As the database people are the only ones actively trying to use Kerberos, we aren't getting any priority to dig into AD and figure out what is wrong with our Kerberos config. Kerberos should work, but only actually works when connecting between resources in the same forest. In my case we have 2 forests with a forest transitive trust. Kerberos might be more secure, but is only viable if other groups in a company have made it a priority and got everything working for it. I agree that NTLM really needs to be added. However, NTLM is helpful; we do need an alternative fallback domain-user authentication (non-integrated) whenever Kerberos fails. The remaining ones that can't switch because of company policy keep enduring this pain.

Don't take this wrong, this is not the problem of MSJDBC but rather Kerberos usability. To make it worse, it happened in the customer environment where you don't have any visibility/control.

After exhausting debugging effort, many of these users ended up switching to SQL authentication, which in my opinion is not better than NTLM. To solve the problem, there are many parties involved such as Domain, Database and Security administrators, which is very common for large enterprises.