Get Mutual Kerberos Authentication

This sample shows how to get mutual Kerberos authentication by using ODBC in SQL Server Native Client.

This sample will not work with any version of SQL Server earlier than SQL Server 2008.

For more information, see Service Principal Name (SPN) Support in Client Connections.

Example

If you will build and run this sample as a 32-bit application on a 64-bit operating system, you must create the ODBC data source with the ODBC Administrator in %windir%\SysWOW64\odbcad32.exe.

This sample connects to your computer's default SQL Server instance. To connect to a named instance, change the definition of the ODBC data source to specify the instance using the following format: server\namedinstance. By default, SQL Server Express installs to a named instance.

Change "MyServer" to a machine name that has an instance of SQL Server 2008 (or later).

You will also have to specify a customer-provided SPN. Change " CP_SPN " to a customer-provided SPN.

Compile with /EHsc, /D "_UNICODE", /D "UNICODE", and odbc32.lib. Make sure your INCLUDE environment variable includes the directory that contains sqlncli.h.

// compile with: /EHsc /D "_UNICODE" /D "UNICODE" odbc32.lib
#define WIN32_LEAN_AND_MEAN
#include <tchar.h>
#include <windows.h>
#include <stdio.h>
#include <sql.h>
#include <sqlext.h>

#define _SQLNCLI_ODBC_
#include <sqlncli.h>

#define SUCCESS(x) (!((x) & 0xFFFE))

#define CHKRC(stmt) do \
                    { \
                    rc = (stmt); \
                    if (!SUCCESS(rc)) \
                    throw (RETCODE) rc; \
                    } while(0);

void PrintError(SQLSMALLINT HandleType, SQLHANDLE Handle) {
   RETCODE rc = SQL_SUCCESS;
   SQLTCHAR szSqlState[6], szMessage[1024];
   SQLSMALLINT i = 1, msgLen = 0;
   SQLINTEGER NativeError;

   do {
      i = 1;
      while (SQL_NO_DATA != (rc = SQLGetDiagRec(HandleType, Handle, i, szSqlState, &NativeError, 
         szMessage, sizeof(szMessage)/sizeof(SQLTCHAR), &msgLen)) && SUCCESS(rc)) {
            _tprintf(_T("SQLState=%s, NativeError=%ld, Message=%s\r\n"), szSqlState, NativeError, szMessage);
            i++;
      }
   } 
   while (SQL_NO_DATA != (rc = SQLMoreResults(Handle)) && SUCCESS(rc));
}

int _tmain(int argc, _TCHAR* argv[]) {
   RETCODE rc = SQL_SUCCESS;
   HENV henv = SQL_NULL_HENV;
   HDBC hdbc = SQL_NULL_HDBC;
   SQLHSTMT hstmt = SQL_NULL_HSTMT;
   SQLTCHAR * pszConnection = _T("DRIVER={SQL Server Native Client 10.0};")
      _T("Server=MyServer;")          // server with SQL Server 2008 (or later)
      _T("Trusted_Connection=Yes;")
      _T("ServerSPN=CP_SPN");    // customer-provided SPN

   TCHAR szIntgAuthMethod[64];
   SQLSMALLINT fMutuallyAuth = 0;

   try {
      CHKRC(SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HENV, &henv));
      CHKRC(SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3, 0));
      CHKRC(SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc));
      CHKRC(SQLDriverConnect( hdbc, NULL, pszConnection, SQL_NTS, NULL, 0, NULL, SQL_DRIVER_NOPROMPT));
      CHKRC(SQLGetConnectAttr(hdbc, SQL_COPT_SS_INTEGRATED_AUTHENTICATION_METHOD, szIntgAuthMethod, sizeof(szIntgAuthMethod)/sizeof(szIntgAuthMethod[0]), NULL));
      CHKRC(::SQLGetConnectAttrW(hdbc, SQL_COPT_SS_MUTUALLY_AUTHENTICATED, &fMutuallyAuth, SQL_IS_SMALLINT, NULL));

      _tprintf(_T("Authentication method: %s\r\n"), szIntgAuthMethod);
      _tprintf(_T("Mutually authenticated: %s\r\n"), fMutuallyAuth?_T("yes"):_T("no"));
   }
   catch (RETCODE retcode) {
      rc = retcode;
   }

   if (!SUCCESS(rc)) {
      if (hstmt)
         PrintError(SQL_HANDLE_STMT, hstmt);
      else if (hdbc)
         PrintError(SQL_HANDLE_DBC, hdbc);
      else if(henv)
         PrintError(SQL_HANDLE_ENV, henv);
   }

   if (hstmt)
      SQLFreeHandle(SQL_HANDLE_STMT, hstmt);
   if (hdbc) {
      SQLDisconnect(hdbc);
      SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
   }
   if (henv)
      SQLFreeHandle(SQL_HANDLE_ENV, henv);
}