OS authentication is currently available on Windows operating systems. OS authentication is not available in Insights desktop for macOS.
Database connections to Microsoft SQL Server databases have two possible authentication methods: SQL Server authentication and Windows authentication. SQL Server authentication uses a SQL Server user name and password to authenticate. Windows authentication uses a local Windows user account or trusted domain account.
SQL Server relies on Windows to authenticate the Windows user accounts.
The following prerequisites are required before OS authentication can be used to create a database connection:
- Your Insights deployment must be updated to Insights 2020.2 or later. For Insights in ArcGIS Enterprise, the upgrade must include the additional steps to allow OS authentication for database connections if you are updating from Insights 2020.1 or earlier.
- The domain user must be granted delegation by the domain administrator.
- ArcGIS Enterprise must be configured to use Integrated Windows Authentication (required for Insights in ArcGIS Enterprise only).
Grant delegation to the Windows domain user
The domain administrator must grant delegation to a domain user. The domain user's account is used to delegate trust to other domain users.
Use the following steps to grant delegation to a domain user:
- Choose a domain account on which to grant delegation.
It is a best practice to use a domain account with a password that does not expire.
- Create a Service Principal Name (SPN) on the ArcGIS Server machine using the following command: setspn -s http/ <computerName> <userName>
- <computerName> is the fully qualified domain name (FQDN) from the ArcGIS Server machine (for example, servername.domain.com)
- <userName> is the domain user name created with delegation permissions.
Note the SPN for later steps.
- In the active directory on the ArcGIS Server machine, edit the properties to trust the user to delegate SQL Server services (MSSQLSvc) in the domain you want users to access.
The following properties must be used:
- Trust the user for delegation to specified services only
- Use any authentication protocol
- Create a key tab for the identified user domain. To create a key tab, the domain administrator must run the following ktpass commands:
ktpass /out <krb5.keytab file location> /princ <SPN> /mapuser <delegationUsername> /pass <delegationPassword> /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
- <SPN> is the SPN created in the previous step.
- <delegationUsername> is the user name of the chosen delegation account.
- <delegationPassword> is the password for the chosen delegation account
Use the following code block as an example:
ktpass /out C:\Windows\krb5.keytab /princ http/computer.example.com@EXAMPLE.COM /mapuser delegationUserName /pass pa$$word /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
- Ensure that the key tab location is specified in the Kerberos configuration file. The Kerberos configuration file must be located in one of the following paths:
- Windows: C:\Windows\krb5.ini
- Linux: /etc/krb5.conf
List the key tab file location in the krb5.ini or krb5.conf file in a line using the following format:
- Windows: default_keytab_name = file: C:\Windows\krb5.keytab
- Linux: default_keytab_name=file:/etc/krb5.keytab
If the Kerberos configuration does not exits, one can be created by the domain administrator. For more information, see Creating a Kerberos configuration file.