Kerberos / Windows authentication

Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial. Recataloged
the database at a client machine.
As far as I can tell, everything is in the right place (and seems to be
mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows 2003, DB2 Express
Client Windows XP

Any clues?
Nov 8 '06 #1
Additional info:
The server is an AD domain controller, and a global catalog.
I get the same behaviour attempting a command-line connection locally on
the server.
Nov 8 '06 #2
Found 2 answers, effectively the same solution. The DB2 service was
running as domain\db2admin, which didn't have Kerberos ticket delegation
rights.
A. Change so DB2 runs as SYSTEM, and ensure the particular server has
delegation rights in Active Directory (which it did by default)
or
B. Give the db2admin account delegation rights. This required using
setspn to give db2admin an SPN, which then makes the delegation tab
visible for that user in Active Directory Users & Computers.

I've gone for option A for simpler administration.

Nov 10 '06 #3
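
An added example, not part of the original thread: a PowerShell check of the two things the fix above turned on, namely which account runs the DB2 engine and whether Active Directory marks that account as trusted for delegation and has SPNs registered. The function name Get-DelegationStatus is hypothetical; the service is located by the db2syscs.exe image name from the log, and the script assumes it runs on the DB2 server under a domain account that can read the directory.

```powershell
# Added example (assumptions: domain-joined host, caller can read AD).
# userAccountControl bit that the "Trust ... for delegation" option sets.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationStatus {
    param(
        [Parameter(Mandatory)][string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # A service running as SYSTEM authenticates on the network as the
    # computer account (NAME$), so that is the account to inspect (option A).
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
        $sam = $ComputerName + '$'
    } else {
        # DOMAIN\user or user@domain -> user (option B, e.g. db2admin)
        $sam = (($StartName -split '\\')[-1]) -replace '@.*$', ''
    }

    $searcher = [adsisearcher]"(sAMAccountName=$sam)"
    [void]$searcher.PropertiesToLoad.Add('useraccountcontrol')
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Account '$sam' not found in Active Directory" }

    $uac = [int]$entry.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        ServiceAccount       = $StartName
        DirectoryAccount     = $sam
        TrustedForDelegation = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        SPNs                 = @($entry.Properties['serviceprincipalname'] |
                                 Where-Object { $_ })
    }
}

# Find the DB2 engine service by its executable and report on its logon account.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*db2syscs*' } |
    ForEach-Object { Get-DelegationStatus -StartName $_.StartName }
```

An empty SPNs list for a domain user account matches the situation in option B, where the delegation tab stays hidden until setspn has registered an SPN for that account.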
