{"id":15430536,"url":"https://github.com/lenisha/jdbc-kerberos","last_synced_at":"2026-03-06T20:03:44.164Z","repository":{"id":116070724,"uuid":"441052359","full_name":"lenisha/jdbc-kerberos","owner":"lenisha","description":"Connecting Kubernetes app JDBC driver to SQL Server with AD/Kerberous Auth","archived":false,"fork":false,"pushed_at":"2022-10-06T20:47:19.000Z","size":115,"stargazers_count":4,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-04T17:50:25.006Z","etag":null,"topics":["active-directory","jdbc","kerberos","kubernetes","sqlserver"],"latest_commit_sha":null,"homepage":"https://medium.com/microsoftazure/connect-azure-kubernetes-java-applications-to-sql-with-kerberos-integrated-authentication-88dfa3fa382c","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lenisha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-23T03:37:00.000Z","updated_at":"2024-01-13T10:17:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"c72abe2e-2441-4527-a655-abc0acd5932e","html_url":"https://github.com/lenisha/jdbc-kerberos","commit_stats":{"total_commits":14,"total_committers":1,"mean_commits":14.0,"dds":0.0,"last_synced_commit":"99d2770599098b7b0106ee0b090f45764b36d950"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/lenisha/jdbc-kerberos","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fjdbc-kerberos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/lenisha%2Fjdbc-kerberos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fjdbc-kerberos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fjdbc-kerberos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lenisha","download_url":"https://codeload.github.com/lenisha/jdbc-kerberos/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fjdbc-kerberos/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30195571,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T19:07:06.838Z","status":"ssl_error","status_checked_at":"2026-03-06T18:57:34.882Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","jdbc","kerberos","kubernetes","sqlserver"],"created_at":"2024-10-01T18:16:50.360Z","updated_at":"2026-03-06T20:03:44.126Z","avatar_url":"https://github.com/lenisha.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Java JDBC apps connecting to SQL with Windows Auth\n\nSetup for the following architecture:\n![Architecture](./WinAuthAKS.jpg)\n\n# User Setup\n- Create a user in Azure AD for the Managed Domain tenant\n- Grant access to the user in 
`testdb`\n```\nCREATE LOGIN [ENEROSORG\\dbuser] FROM WINDOWS\nCREATE USER [ENEROSORG\\dbuser] FOR LOGIN [ENEROSORG\\dbuser];\nALTER ROLE db_owner ADD MEMBER [ENEROSORG\\dbuser];\n```\n\n## Domain Joined VM\n```\nkinit -V eneros@ENEROSORG.ONMICROSOFT.COM\n----------------------------------------------------------------------------------\n\nUsing default cache: /tmp/krb5cc_1000\nUsing principal: dbuser@ENEROSORG.ONMICROSOFT.COM\nPassword for dbuser@ENEROSORG.ONMICROSOFT.COM: \nAuthenticated to Kerberos v5\n\n```\n- Run SQL command\n\n```\nsqlcmd -E -S SQLIAASEN.ENEROSORG.ONMICROSOFT.COM -d testdb -Q \"SELECT SUSER_SNAME();\"\n\n----------------------------------------------------------------------------------\nENEROSORG\\dbuser\n```\n\n## Non Joined VM\n### Install Kerberos utils and config\n```\nsudo apt-get update\nsudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli\n```\n\n### Prepare Keytab\n\n```sh\nktutil:  addent -password -p dbuser@ENEROSORG.ONMICROSOFT.COM -k 2 -e aes128-cts-hmac-sha1-96\nktutil: wkt dbuser.keytab\n```\n\n# Init Token and Execute SQL\n\n```sh\nsudo kinit -V -kt dbuser.keytab  dbuser\n\nUsing default cache: /tmp/krb5cc_1000\nUsing principal: dbuser@ENEROSORG.ONMICROSOFT.COM\nUsing keytab: dbuser.keytab\nAuthenticated to Kerberos v5\n\nsqlcmd -E -S SQLIAASEN.ENEROSORG.ONMICROSOFT.COM -d testdb -Q \"SELECT SUSER_SNAME();\"\n---------------------------------------------------------------------------------------\nENEROSORG\\dbuser\n```\n\n# Java\nOur example uses the JDBC driver's Java implementation of integrated authentication with the Java Krb5LoginModule.\nWe specify the `integratedSecurity=true` and `authenticationScheme=JavaKerberos` connection properties.\n\n## Build\n```\nmvn clean compile 
