10 The Sybase Data Provider : Authentication

Authentication
Authentication verifies the identity of the user who connects to the database. Depending on the method chosen, it can also keep the user's credentials from being intercepted when they are transmitted over the network. See “Authentication” for an overview.
The Sybase data provider supports two authentication methods. User ID/password authentication authenticates the user to the database using a database user name and password supplied by the application.
Kerberos authentication uses Kerberos, a trusted third-party authentication service, to verify user identities. It can use the user name and password maintained by the operating system to authenticate the user to the database, or another set of user credentials specified by the application.
Kerberos authentication requires knowledge of how to configure your Kerberos environment. The data provider supports Windows Active Directory Kerberos and MIT Kerberos.
The data provider’s Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. The same option can also direct the data provider to encrypt the user's password as it is sent across the network to the Sybase server. See “Using the Authentication Method Connection String Option” for information about setting the value for this option.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections.
When Authentication Method=Kerberos, the data provider uses Kerberos authentication when establishing a connection. Use the Service Principal Name connection string option to specify the service principal name of the Sybase server. The data provider ignores any values specified by the User ID and Password options.
When Authentication Method=UserIDPassword (the default), the data provider uses user ID/password authentication when establishing a connection. The User ID connection string option supplies the user ID and the Password connection string option supplies the password. If a user ID is not specified, the data provider throws an exception. This value does not by itself protect the password on the network; use EncryptPassword, or enable data encryption with the Encryption Method option, to do so.
When Authentication Method=EncryptPassword, the data provider encrypts the user's password before sending it to a Sybase server that has password encryption enabled, using the encryption algorithm the Sybase server requires. Only the password is encrypted, only at connect time, and only while it crosses the network to the server; the rest of the connection's traffic is not encrypted by this setting.
NOTE: With any of these Authentication Method values, the data provider can also encrypt the data on the connection by setting the Encryption Method connection string option.
Configuring User ID/Password Authentication
1
Set the Authentication Method connection string option to UserIDPassword. Alternatively, if the Sybase server has password encryption enabled, set the Authentication Method connection string option to EncryptPassword.
2
Set the User ID connection string option to the database user ID.
3
Set the Password connection string option to the password for that user ID.
Configuring Kerberos Authentication
This section provides requirements and instructions for configuring Kerberos authentication for the Sybase data provider.
Product Requirements
Verify that your environment meets the requirements listed in Table 10-6 before you configure the data provider for Kerberos authentication.
Configuring the Data Provider
To configure the data provider:
1
Set the Authentication Method connection string option to Kerberos.
2
Set the Service Principal Name connection string option to the service principal name of the Sybase server.
The value of the Service Principal Name connection string option can include the Kerberos realm name, but the realm name is optional. If you do not specify it, the default realm of the client's Kerberos configuration is used. For example, if the service principal name, including the Kerberos realm name, is server/sybase125ase1@XYZ.COM and the default realm is XYZ.COM, valid values for this connection string option are:
server/sybase125ase1@XYZ.COM
and
server/sybase125ase1
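The connection string rules described above (the three Authentication Method values and what each one requires, and the optional realm in Service Principal Name) can be checked mechanically before an application ships a connection string. The following Python audit is an added example, not code from the data provider or its documentation. The default realm XYZ.COM is taken from the example in the text; the sample connection strings, the treatment of any non-empty Encryption Method value as enabling data encryption, and the wording of the findings are this example's own assumptions.

```python
"""Audit the authentication-related options of a Sybase ADO.NET connection string.

Added example, not part of the data provider or its documentation. The option
names (Authentication Method, User ID, Password, Service Principal Name,
Encryption Method) and the values UserIDPassword, EncryptPassword and Kerberos
are those described on this page; the default realm XYZ.COM and all sample
connection strings below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "key = value" pair: case-insensitive key, value optionally wrapped in
# double or single quotes so that a password may contain ';' or '='.
_PAIR = re.compile(r'''\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)''')

_METHODS = {"useridpassword": "UserIDPassword",
            "encryptpassword": "EncryptPassword",
            "kerberos": "Kerberos"}


def parse_connection_string(conn_str: str) -> dict:
    """Return {lower-case option name: value}; a later duplicate key overrides an earlier one."""
    opts, pos = {}, 0
    while pos < len(conn_str):
        if conn_str[pos] in " \t;":          # skip blanks and empty segments
            pos += 1
            continue
        m = _PAIR.match(conn_str, pos)
        if not m:
            raise ValueError(f"malformed connection string near offset {pos}")
        key = " ".join(m.group(1).split()).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        opts[key] = value.strip()
        pos = m.end()
    return opts


def normalize_spn(spn: str, default_realm: str) -> str:
    """'server/host' and 'server/host@REALM' are both valid; add the default realm if absent."""
    return spn if "@" in spn else f"{spn}@{default_realm}"


@dataclass
class AuthAudit:
    method: str                              # effective Authentication Method
    password_protected: bool = False         # True if no cleartext password crosses the network
    spn: Optional[str] = None                # realm-qualified service principal (Kerberos only)
    problems: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def audit_authentication(conn_str: str, default_realm: str = "XYZ.COM") -> AuthAudit:
    opts = parse_connection_string(conn_str)
    raw = opts.get("authentication method", "UserIDPassword")   # UserIDPassword is the default
    method = _METHODS.get(raw.lower())
    audit = AuthAudit(method=method or raw)
    if method is None:
        audit.problems.append(f"unknown Authentication Method value {raw!r}")
        return audit

    # Encryption Method, when set, encrypts the data stream. Assumption of this example:
    # any non-empty value enables it (the option's value set is not described here).
    data_encrypted = bool(opts.get("encryption method"))

    if method == "Kerberos":
        spn = opts.get("service principal name")
        if not spn:
            audit.problems.append("Authentication Method=Kerberos requires Service Principal Name")
        else:
            audit.spn = normalize_spn(spn, default_realm)
        if "user id" in opts or "password" in opts:
            audit.notes.append("User ID and Password are ignored when Authentication Method=Kerberos")
        audit.password_protected = True          # Kerberos tickets, not a password, go on the wire
        return audit

    # UserIDPassword and EncryptPassword both need a database user ID.
    if not opts.get("user id"):
        audit.problems.append("User ID is required; the data provider throws an exception without it")
    if method == "EncryptPassword":
        audit.password_protected = True
        audit.notes.append("requires password encryption to be enabled on the Sybase server")
    elif data_encrypted:
        audit.password_protected = True          # whole stream encrypted via Encryption Method
    else:
        audit.problems.append("password is sent in cleartext; use EncryptPassword or set Encryption Method")
    return audit


if __name__ == "__main__":
    # Constructed sample connection strings: the weak default, its corrected form, and Kerberos.
    weak = 'Host=sybase125ase1;Port=5000;User ID=scott;Password="tig;er"'
    fixed = weak + ";Authentication Method=EncryptPassword"
    krb = "Host=sybase125ase1;Authentication Method=Kerberos;Service Principal Name=server/sybase125ase1"
    for cs in (weak, fixed, krb):
        a = audit_authentication(cs)
        print(a.method, a.password_protected, a.spn, a.problems, a.notes)
```

Run as a script, the audit flags the first string for sending the password in cleartext, passes the second, and reports the Kerberos principal as server/sybase125ase1@XYZ.COM after the default realm has been appended.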
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, when Kerberos authentication is used, the Sybase data provider uses the user name and password maintained by the operating system to authenticate users to the database. Because the operating system logon credentials are reused, users with a valid operating system account can log in to the database without supplying a separate user name and password.
Many application servers and Web servers act on behalf of the client user logged on to the machine on which the application is running, rather than as the server user.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server (the Key Distribution Center). The Kerberos server verifies the identity of the user and issues the TGT; the client then presents the TGT to obtain the service tickets that control access to services such as the Sybase server. If the application uses Kerberos authentication from a Windows client and Kerberos is provided by Windows Active Directory, the application user does not need to log on to the Kerberos server and explicitly obtain a TGT, because Windows obtains a TGT for the user at logon.
The application user must explicitly obtain a TGT in the following cases: