MSSQL with Windows Auth

Important

Set "CREATE_KEYTAB" to True if you automatically want to create a keytab - Use it on your own risk!!
To be on the safe side, manually create the User & Computer objects and then run the script.

Info

Creation of SPN will/could take a while before activated through domain/forest.
- You may need to redeploy before it works

Manually create keytab

Create a normal AD-user (Example: MSSQLDocker_user)
Manually create a Computer Object with User & Computer (Example: MSSQL-DOCKER-COMPUTER)
Run in Powershell and press Y to reset computer password

ktpass /out mssql.keytab /mapuser [email protected] /princ [email protected] /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL

Run in Powershell:

IMPORTANT! Each time ktpass is executed the Kerberos number "kvno" is updated, and all previous keytabs are invalidated.
- If you need multiple SPN in same keytab(?)
  - First ktpass command add -setupn
  - Second time add -setupn and -setpass

setspn -A MSSQLSvc/mssql.vicrem.se:1433 MSSQLDocker_user

ktpass /princ MSSQLSvc/mssql.vicrem.se:[email protected] /mapuser MSSQLDocker_user /pass Password_For_MSSQLDocker_user /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /in mssql.keytab /out mssql.keytab -setupn

Check SPN

PS H:\> setspn -L MSSQLDocker_user
Registered ServicePrincipalNames for CN=MSSQLDocker_user,DC=vicrem,DC=se:
        MSSQLSvc/mssql.vicrem.se:1433

Move mssql.keytab to /var/opt/mssql/secrets/ and change permission/owner so running user mssql (not MSSQLDocker_user) can read the keytab
Your keytab should look something like this:

root@mssql:/tmp# klist -kte /var/opt/mssql/secrets/mssql.keytab

Keytab name: FILE:/var/opt/mssql/secrets/mssql.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
4 01/01/70 01:00:00 [email protected] (arcfour-hmac)
7 01/01/70 01:00:00 MSSQLSvc/mssql.vicrem.se:[email protected] (arcfour-hmac)

Test your keytab

kinit MSSQL-DOCKER-COMPUTER$ -kt /var/opt/mssql/secrets/mssql.keytab
kinit MSSQLSvc/mssql.vicrem.se:1433 -kt /var/opt/mssql/secrets/mssql.keytab

If step 8 == ok then create client.keytab else check KVNO number

cp /var/opt/mssql/secrets/mssql.keytab /var/opt/mssql/secrets/client.keytab

Debuging kerberos/ldap

Add follwing to /var/opt/mssql/logger.ini - or enable env variables in entrypoint.sh

[Output:sql]
type=File
filename=/var/opt/mssql/log/pallog.log

[Logger:security.ldap]
level=debug
outputs=sql

[Logger:security.kerberos]
level=debug
outputs=sql

Name		Name	Last commit message	Last commit date
Latest commit History 29 Commits
init_script		init_script
keytab		keytab
sql_script		sql_script
Dockerfile		Dockerfile
README.md		README.md
docker-compose.yml		docker-compose.yml
log.txt		log.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

MSSQL with Windows Auth

Important

Info

Manually create keytab

Debuging kerberos/ldap

About

Uh oh!

Releases

Packages

Languages

vicrem/mssql

Folders and files

Latest commit

History

Repository files navigation

MSSQL with Windows Auth

Important

Info

Manually create keytab

Debuging kerberos/ldap

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages