Microsoft SQL Server offers two types of security authentication: SQL Server authentication and Windows authentication. SQL Server authentication authenticates the user to the database using a database user name and password. Windows authentication is also referred to as "Windows Integrated Security" or a "trusted connection" because it relies on the user being authenticated, or "trusted," by the operating system. Windows authentication is the authentication mode recommended by Microsoft.
Windows authentication takes advantage of Windows user security and account mechanisms. By allowing Microsoft SQL Server to share the user name and password used for Windows, users with a valid Windows account can log into Microsoft SQL Server without supplying a user name and password. In addition to a single login within a Windows domain, Windows authentication provides a more secure mechanism for logging into Microsoft SQL Server. Standard Windows security mechanisms also provide the added advantages of auditing, password aging, minimum password length, and account lockout after multiple invalid login requests.
The DataDirect Connect® for JDBC® SQL Server driver is the only JDBC driver for Microsoft SQL Server that provides two methods for supporting Windows authentication, a Pure Java (Type 4) implementation and a Windows-specific (Type 2) implementation. The Windows-specific implementation requires minimal configuration to enable Windows authentication; however, it can only be used when the driver is running on a Windows platform. The Pure Java implementation is not restricted to Windows platforms, but requires configuration of your Kerberos environment.
This document describes both types of Windows authentication methods supported by the DataDirect Connect for JDBC SQL Server driver and provides an overview of the configuration required to use each method. Finally, it describes the current limitations and future enhancements planned for this functionality.
The DataDirect Connect for JDBC SQL Server driver provides the following methods for supporting Windows authentication:
The Pure Java authentication method is important to many Java developers because it eliminates the need to install database-specific client libraries or additional shared libraries. It requires J2SE 1.4 or higher and knowledge of how to configure Windows Active Directory and Kerberos to support this functionality.
The Windows-specific method requires J2SE 1.2 or higher and requires minimal configuration. In addition, it can be used in both Windows Active Directory and NTLM domains.
Pure Java Windows authentication supports connections to Microsoft SQL Server 2000 and Microsoft SQL Server 2000 Enterprise Edition (64-bit) SP2 or higher in a Windows domain running Windows Active Directory. This authentication method supports Kerberos authentication, an authentication protocol that is an integral component of Windows Active Directory.
You set the DataDirect Connect for JDBC SQL Server driver's AuthenticationMethod connection property to control which authentication method is used by the driver. For example, the following connection URL specifies that Pure Java Windows authentication will be used for the connection if a user name is not specified:
jdbc:datadirect:sqlserver://server1:1433;AuthenticationMethod=type4Alternatively, you can configure the driver to automatically select the appropriate Windows authentication method to use for the connection based on a combination of criteria, such as whether the application provides a user ID, the driver is running on a Windows platform, and the driver can load the DLL required for Windows-specific Windows authentication. For example:
jdbc:datadirect:sqlserver://server1:1433;AuthenticationMethod=autoFor more information about setting the AuthenticationMethod connection property, refer to the DataDirect Connect for JDBC User's Guide and Reference.
To use Pure Java Windows authentication with the DataDirect Connect for JDBC SQL Server driver, configuration is required on the Microsoft SQL Server database server, the domain controller, and the client machine as summarized in Table 1. DataDirect Connect for JDBC performs some of this configuration for you during installation.
Table 1: Configuring Your Kerberos Environment for Pure Java Windows Authentication
|
Component |
Configuration |
|
Domain controller |
|
|
Microsoft SQL Server database server |
|
|
Client |
|
For more information about configuring your environment for Pure Java Windows authentication, including detailed instructions for each of these configuration steps, refer to the DataDirect Connect for JDBC User's Guide and Reference.
Windows-specific authentication requires that the DataDirect Connect for JDBC SQL Server driver be installed on a Windows client; however, it supports both NTLM and Kerberos authentication for Microsoft SQL Server 2000 SP3 or higher and Microsoft SQL Server 2000 Enterprise Edition (64-bit) SP2 or higher.
