Using Kerberos with SQL Server

Kerberos is a widely accepted network authentication protocol that is used to provide a highly secure method to authenticate users. Reliance is placed upon a trusted third party called the Key Distribution Center (KDC) to facilitate the generation and secure distribution of authentication tokens and symmetric session keys. In a Windows environment, the operation of the KDC is assumed by the Domain Controller (DC) using the Active Directory (AD). Furthermore, all Windows domain users are effectively Kerberos principals and are capable of engaging in Kerberos authentication.

Among the key benefits of Kerberos authentication that make it popular are:

  • Mutual authentication (the client can validate the identity of the server principal)

  • Secure authentication tickets (only encrypted tickets are used and passwords are never included in the ticket)

  • Integrated authentication (single sign-on, i.e., once the user is logged on, s/he does not need to log on again to access any service that supports Kerberos authentication)

Kerberos with SQL Server

SQL Server 2005 (and 2000) supports Kerberos indirectly through the Windows SSPI interface when using Windows integrated authentication (as opposed to SQL authentication). However, Kerberos will only be used under certain circumstances as SQL Server allows SSPI to negotiate the authentication protocol to use; if Kerberos cannot be used, then Windows will fall back NTLM authentication. Kerberos authentication is far more desirable than NTLM from a security (and, to a lesser degree, performance) point of view and I think it’s important to understand how to ensure Kerberos is used for remote connections when possible. If you're using integrated auth, you need to make sure that the follow are done:

  1. Both the client and server machines must be part of the same Windows domain, or else trusted domains.

  2. The server's Service Principal Name (SPN) must be registered with the Active Directory (I'll explain this in more detail below)

  3. The client must connect to the server using TCP/IP. Assuming that the server has TCP/IP enabled, this can be accomplished by either placing TCP/IP at the top of the client's protocol order or else prefixing the connection string with "tcp:"

Registering an SPN

 

The SPN is essentially a mapping between a principal name and the Windows account that started the server instance service. This is needed because the client will use the server’s hostname and the TCP/IP port to which it connects to compose an SPN. If the SPN mapping has not been performed, then the Windows security layer will be unable to determine the account associated with the SPN and Kerberos authentication will not be used. In an attempt to facilitate this, the SQL Server 2005 instance will automatically try to register the SPN with the AD at startup if TCP/IP is enabled. The problem is, however, that only a domain administrator or a Local System account has the authority to register an SPN. Therefore, in the majority of cases where the service is started under a normal account, SQL Server will be unable to register the SPN for the instance. This will not prevent the instance from starting but you will see the following entry in the error log:

 

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

 

The alternative is to have a domain admin manually register the SPN for the instance. The format for an SPN is MSSQLSvc/FQDN:tcpport, where FQDN is the fully qualified domain name of the server and tcpport is the TCP/IP port number. To register the SPN, the administrator will need to use the SetSPN.exe tool which is available from the Windows server resource kit (for Windows 2K3, you can find it here, https://support.microsoft.com/default.aspx?scid=kb;en-us;892777). An example of the command is:

 

           setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname

 

If an SPN already exists, then it must be deleted before it can be re-registered. This is accomplished by a domain admin using the setspn -D command.

 

To verify that Kerberos authentication is being used, you may query the sys.dm_exec_connections DMV and look under the auth_scheme column, e.g.

 

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

 

If Kerberos is being used, then it will display “KERBEROS”.

 

I should also mention that if the instance automatically registered an SPN at startup, then it will unregister it when the instance is stopped.

 

Potential Problems

 

If instance is configured to listen to a different port, then the SPN will need to be deleted and recreated using the new port number. The problem is worse if the server is configured to use dynamic IP addresses as, potentially, a new SPN must be configured every time the server is started. I recommend that a static IP address be used so that the SPN need only be registered once. In addition, using a static IP address provides the additional benefit that the client can specify the TCP/IP directly in the connection string. Doing this will prevent the need to rely upon SQL Browser to determine the port number (SQL Browser communication uses an unauthenticated UDP channel).

 

A couple of other considerations that are documented in the BOL are (i) the Dedicated Admin Connection (DAC) only uses NTLM so no SPN is registered for the DAC connection, and (ii) if the instance is configured to listen to multiple IP addresses, then the server will only attempt to automatically register the SPN using the first port that it identifies.

Il-Sung Lee
Program Manager, SQL Server Protocols

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights