Windows Authentication and Kerberos

The following topics contain information for configuring a connection to the SQL server source using Windows authentication and the Kerberos authentication protocol that supports it.

Windows Authentication

Windows authentication can go by many names. Some of the most common names include:

  • Windows authentication

  • Windows domain authentication

  • Domain authentication

  • Integrated authentication

  • Kerberos authentication

In this topic, the terms "Windows authentication" and "Kerberos" are used.

Important
To configure Windows authentication, you must properly configure Kerberos.

When you connect using a Windows user account, the SQL Server source validates the account name and password using the Windows principal token in the operating system. In other words, the user identity is validated by Windows, not the source. The source doesn't ask for a password and it doesn't validate the identity. Windows authentication is the default authentication mode. It is much more secure than SQL Server authentication. A connection made using Windows authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

Windows authentication supports the following:

  • The Kerberos authentication scheme

  • Password policy enforcement with regard to complexity validation for strong passwords

  • Account lockout

  • Password expiration

To properly support Windows authentication, the Virtual Appliance must be able to resolve the SQL server host, the key distribution center (KDC), and the default Kerberos realm.

By using Windows authentication, Windows groups can be created at the domain level and a login can be created on the SQL Server source for the entire group. Managing access at the domain level can simplify account administration.

For more information, refer to Connecting through Windows Authentication in the Microsoft documentation.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.

Windows Authentication Compatibility Check

To properly support Windows authentication, the Virtual Appliance must be able to resolve the SQL server host, the key distribution center (KDC), and the default Kerberos realm.

To check if the VA can resolve the necessary components, run the following command, replacing <host_fqdn> with each component's fully qualified domain name:

nslookup <host_fqdn>

For example:

  • Verify resolvability with the SQL server:

    nslookup MYSQLSERVER.EXAMPLE.COM

  • Verify resolvability with the KDC:

    nslookup MYKDC.EXAMPLE.COM

  • Verify resolvability with the Kerberos realm:

    nslookup EXAMPLE.COM
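The three lookups above collected into one script, added here as an example (it is not a SailPoint tool). It wraps the nslookup command the page recommends and exits non-zero if any name fails to resolve, so it can be run from a VA troubleshooting session or as a scheduled check. Beyond the page's three lookups it also queries the _kerberos._tcp SRV record that Active Directory publishes for a realm, which is how a client can locate a KDC with no explicit configuration. The host names in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# check_krb_names.sh: verify that this host can resolve the names Windows
# authentication to SQL Server depends on. Added example, not a SailPoint tool.
# Usage (constructed placeholder names):
#   sh check_krb_names.sh MYSQLSERVER.EXAMPLE.COM MYKDC.EXAMPLE.COM EXAMPLE.COM

# Resolve one name with nslookup, as the page recommends. Output is discarded;
# only the exit status matters (BIND and busybox nslookup exit non-zero on failure).
resolve_host() {
    nslookup "$1" >/dev/null 2>&1
}

# Check every name given; print one line per name and return 1 if any failed.
check_kerberos_names() {
    failed=0
    for name in "$@"; do
        if resolve_host "$name"; then
            printf 'OK    %s\n' "$name"
        else
            printf 'FAIL  %s\n' "$name"
            failed=1
        fi
    done
    return "$failed"
}

# Extra: list the KDCs Active Directory advertises for a realm via DNS SRV records.
# Kerberos clients can use these records when no KDC is configured explicitly,
# which is why a single-domain setup may work without a krb5.config file.
list_kdc_srv() {
    realm_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nslookup -type=SRV "_kerberos._tcp.${realm_lc}" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    check_kerberos_names "$@" || {
        echo "One or more names did not resolve; review the VA DNS configuration." >&2
        exit 1
    }
    # The last argument is the realm; show which KDCs it advertises.
    for realm in "$@"; do :; done
    list_kdc_srv "$realm"
fi
```

The script takes the SQL Server host, the KDC and the realm as arguments in that order, so a failing name is reported by name rather than by a bare nslookup error.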

Note
You may need to change the DNS configuration on the Virtual Appliance. For more information on changing the DNS, refer to Network Troubleshooting.

Kerberos

The SailPoint SQL Server connector supports Windows authentication using the Kerberos authentication scheme as an underlying protocol for authentication information exchange.

To provide a Login Module Configuration File and a Kerberos Configuration File, refer to Base Configuration.

Login Module Configuration File

Filename – SQLJDBCDriver.config

Important
This file must be provided for Windows authentication. You can upload it on the Base Configuration tab. For other ways to upload the file, refer to Upload Configuration Files.

A login module configuration file consists of one or more entries, each specifying which underlying authentication technology should be used for a particular application or applications. The login module configuration file for this connector allows the SQL JDBC driver to acquire Kerberos credentials.

Each login module configuration file entry consists of a name followed by one or more login module-specific entries. Each entry is terminated by a semicolon. Groups of entries are enclosed by braces.
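An added example of such a file (not a file shipped by SailPoint); the entry name and the two module options follow the Microsoft JDBC documentation the page links to, and the comments explain the structure the paragraph above describes:

```text
// SQLJDBCDriver.config (JAAS login module configuration; added example)
// Entry name: the Microsoft JDBC driver looks up the entry named SQLJDBCDriver
// unless a different jaasConfigurationName is supplied.
SQLJDBCDriver {
    // One login module per line: class name, control flag ("required" means the
    // login fails if this module fails), then module options; a semicolon ends
    // the module entry and braces enclose the whole group.
    // useTicketCache=true  - reuse an existing Kerberos ticket cache if present.
    // doNotPrompt=true     - never ask for a password; if no cached ticket or
    //                        keytab credential exists, the login fails instead.
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true;
};
```

When the password is meant to be supplied by the driver rather than taken from a ticket cache, doNotPrompt is the option to revisit: with it set to true, Krb5LoginModule will not fall back to the driver's callback handler for the password.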

For more information, refer to Creating a login module configuration file in Using Kerberos integrated authentication to connect to SQL Server in the Microsoft documentation.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.

Kerberos Configuration File

Filename – krb5.config

The krb5.config file contains the Kerberos configuration information, including the locations of key distribution centers (KDCs), administration daemons for the Kerberos realms of interest, defaults for the current realm and for the Kerberos applications, and mappings of host names onto the Kerberos realms. This file must reside on all Kerberos clients.

The format of the krb5.config consists of section headings in square brackets. Each section can contain zero or more configuration variables (called relations), of the form:

relation = relation-value

or

relation-subsection = {
    relation = relation-value
    relation = relation-value
}
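A complete krb5.config for the EXAMPLE.COM realm used elsewhere on this page, added here as a constructed example (not SailPoint's file); MYKDC.EXAMPLE.COM is the assumed KDC name. It also lists a second realm, CORP.EXAMPLE.NET (constructed), to show the multi-domain case in which the page says a configuration file is required.

```ini
# krb5.config for the EXAMPLE.COM realm (constructed example, not SailPoint's file).
# Section headings sit in square brackets; relations are "name = value"; a
# relation subsection groups relations inside braces.

[libdefaults]
    # Realm used when a principal name carries no realm suffix.
    default_realm = EXAMPLE.COM

[realms]
    # Where to find the KDC and the administration daemon for each realm.
    EXAMPLE.COM = {
        kdc = MYKDC.EXAMPLE.COM
        admin_server = MYKDC.EXAMPLE.COM
    }
    # Second realm for a multi-domain environment (constructed); each additional
    # domain the connector must reach gets its own entry.
    CORP.EXAMPLE.NET = {
        kdc = DC01.CORP.EXAMPLE.NET
        admin_server = DC01.CORP.EXAMPLE.NET
    }

[domain_realm]
    # Map host names (and whole DNS domains, via the leading dot) onto realms.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .corp.example.net = CORP.EXAMPLE.NET
    corp.example.net = CORP.EXAMPLE.NET
```

Realm names are case-sensitive and conventionally upper case, while the DNS names under [domain_realm] are lower case; every host named here must also pass the nslookup check described earlier on this page.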

Alternative Kerberos Configuration

The Kerberos configuration file is mandatory for Windows authentication. However, if a krb5.config is not available, you can add the following entries to the source XML using the REST API. If possible, SailPoint recommends that you use a krb5.config file.

  • Attribute – kerbConfig

    Value – RealmAndKdc

  • Attribute – realm

    Value – The name of the default Kerberos realm

  • Attribute – kdc

    Value – The fully qualified domain name of your key distribution center in the Kerberos realm

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

For example:

  • If your default Kerberos realm is example.com, your entry will be as follows:

    Attribute – realm

    Value – EXAMPLE.COM

  • If the fully qualified domain name of your key distribution center (KDC) in the default Kerberos realm is KDC.EXAMPLE.COM, your entry will be as follows:

    Attribute – kdc

    Value – KDC.EXAMPLE.COM
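The same three entries expressed as the request a script would send, added here as an example rather than taken from the page or from SailPoint. It assumes that the Update Source (Partial) call the page refers to is the JSON Patch PATCH /v3/sources/{id} operation of the SailPoint V3 API, that connector settings live under connectorAttributes, and that SAILPOINT_TENANT, SOURCE_ID and ACCESS_TOKEN are supplied in the environment; confirm these against the Developer Community reference before use. The realm is upper-cased before it is sent, matching the page's example.

```shell
#!/bin/sh
# Added example: add the kerbConfig, realm and kdc attributes to a SQL Server
# source through the REST API. Not SailPoint's own code.

# Build the JSON Patch document. Kerberos realm names are case-sensitive and
# written in upper case, so the realm is normalised the way the page's example does.
build_kerberos_patch() {
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    kdc=$2
    cat <<EOF
[
  {"op": "add", "path": "/connectorAttributes/kerbConfig", "value": "RealmAndKdc"},
  {"op": "add", "path": "/connectorAttributes/realm", "value": "${realm}"},
  {"op": "add", "path": "/connectorAttributes/kdc", "value": "${kdc}"}
]
EOF
}

# Send the patch. The endpoint path, the connectorAttributes prefix and the
# Bearer header are assumptions about the SailPoint V3 API. The token is read
# from the environment and is never echoed.
apply_kerberos_patch() {
    build_kerberos_patch "$1" "$2" | curl -sS --fail -X PATCH \
        "https://${SAILPOINT_TENANT}.api.identitynow.com/v3/sources/${SOURCE_ID}" \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        -H "Content-Type: application/json-patch+json" \
        --data-binary @-
}

# Usage: sh add_kerberos_attrs.sh example.com KDC.EXAMPLE.COM
if [ "$#" -eq 2 ]; then
    # Fail early with a clear message if any required variable is missing.
    : "${SAILPOINT_TENANT:?not set}" "${SOURCE_ID:?not set}" "${ACCESS_TOKEN:?not set}"
    apply_kerberos_patch "$1" "$2"
fi
```

Separating the body builder from the call keeps the patch reviewable (pipe build_kerberos_patch to a file and inspect it) before anything is sent to the tenant.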

Note
For single domain environments, Kerberos connectivity may succeed without a defined KDC and Realm or any configuration file. This may occur if the Kerberos client loaded on the client computer can resolve and reach the default Kerberos realm and KDC automatically. If you have multiple sources with multiple domains and connectivity across the domains, you must provide a krb5.config file.

Regardless, SailPoint always recommends providing a krb5.config file for Windows authentication.

For more information, refer to Creating a Kerberos configuration file in the Microsoft documentation.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.