
Kerberos Client usage in SqlClient #17078

Closed
aaomidi opened this issue Nov 13, 2019 · 10 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer question
Comments

@aaomidi

aaomidi commented Nov 13, 2019

Reference: dotnet/SqlClient#305

The current workaround for using integrated auth on Linux and Mac platforms is really a bad user experience. It suffers from limitations I put out in the link above.

I want to be able to create a form where I ask the user for their username and password, authenticate with kerberos and then connect to a SqlServer with this integrated auth system.

I want the ability to do this in .NET Core and then be able to pass that to the connection string used for sql connections.

@javiercn javiercn added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Nov 14, 2019
@Tratcher
Member

I want to be able to create a form where I ask the user for their username and password, authenticate with kerberos and then connect to a SqlServer with this integrated auth system.

Isn't one of the main points of kerberos the fact that you don't send the username and password to the server?

@blowdart
Contributor

What Chris said. Kerberos should not be prompted for usernames and passwords; it should be a seamless integrated authentication within a local network. Furthermore, the usernames and passwords in a SQL connection string are not for Kerberos accounts, they are for SQL local accounts, which is entirely different.

We are considering how to flow Kerberos tokens to SQL for v5.0

@aaomidi
Author

aaomidi commented Nov 14, 2019

@Tratcher I agree with you, I'm talking about first-time-setup.

Right now to use Kerberos for the first time I don't have the ability to create a good UI for the users to configure their Kerberos settings.

I'm also thinking about the use case where the user has more than one account they want to use Kerberos to authenticate to - for example, if the user is part of two domains, they can use the interface I'm creating to switch which account they want to use per connection.

Basically the current workflow doesn't work on transient systems (where the machine exists for a couple of hours and then stops); it also requires a ton of work by the user to get the configuration files set up in the correct locations and then use kinit.

Essentially I want to be able to provide a good UX for those cross plat users. Do you have any suggestions about how I can do that?

@blowdart
Contributor

When you say users, you mean end users?

What app type are they connecting to? What OS are they on?

@analogrelay analogrelay added this to the Discussions milestone Nov 14, 2019
@aaomidi
Author

aaomidi commented Nov 15, 2019

I'm a developer on azure data studio https://github.com/microsoft/azuredatastudio/.

Essentially I want to create an easy UI for users to be able to do two things:

  • On windows machines, impersonate another domain/username/password other than the current one they're currently connected to and then be able to use the kerberos (or something else) ticket to communicate with a given SQL server or other database system.

  • On Linux/Mac machines, be able to essentially do what klist does, in code, and maintain the ticket for that specific session they have the application open. Once they're done and close the app, the ticket is removed and the authentication is gone.

I want to bring in the context of authorization per app instead of per machine.
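One way to get the per-session ticket lifetime described in the post above on Linux or macOS, as an added example that is not part of this issue thread, SqlClient, or Azure Data Studio: give the application its own Kerberos credential cache via KRB5CCNAME, so the ticket is scoped to that process and destroyed when it exits. It assumes MIT Kerberos tools (kinit, klist, kdestroy) are installed and krb5.conf already points at the realm; the principal and command names are placeholders.

```shell
#!/bin/sh
# Added example: per-application Kerberos credential cache.
# GSSAPI (which SqlClient uses for Integrated Security on Linux/macOS)
# reads KRB5CCNAME, so a child process inherits this private cache
# instead of the user's shared default cache.

# Create a private, mode-0600 credential cache file and print the
# KRB5CCNAME value that points at it.
new_session_ccache() {
    cache_file=$(mktemp "${TMPDIR:-/tmp}/krb5cc_session_XXXXXX") || return 1
    chmod 600 "$cache_file"
    printf 'FILE:%s\n' "$cache_file"
}

# Strip the FILE: prefix so the cache file can be deleted after the session.
ccache_path() {
    printf '%s\n' "${1#FILE:}"
}

# Run a command with its own ticket: kinit into the private cache, run the
# command, then destroy the ticket and delete the cache file on exit.
# Note: the EXIT trap applies to the calling shell, so use this as a wrapper.
run_with_session_ticket() {
    principal=$1; shift
    KRB5CCNAME=$(new_session_ccache) || return 1
    export KRB5CCNAME
    # Remove the ticket even if the command fails or the shell is interrupted.
    trap 'kdestroy -c "$KRB5CCNAME" 2>/dev/null; rm -f "$(ccache_path "$KRB5CCNAME")"' EXIT INT TERM
    # kinit prompts for the password on the terminal; the password itself never
    # goes into a SqlClient connection string, only the resulting ticket is used.
    kinit "$principal" || return 1
    klist -c "$KRB5CCNAME"   # show what this session's cache holds
    "$@"                     # e.g. the app that opens SqlConnection with Integrated Security=true
}

# Usage (interactive, placeholder names):
#   run_with_session_ticket user@EXAMPLE.COM ./my-app
```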

@Tratcher
Member

Those aren't things you can do from a browser, you need a native client app to collect credentials, do the impersonation, and then call web apis on the server with the given credentials.

The only variation of this a browser supports is if the browser is configured to disable implicit login and always prompt for credentials. That's still not something a web app has control over.

@aaomidi
Author

aaomidi commented Nov 15, 2019

I am going to be using a .NET core application with JSONRPC so I will have access to normal stuff within the context of any application.

@Tratcher
Member

Then how is this an AspNetCore question if all of the work happens on the client?

@aaomidi
Author

aaomidi commented Nov 18, 2019

Yeah I'm guessing the work is handled there. I thought I saw the client asking AspNetCore for the token information but I'm probably wrong.

@blowdart
Contributor

blowdart commented Dec 5, 2019

As this isn't an ASP.NET Core issue, closing.

@blowdart blowdart closed this as completed Dec 5, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Jan 4, 2020