I am trying to use Spring JPA to connect to an MSSQL database using Kerberos. I generated the keytab using:

ktab -k <keytabPath> -a <name>@<domain>

Created a jaas.conf file:

SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule
    required
    client=TRUE
    doNotPrompt=true
    debug=true
    useKeyTab=true
    storeKey=true
    keyTab="<keytabName>" 
    principal="<name>@<domain>"
};

Both the keytab and jaas.conf files are in the resource folder.

app.properties:

spring.jpa.hibernate.dialect=org.hibernate.dialect.SQLServer2012Dialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.hibernate.show_sql=true
spring.datasource.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
spring.datasource.url=jdbc:<url>\\<instance>:<port>;databaseName=<dbName>;authenticationScheme=JavaKerberos;integratedSecurity=true;domain=<domain>

Set the VM parameters:

-Djavax.net.ssl.trustStore=<path_to_cacerts>
-Djava.security.krb5.conf=<path_to_krb5>
-Djava.security.auth.login.config=<path_to_jaas>
-Duser.name=<name>
-Djavax.security.auth.useSubjectCredsOnly=true
-Djava.security.krb5.realm=<domain>
-Djava.security.krb5.kdc=<domain>
-Dsun.security.krb5.debug=true
-Djavax.net.debug=ssl

Yet I am getting an "Unable to obtain password from user" error. What is wrong? It seems the setup is correct. I can connect to the database using the IntelliJ database window (using the Windows credential option).

Johnyb
  • Hi! Can you write the actual error message you get? It could be a lot of things. Maybe it's not finding the file path? Maybe there's some permission error? "Unable to obtain password from user error" is not specific enough. Please edit your question and put the specific error. – GamingFelix Apr 13 '22 at 14:15
  • @GamingFelix that's the error I get.. Kerberos Login failed: Integrated authentication failed due to javax.security.auth.login.LoginException (Unable to obtain password from user ) – Johnyb Apr 13 '22 at 14:53
  • Can you try doing it with verbose? Usually adding -v or -vv will add additional info. Not sure I can help a lot with this though. But could it be that this krb5 file that you have... should it be created with/together with the same credentials etc. as the Kerberos/keytab file? It seems like this is a common question though. Here's another thread with a similar issue: https://stackoverflow.com/questions/29844339/kerberos-spring-javax-security-auth-login-loginexception-unable-to-obtain-passw – GamingFelix Apr 13 '22 at 15:13
  • Also, in the example you can see how you should post an exception, not just one line but the whole stackthread if possible. Makes it way easier to help. – GamingFelix Apr 13 '22 at 15:15
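
A way to separate the JAAS/keytab step from the JDBC driver, as an added example that is not part of the original question or comments: it reads the `SQLJDBCDriver` entry the JVM actually loaded, reports where the `keyTab` value resolves on disk and whether it holds keys for the configured principal, then attempts the login alone. The class name `JaasKeytabCheck` is hypothetical; it assumes the same `-Djava.security.auth.login.config` and `-Djava.security.krb5.conf` flags as the application.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added diagnostic, hypothetical class name; not code from the question.
public class JaasKeytabCheck {
    public static void main(String[] args) {
        String entryName = args.length > 0 ? args[0] : "SQLJDBCDriver";
        // The entry as parsed by the JVM from -Djava.security.auth.login.config
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null) {
            System.err.println("No JAAS entry named " + entryName + " was loaded");
            System.exit(2);
        }
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> opts = entry.getOptions();
            String keyTab = (String) opts.get("keyTab");
            String principal = (String) opts.get("principal");
            System.out.println(entry.getLoginModuleName() + " options: " + opts.keySet());
            if (keyTab == null || principal == null) {
                System.out.println("keyTab or principal not set in this entry");
                continue;
            }
            // A relative keyTab value is a file path resolved against the
            // process working directory, not a classpath resource lookup.
            File file = new File(keyTab);
            System.out.println("keyTab resolves to: " + file.getAbsolutePath());
            System.out.println("exists=" + file.isFile() + " readable=" + file.canRead());
            // Zero keys means the file is missing or has no entry for this
            // exact principal name (spelling, case and realm all matter).
            KerberosKey[] keys = KeyTab.getInstance(file)
                    .getKeys(new KerberosPrincipal(principal));
            System.out.println("keys for " + principal + ": " + keys.length);
        }
        try {
            // Same login the driver triggers, without any JDBC involved.
            LoginContext lc = new LoginContext(entryName);
            lc.login();
            System.out.println("JAAS login OK: " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException ex) {
            System.out.println("JAAS login failed: " + ex.getMessage());
        }
    }
}
```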

0 Answers