Kerberos Authentication and SQL Server

Kerberos is a network authentication protocol that provides a highly secure method of authenticating client and server entities (security principals) on a network. These security principals authenticate using master keys and encrypted tickets.

In the Kerberos protocol model, every client/server connection begins with authentication. Client and server, in turn, step through a sequence of actions designed to verify to the party on each end of the connection that the party on the other end is genuine. If authentication is successful, session setup completes and a secure client/server session is established.

Among the key benefits of Kerberos authentication are:

  • Mutual authentication. The client can validate the identity of the server principal, and the server can validate the client. Throughout this documentation, the two entities are called the "client" and the "server" even though secure network connections can be made between servers.

  • Secure authentication tickets. Only encrypted tickets are used, and passwords are never included in the ticket.

  • Integrated authentication. Once a user is logged on, the user does not need to log on again to access any service that supports Kerberos authentication, as long as the client ticket has not expired. Every ticket has a lifetime, which is determined by the policies of the Kerberos realm that generates the ticket.

Kerberos provides a mechanism for mutual authentication between entities before a secure network connection is established. Kerberos uses a trusted third party, the Key Distribution Center (KDC), to facilitate the generation and secure distribution of authentication tickets and symmetric session keys. The KDC runs as a service on a secure server and maintains a database of all the security principals in its realm. In the Kerberos context, a realm is the equivalent of a Windows domain.

Note

Master key security is the responsibility of the client and server; the KDC only provides the ticket granting service.

In a Windows environment, the role of the KDC is assumed by the domain controller, which typically uses Active Directory. All Windows domain users are effectively Kerberos principals and are capable of using Kerberos authentication.

Kerberos with SQL Server

SQL Server supports Kerberos indirectly, through the Windows Security Support Provider Interface (SSPI), when it is using Windows Authentication. SSPI allows an application to use the various security models available on a computer or network without changing its interface to the security system.

SQL Server lets SSPI negotiate which authentication protocol to use; if Kerberos cannot be used, Windows falls back to Windows NT Challenge/Response (NTLM) authentication.

SQL Server 2008 supports Kerberos authentication on the following protocols:

  • TCP/IP

  • Named pipes

  • Shared memory

For more information about the preceding protocols, see Network Protocols and TDS Endpoints.

As a best practice, we recommend that you use Kerberos authentication whenever possible for connections to an instance of SQL Server.
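Because SSPI negotiates the protocol silently, the only way to confirm that the recommendation above is actually being met is to inspect what each live connection negotiated. The following T-SQL is an added example, not part of the original page; it reads the sys.dm_exec_connections and sys.dm_exec_sessions dynamic management views (auth_scheme reports KERBEROS, NTLM, or SQL; net_transport reports the network protocol) and assumes the caller holds the VIEW SERVER STATE permission those views require.

```sql
-- Added example (not from the original page): list how each current user
-- connection was authenticated, so NTLM fallbacks can be found and reviewed.
-- Requires VIEW SERVER STATE.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,      -- TCP, Named pipe, or Shared memory
    c.auth_scheme,        -- KERBEROS, NTLM, or SQL (SQL Server login)
    c.encrypt_option,
    c.client_net_address,
    CASE c.auth_scheme
        WHEN 'KERBEROS' THEN 'OK: Kerberos negotiated'
        WHEN 'NTLM'     THEN 'Review: Windows login fell back to NTLM'
        WHEN 'SQL'      THEN 'Not Windows Authentication'
        ELSE 'Unexpected scheme'
    END AS assessment
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1          -- skip internal system sessions
ORDER BY c.auth_scheme, s.login_name;

-- Summary: connection counts per network protocol and negotiated scheme.
-- A non-zero NTLM row for a protocol where Kerberos is expected is the
-- signal that the best practice is not being followed for some clients.
SELECT
    c.net_transport,
    c.auth_scheme,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY c.net_transport, c.auth_scheme
ORDER BY c.net_transport, c.auth_scheme;
```

Run the first query from the client whose connection you want to verify, or filter it by login_name, to confirm Kerberos was negotiated rather than NTLM.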