Creating a JAAS File for the SQL Server Driver for Kerberos

In this sample configuration file, the SQL Server Driver is configured to use the Krb5LoginModule with the required control flag: the login module must succeed, and if it fails the driver does not start. Debug mode is turned on:

debug=true

The driver invokes the login module through a JAAS callback handler. The following option ensures that the module never prompts interactively for a user name or password, and instead fails if the credentials cannot be obtained from the keytab:

doNotPrompt=true

The following option disables use of the Kerberos default ticket cache (the cache that kinit populates):

useTicketCache=false

The principal's long-term key is read from the keytab and held in memory, so the credentials come from the keytab rather than from a ticket cache or a prompt. Optionally, the principal can be named explicitly in the JAAS file as user@REALM1.REALM2.COM, which selects that entry from the keytab. The following entry name is required, because it is the name under which the SQL Server JDBC driver looks up its login configuration:

SQLJDBCDriver

On Linux, the entry name must be in lowercase letters.

You can save iwjaas.conf on either Windows or Linux.

SQLJDBCDriver
{
    com.sun.security.auth.module.Krb5LoginModule required
    // refreshKrb5Config=true          // uncomment only while debugging
    debug=true
    doNotPrompt=true
    useTicketCache=false
    useKeyTab=true
    keyTab="sqls6.keytab";             // the ';' must follow the last active option
    // principal="user@REALM.COM"      // if uncommented, move the ';' to this line
};

Note: On Linux, sqljdbc must be in lowercase letters.

Each entry in a login configuration file consists of an entry name followed by one or more LoginModule specifications enclosed in braces. Each specification names the LoginModule class, gives a control flag (required, requisite, sufficient or optional) and zero or more key=value options, and is terminated by a semicolon after its last option. The closing brace of the entry is also followed by a semicolon. Text after // up to the end of the line, and text between /* and */, is a comment, so a semicolon inside a commented-out line no longer terminates anything.

Uncomment refreshKrb5Config (set to true) only when debugging: it makes the login module re-read krb5.conf on every login instead of reusing the configuration already cached by the JVM.

The following table lists and describes the entries.

Entry                 Description

debug=true            Turns on Krb5LoginModule debug output, written to standard output.

doNotPrompt=true      Never prompt interactively for a user name or password; fail the login instead.

useTicketCache=false  Do not use the Kerberos default ticket cache.

useKeyTab=true        Obtain the principal's key from a keytab instead of from the ticket cache.

keyTab                Keytab file name. A bare name is resolved against the JVM's working
                      directory, so prefer an absolute path. Inside the double-quoted value a
                      backslash starts an escape sequence, so on Windows write each backslash
                      twice or use forward slashes; this is why paths in this name do not
                      always work.

principal             Name of the principal whose key is taken from the keytab, for example
                      user@REALM.COM. Needed when the keytab holds several principals; in this
                      sample it is commented out and meant for debugging only. Without it the
                      name comes from the sun.security.krb5.principal system property or from
                      the caller's NameCallback.

Note: Every part of the principal name (the user or service name and the realm) must exist: the KDC must know the principal and the keytab must contain its key.
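The syntax rules above (braces, the semicolon after the last option, // comments) and the option caveats in the table are easy to get wrong and the JDK only reports them at login time. The following is an added example, not code from the page or from the SQL Server JDBC driver: a small Python parser that tokenises a JAAS file the way the JDK's ConfigFile reader does (double-quoted strings with backslash escapes, // and /* */ comments) and then lints the Krb5LoginModule options for an unattended keytab login. The keytab path C:\krb\sqls6.keytab in the embedded sample is an assumption; everything else in the sample is the page's entry with the semicolon placed on the last active option.

```python
import re

# Constructed sample (keytab path assumed): the page's entry with the ';' on the
# last active option and a Windows path written with doubled backslashes.
SAMPLE_CONF = r'''SQLJDBCDriver
{
    com.sun.security.auth.module.Krb5LoginModule required
    // refreshKrb5Config=true
    debug=true
    doNotPrompt=true
    useTicketCache=false
    useKeyTab=true
    keyTab="C:\\krb\\sqls6.keytab";
    // principal="user@REALM.COM"
};
'''
KRB5 = 'com.sun.security.auth.module.Krb5LoginModule'
# Tokens as the JDK ConfigFile reader sees them: whitespace, // and /* */
# comments, double-quoted strings with backslash escapes, punctuation, words.
_TOKEN_RE = re.compile(r'''\s+|//[^\n]*|/\*.*?\*/
    |"((?:\\.|[^"\\])*)"|([{};=])|([^\s{};="]+)''', re.VERBOSE | re.DOTALL)
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'b': '\b', 'f': '\f'}  # \x for other x is x

def tokenize(text):  # (kind, value, line) triples; kind is 'word', 'str' or a punctuation char
    tokens, pos = [], 0
    while pos < len(text):
        m, line = _TOKEN_RE.match(text, pos), text.count('\n', 0, pos) + 1
        if not m:
            raise SyntaxError(f'line {line}: unexpected character {text[pos]!r}')
        if m.group(1) is not None:  # quoted string: apply StreamTokenizer escapes
            value = re.sub(r'\\(.)', lambda e: _ESCAPES.get(e.group(1), e.group(1)), m.group(1))
            tokens.append(('str', value, line))
        elif m.group(2) or m.group(3):
            tokens.append(('word' if m.group(3) else m.group(2), m.group(2) or m.group(3), line))
        pos = m.end()
    return tokens

def parse(text):
    """{entry: [(module class, control flag, {option: value}), ...]}; SyntaxError like the JDK."""
    toks, i = tokenize(text), 0

    def expect(kind, what):  # consume one token of the given kind, or fail like ConfigFile
        nonlocal i
        k, v, line = toks[i] if i < len(toks) else (None, '<end of file>', '?')
        if k != kind:
            raise SyntaxError(f'line {line}: expected {what}, found {v!r}')
        i += 1
        return v

    peek = lambda: toks[i][0] if i < len(toks) else None
    entries = {}
    while peek() is not None:
        name, modules = expect('word', 'entry name'), []
        expect('{', "'{'")
        while peek() != '}':
            cls = expect('word', 'LoginModule class')
            flag = expect('word', 'control flag').lower()
            opts = {}
            while peek() != ';':  # options run up to the ';' that ends this module
                key = expect('word', 'option key')
                expect('=', "'='")
                opts[key] = expect('word' if peek() == 'word' else 'str', 'option value')
            expect(';', "';' after the last option")
            modules.append((cls, flag, opts))
        expect('}', "'}'")
        expect(';', "';' after '}'")
        entries[name] = modules
    return entries

def syntax_error(text):  # the parse error message for text, or None when it parses
    try:
        parse(text)
    except SyntaxError as e:
        return str(e)
    return None

def lint_krb5(opts):
    """Findings for Krb5LoginModule options that must log in unattended from a keytab."""
    on = lambda k: opts.get(k, 'false').lower() == 'true'  # boolean options are case-insensitive
    f = []
    if not on('doNotPrompt'):
        f.append('doNotPrompt is not true: the login may block on an interactive prompt')
    if on('useKeyTab'):
        kt = opts.get('keyTab', '')
        if any(c in kt for c in '\t\n\r\b\f'):
            f.append('keyTab holds a control character: a lone backslash in the quoted path was read as an escape')
        elif not (kt.startswith('/') or re.match(r'[A-Za-z]:[\\/]', kt)):
            f.append('keyTab is missing or relative: give an absolute path, else the JVM working directory decides')
    elif not on('useTicketCache'):
        f.append('neither useKeyTab nor useTicketCache: with doNotPrompt no credentials can be found')
    if 'principal' not in opts:
        f.append('no principal option: the name must come from sun.security.krb5.principal or a NameCallback')
    return f

def check(text):  # {entry name: [finding, ...]} for the Krb5LoginModule entries in text
    return {n: [x for c, _, o in mods if c == KRB5 for x in lint_krb5(o)] for n, mods in parse(text).items()}
```

Running check(SAMPLE_CONF) reports only that no principal is set; dropping the semicolon from the keyTab line (so that the only one left is inside the commented-out principal line) makes parse() fail on the closing brace exactly as the JDK does, and writing the Windows path with single backslashes produces a keyTab value containing a tab character, which the linter flags.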