You set the DataDirect Connect for JDBC SQL Server driver's AuthenticationMethod connection property to control which authentication method is used by the driver. For example, the following connection URL specifies that Windows-specific Windows authentication will be used for the connection if a user name is not specified:
jdbc:datadirect:sqlserver://server1:1433;AuthenticationMethod=type2Alternatively, you can configure the driver to automatically select the appropriate Windows authentication method to use for the connection based on a combination of criteria, such as whether the application provides a user ID, the driver is running on a Windows platform, and the driver can load the DLL required for Windows-specific Windows authentication. For example:
jdbc:datadirect:sqlserver://server1:1433;AuthenticationMethod=autoFor more information about setting the AuthenticationMethod connection property, refer to the DataDirect Connect for JDBC User's Guide and Reference.
To use Windows-specific authentication with the DataDirect Connect for JDBC SQL Server driver, copy the appropriate Windows-specific authentication DLL to a directory on the Windows system path on the machine where you have installed the driver. DataDirect Connect for JDBC provides two Windows-specific authentication DLLs, a 32-bit and a 64-bit version. If the application using Windows-specific Windows authentication is running in a 32-bit Java Virtual Machine (JVM), the driver uses the 32-bit version of the DLL. Similarly, if the application is running in a 64-bit JVM, the driver uses the 64-bit version.
Alternatively, you can set the java.libary.path system property to specify the directory of the Windows-specific authentication DLL. For example, if the DataDirect Connect for JDBC SQL Server driver is installed in a directory named "DataDirect," you can specify the location of the DLL by using the following Virtual Machine argument when the Java application is started:
-Djava.library.path=C:\DataDirect\libFor more information about configuring your environment for Windows-specific authentication, refer to the DataDirect Connect for JDBC User's Guide and Reference.
If the DataDirect Connect for JDBC SQL Server driver is used on a Java 2 Platform with a Security Manager, you must grant certain permissions to the DataDirect Connect for JDBC SQL Server driver in the security policy file of the Java 2 Platform. The security policy file is located in the jre/lib/security subdirectory of the Java 2 Platform installation directory. The permissions that must be granted depend on whether the driver is using Pure Java or Windows-specific Windows authentication.
For Pure Java authentication, security permissions must be granted to the application and the driver. For example:
grant codeBase "file:/Program Files/DataDirect/Connect for JDBC/lib/-" {permission javax.security.auth.AuthPermission"createLoginContext.DDTEK-JDBC";permission javax.security.auth.AuthPermission "doAs";permission javax.security.auth.kerberos.ServicePermission "krbtgt/Kerb_realm1@Kerb_realm1", "initiate";permission javax.security.auth.kerberos.ServicePermission "MSSQLSvc/SQLServer_server1:1433@Kerb_realm1", "initiate";};For Windows-specific authentication, the only permission that must be granted is one to allow the driver to establish connections. For example:
grant codeBase "file:/Program Files/DataDirect/Connect for JDBC/lib/-" {permission java.net.SocketPermission "*", vsconnect";};In addition, if Microsoft SQL Server named instances are used, permission must be granted for the listen and accept actions as shown in the following example:
grant codeBase "file:/Program Files/DataDirect/Connect for JDBC/lib/-" {permission java.net.SocketPermission "*", "listen, connect, accept";};Currently, DataDirect Connect for JDBC supports Windows authenticated connections to Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Enterprise Edition (64 bit) from a Windows client.
For future versions of the DataDirect Connect for JDBC drivers, the current Windows Authentication functionality will be enhanced to support:
The DataDirect DataDirect Connect for JDBC SQL Server driver is the only JDBC driver for Microsoft SQL Server that provides two methods for supporting Windows authentication, a Pure Java (Type 4) implementation and a Windows-specific (Type 2) implementation. Both methods of Windows authentication supported by the DataDirect Connect for JDBC driver provide secure connections for your applications to Microsoft SQL Server.