assembly:single\n```\n\n## Java Test execute\n```\nexport KRB5CCNAME=/tmp/krb5cc_1000\nsudo java -jar target/sql-kerberos-jar-with-dependencies.jar\n```\n\n# Kubernetes\n\n- Build Docker images\n```\ndocker build -t sql-kerberos:1.0 .\ndocker tag sql-kerberos:1.0 acraccess.azurecr.io/sql-kerberos:1.0\ndocker push acraccess.azurecr.io/sql-kerberos:1.0\n```\nor\n```\naz acr build -r acraccess --image sql-kerberos:1.0 -f containers/dbapp/Dockerfile .\n\ncd containers/sidecar\naz acr build -r acraccess --image kinit-sidecar:1.0 .\n\n```\n## Kubernetes setup\n\n- Create a secret with the keytab data\n```\nkubectl create secret generic keytab --from-file=./dbuser.keytab\n```\n\n- Create a configmap with the Kerberos config\n```\nkubectl create cm krb5config --from-file=./containers/krb5.conf\n```\n\n- Create a pod with two containers: a sidecar running kinit to refresh the ticket, and the application\n\n```\nkubectl apply -f containers/k8s-manifest.yaml\n```\n\n- Verify logs\n\n```\nk logs kinit-dbapp -c kinit --tail=20\n\n*** Waiting for 10 seconds\n*** kinit at +2021-12-24 + kinit -V -k dbuser@ENEROSORG.ONMICROSOFT.COM \nUsing default cache: /dev/shm/ccache\nUsing principal: dbuser@ENEROSORG.ONMICROSOFT.COM\nAuthenticated to Kerberos v5\nTicket cache: FILE:/dev/shm/ccache\nDefault principal: dbuser@ENEROSORG.ONMICROSOFT.COM\n\nValid starting     Expires            Service principal\n12/24/21 05:36:25  12/24/21 15:36:25  krbtgt/ENEROSORG.ONMICROSOFT.COM@ENEROSORG.ONMICROSOFT.COM\n        renew until 12/31/21 05:36:25\n*** Waiting for 10 seconds\n```\n\n```\nk logs kinit-dbapp -c dbapp --tail=10\nAuthenticated User: ENEROSORG\\dbuser\nAuthenticated User: ENEROSORG\\dbuser\nAuthenticated User: ENEROSORG\\dbuser\nAuthenticated User: ENEROSORG\\dbuser\n```\n\n### Keyvault setup\n az keyvault secret set --name dbuserkt --vault-name kvforkeytab  --file dbuser.keytab --encoding hex\n\nk create configmap dbconfig --from-literal=SQL-SERVER=SQLIAASEN.ENEROSORG.ONMICROSOFT.COM 
--from-literal=DB-NAME=testdb\n\n\n## References:\n[Join an Ubuntu Linux virtual machine to an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-ubuntu-linux-vm)\n\n[Install sqlcmd ](https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-setup-tools?view=sql-server-ver15)\n\n[Connecting a SQL Server client on Linux using Active Directory authentication](https://sqlsunday.com/2021/04/15/connecting-linux-using-ad-authentication/)\n\n[Linux to Windows Authentication](https://www.sqlservercentral.com/blogs/linux-to-windows-authentication)\n[Linux to Windows Authentication GitHub](https://github.com/fenngineering/GoSql.Kerberos)\n\n[Kerberos Sidecar Container](https://cloud.redhat.com/blog/kerberos-sidecar-container)\n[Kerberos Sidecar Container Github](https://github.com/edseymour/kinit-sidecar)\n\n[Using Kerberos integrated authentication to connect to SQL Server](https://docs.microsoft.com/en-us/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connect-to-sql-server?view=sql-server-ver15)\n\n[Register a Service Principal Name for Kerberos Connections](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver15)\n\n[AD(Active Directory) authentication for SQL Containers on Azure Kubernetes Service (AKS)](https://techcommunity.microsoft.com/t5/sql-server-blog/ad-active-directory-authentication-for-sql-containers-on-azure/ba-p/2745659)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenisha%2Fjdbc-kerberos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flenisha%2Fjdbc-kerberos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenisha%2Fjdbc-kerberos/lists"}