Kerberos and Integrated Security using jTDS Driver

Question

Up till now we were using MS JDBC Driver 4.0 to connect to SQL Server 2008 using Integrated Security and Java Kerberos and everything was working fine.

Here is the code:

Spring Context:

<!-- ***** Data Source Configuration ***** -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
    destroy-method="close">
    <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver" />
    <property name="url"
        value="jdbc:jtds:sqlserver://<serverName>:<port>;databaseName=<DBName>;integratedSecurity=true;authenticationScheme=JavaKerberos; />
    <property name="initialSize" value="5" />
    <property name="maxActive" value="2" />
    <property name="defaultAutoCommit" value="false" />
</bean>

<!-- ***** Transaction Manager ***** -->
<bean id="txManager"
    class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
    <property name="dataSource" ref="dataSource" />
</bean>
<tx:annotation-driven transaction-manager="txManager" />

<!-- ***** JDBC Configuration ***** -->
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
    <constructor-arg type="javax.sql.DataSource" ref="dataSource" />
</bean>

login.conf File:

com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   useTicketCache=false
   doNotPrompt=true
   useKeyTab=true
   keyTab="C:/myKeyTABFile"
   principal="me@org.foo.com"
   storeKey=true
   debug=true
};

krb5.conf File:

[libdefaults]
    default_realm = org.foo.com
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 1s
    forwardable = yes
    #udp_preference_limit = 1

[realms]
    org.foo.com = {
      kdc = org.foo.com
      default_domain = org.foo.com
    }

[domain_realm]
    .org.foo.com = org.foo.com

[login]
    krb4_convert = true
    krb4_get_tickets = false

We were passing following arguments while running the Project:

-Djava.security.krb5.debug=true 
-Djava.security.auth.login.config="C:\login.conf" 
-Djava.security.krb5.conf="C:\krb5.conf

Now, we decided to use jTDS instead of MS JDBC Driver and I made following changes in the above configuration:

Changed Driver class from com.microsoft.sqlserver.jdbc.SQLServerDriver to net.sourceforge.jtds.jdbc.Driver
Changed Connection String from jdbc:sqlserver://... to jdbc:jtds:sqlserver://...
Added jTDS JAR and NTLM Authentication DLL File(s) to the Classpath

But it is giving me the following error:

Exception in thread "main" org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (I/O Error: GSS Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)) at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549) at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388) at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044) at org.foo.utils.Foo.main(Foo.java:51) Caused by: java.sql.SQLException: I/O Error: GSS Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:654) at net.sourceforge.jtds.jdbc.JtdsConnection.(JtdsConnection.java:371) at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:184) at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:38) at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582) at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:1556) at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1545) ... 3 more Caused by: java.io.IOException: GSS Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at net.sourceforge.jtds.jdbc.TdsCore.sendMSLoginPkt(TdsCore.java:1976) at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:617) ... 9 more

Things I have already tried:

Tried appending useKerberos=true; and useNTLMv2=true; to the Connection String
Tried appending domain=org.foo.com to the Connection String

But it does not seems to be working. I tried searching on internet but could not find any solution.

Would appreciate if someone could help me out.

Because we saw a huge performance improvement using jTDS as compared to the MS JDBC. — user2004685, Mar 04 '16 at 22:59
Thanks for this information. Il ultimately means that Microsoft is a terrible database vendor and does not care about other usecases than Windows.... — Michael-O, Mar 05 '16 at 09:08

score 11 · Accepted Answer · answered Mar 15 '16 at 12:41

After searching and trying different combinations and looking at the source code of jTDS this is what finally worked for me.

Use property useKerberos=true in the Connection String

Source: https://sourceforge.net/p/jtds/patches/101/
Pass VM Argument -Djavax.security.auth.useSubjectCredsOnly=false

So, finally after applying the above changes my Connection String looked like below:

jdbc:jtds:sqlserver://<serverName>:<port>;databaseName=<DBName>;useKerberos=true;

Arguments List:

-Djava.security.krb5.debug=true 
-Djava.security.auth.login.config="C:\login.conf" 
-Djava.security.krb5.conf="C:\krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false

Thanks for sharing the working recipe. I am still looking, how we can configure Kerbros in Linux — Faisal Basra, Jul 18 '17 at 07:46

Kerberos and Integrated Security using jTDS Driver

1 Answers1