it. JFrog can provide basic guidance on the topic, but the ones who know best how to create a krb5.conf file that fits your environment and uses the right options are your Windows/Unix administrators. All configuration options are listed in the aforementioned link.
2. The KeyTab file – The MSSQL JDBC driver will use a KeyTab file to obtain a TGT from the KDC when needed (i.e., when there is no ticket in the cache or when the ticket has expired). The KeyTab may already exist on your system somewhere, but if it doesn't, you will need to obtain it from a Windows/KDC administrator who can generate one for your machine. In most cases the principal in the KeyTab will be mapped to the Active Directory Service Account that you are using to access the Linux machine and run processes with.
3. The JAAS Configuration file – After the krb5.conf file has been set up and the KeyTab has been obtained, we'll need to create a file named SQLJDBCDriver.conf and place it inside your $ARTIFACTORY_HOME/etc directory. This file is a JAAS configuration file that the MSSQL JDBC driver will consume when the server starts up and will provide the appropriate authentication options. The file may look something like this:
Make sure the name of the configuration closure is exactly as shown above – "SQLJDBCDriver". The MSSQL JDBC driver is hardcoded to look for the configuration by this name, so failing to specify the right name will make this file useless. We could elaborate on each of the options included in the JAAS configuration, but this Javadoc does a great job covering all of them. One thing worth mentioning is that the first line specifies that the Krb5LoginModule should be used during the login process to the MSSQL endpoint.
*Be sure to replace the value of the "keyTab" option with the location of your own KeyTab file.
4. Configuring the Connection String – It's time to set up the MSSQL connection string in your $ARTIFACTORY_HOME/etc/db.properties file (formerly the storage.properties file on Artifactory 3.x/4.x). You'll need to set both the integratedSecurity=true and authenticationScheme=JavaKerberos parameters. Like this:
Read more about assembling the full connection string here.
5. Java params – Now that we have all the prerequisites covered, it's time to point the MSSQL JDBC driver at our krb5.conf and SQLJDBCDriver.conf files. Do this by editing your $ARTIFACTORY_HOME/bin/artifactory.default file and adding the line below:
export JAVA_OPTIONS="$JAVA_OPTIONS -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=$ARTIFACTORY_HOME/etc/SQLJDBCDriver.conf"
*Do not override any existing JAVA_OPTIONS lines – paste this line below the existing options to add these in an additive fashion rather than overriding anything.
*Replace the $ARTIFACTORY_HOME placeholder with your real Artifactory home installation path.
Tip: if you are facing any issues with the JDBC driver not being able to authenticate properly against the KDC or the MSSQL endpoint, you can add the -Dsun.security.krb5.debug=true param to the JAVA_OPTIONS as well. Beware though, this log will be quite verbose. The logging will be printed to your $ARTIFACTORY_HOME/tomcat/logs/catalina.out file.
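A pre-flight check for the files produced by the steps above, as an added example (not JFrog's or Microsoft's code). `write_sample` builds a constructed layout showing what the three files can look like; the realm, host, principal, keytab name and the `url=` key in db.properties are assumptions, and the rule that the keytab be readable by its owner only is a hardening check added here, since a keytab holds the service account's long-term keys.

```shell
#!/bin/sh
# Added example: verify the Kerberos JDBC setup before restarting Artifactory.

# Write a constructed sample layout into directory $1 (all values are placeholders).
write_sample() {
  : > "$1/artifactory.keytab"; chmod 600 "$1/artifactory.keytab"  # empty stand-in keytab
  cat > "$1/SQLJDBCDriver.conf" <<EOF
SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$1/artifactory.keytab"
  principal="svc-artifactory@EXAMPLE.COM"
  storeKey=true
  doNotPrompt=true;
};
EOF
  cat > "$1/db.properties" <<EOF
type=mssql
driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
url=jdbc:sqlserver://sql.example.com:1433;databaseName=artifactory;integratedSecurity=true;authenticationScheme=JavaKerberos
EOF
  cat > "$1/artifactory.default" <<EOF
export JAVA_OPTIONS="\$JAVA_OPTIONS -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=$1/SQLJDBCDriver.conf"
EOF
}

kj_fail() { echo "FAIL: $*" >&2; kj_rc=1; }

# check_kerberos_jdbc <jaas.conf> <db.properties> <artifactory.default>; returns 0 if all pass
check_kerberos_jdbc() {
  kj_rc=0
  # The driver looks up its JAAS entry by this exact, case-sensitive name.
  grep -Eq '^[[:space:]]*SQLJDBCDriver[[:space:]]*\{' "$1" || kj_fail "no SQLJDBCDriver entry in $1"
  grep -q 'Krb5LoginModule' "$1" || kj_fail "Krb5LoginModule not set in $1"
  kj_kt=$(sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  if [ -z "$kj_kt" ] || [ ! -r "$kj_kt" ]; then
    kj_fail "keyTab unset or unreadable: ${kj_kt:-none}"
  else
    # Owner-only access (600 or 400); GNU stat first, BSD stat as fallback.
    kj_mode=$(stat -c '%a' "$kj_kt" 2>/dev/null || stat -f '%Lp' "$kj_kt")
    case $kj_mode in *00) ;; *) kj_fail "keytab mode $kj_mode grants group/other access" ;; esac
  fi
  for kj_p in 'integratedSecurity=true' 'authenticationScheme=JavaKerberos'; do
    grep -E '^[[:space:]]*url=' "$2" | grep -qF "$kj_p" || kj_fail "$kj_p missing from url in $2"
  done
  for kj_p in 'java.security.krb5.conf=' 'java.security.auth.login.config='; do
    grep 'JAVA_OPTIONS' "$3" | grep -qF -e "-D$kj_p" || kj_fail "-D$kj_p missing from $3"
  done
  return "$kj_rc"
}
```

Run it as `check_kerberos_jdbc "$ARTIFACTORY_HOME/etc/SQLJDBCDriver.conf" "$ARTIFACTORY_HOME/etc/db.properties" "$ARTIFACTORY_HOME/bin/artifactory.default"`; each failed check is reported on stderr and the function returns non-zero.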