9 The SQL Server Data Provider: Authentication

Authentication
Authentication protects the identity of the user so that user credentials cannot be intercepted by malicious hackers when transmitted over the network. See “Authentication” for an overview.
The SQL Server data provider supports the following methods of authentication:
Kerberos authentication requires knowledge of how to configure your Kerberos environment and supports Windows Active Directory Kerberos only.
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. See “Using the Authentication Method Connection String Option” for information about setting the value for this connection string option.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. The data provider uses SQL Server User ID/Password authentication, Kerberos authentication, or NTLM authentication when establishing a connection based on the following criteria:
When AuthenticationMethod=Kerberos, the data provider uses Kerberos authentication when establishing a connection. The data provider ignores any values specified by the User ID and Password connection string options.
When AuthenticationMethod=NTLM, the data provider uses NTLM authentication when establishing a connection if the data provider can load the DLL required for NTLM authentication. If the data provider cannot load the DLL, the data provider throws an exception. The data provider ignores any values specified by the User ID and Password connection string options.
When AuthenticationMethod=UserIDPassword (the default), the data provider uses SQL Server authentication when establishing a connection. The User ID connection string option provides the user ID. The Password connection string option provides the password. If a user ID is not specified, the data provider throws an exception.
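The criteria above can be checked mechanically across an application's configuration files. The following Python script is an added example, not code from the data provider or its vendor: it reports which mechanism each connection string selects and flags User ID/Password values that the provider would ignore or require. It assumes connection strings are semicolon-separated Key=Value pairs without quoted values; the sample strings, including the Host option, are constructed.

```python
# Added example: audits connection strings against the Authentication Method
# criteria in this section. The sample strings are constructed placeholders.
SAMPLES = [
    "Host=db.example.test;Authentication Method=Kerberos;User ID=svc;Password=example",
    "Host=db.example.test;AuthenticationMethod=NTLM",
    "Host=db.example.test;Password=example",
]

def parse(conn_str):
    """Split 'Key=Value;...' into a dict; keys compared without case or spaces.
    Assumption: values contain no ';' (quoted values are not handled)."""
    opts = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key.replace(" ", "").lower()] = value.strip()
    return opts

def audit(conn_str):
    """Return (effective_method, findings) for one connection string."""
    opts = parse(conn_str)
    # UserIDPassword is the documented default when the option is absent.
    method = opts.get("authenticationmethod", "UserIDPassword")
    method = method.replace(" ", "").lower()
    has_user = bool(opts.get("userid"))
    has_pass = bool(opts.get("password"))
    findings = []
    if method in ("kerberos", "ntlm"):
        # The provider ignores User ID and Password for these methods, so any
        # values stored here are unused secrets sitting in configuration.
        if has_user or has_pass:
            findings.append("User ID/Password present but ignored; remove them")
    elif method == "useridpassword":
        if not has_user:
            findings.append("User ID missing; provider throws an exception")
        if has_pass:
            findings.append("Password stored in connection string; protect the config")
    else:
        findings.append("method not covered by the criteria in this section")
    return method, findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```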
Configuring SQL Server Authentication
Set the Authentication Method connection string option to Auto or User ID Password (the default). See “Using the Authentication Method Connection String Option” for more information about setting a value for this connection string option.
Configuring Kerberos Authentication
This section provides requirements and instructions for configuring Kerberos authentication for the Microsoft SQL Server data provider.
Product Requirements
Verify that your environment meets the requirements listed in Table 9-6 before you configure the data provider for Kerberos authentication.
Configuring the Data Provider
To configure the data provider, set the data provider’s Authentication Method connection string option to Kerberos. See “Using the Authentication Method Connection String Option” for more information about setting a value for this connection string option.
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, the SQL Server data provider takes advantage of the user name and password maintained by the operating system to authenticate users to the database. By allowing the database to share the user name and password used for the operating system, users with a valid operating system account can log into the database without supplying a user name and password.
There may be times when you want the data provider to use a set of user credentials other than the operating system user name and password. For example, many application servers or Web servers act on behalf of the client user logged on the machine on which the application is running, rather than the server user.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows client, the application user is not required to log onto the Kerberos server and explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
Configuring NTLM Authentication
This section provides requirements and instructions for configuring NTLM authentication for the Microsoft SQL Server data provider.
Product Requirements
Verify that your environment meets the requirements listed in Table 9-7 before you configure your environment for NTLM authentication.
Configuring the Data Provider
To configure the data provider, set the Authentication Method connection string option to NTLM. See “Using the Authentication Method Connection String Option” for more information about setting a value for this connection string option.