
Recently, I have been working on an ETL framework to load various source data (i.e. files, SQL Server, Oracle and Teradata) into Teradata. Due to some limitations, Java was chosen as the implementation language even though IBM InfoSphere DataStage is available to use. DataStage provides built-in ODBC drivers (from DataDirect), while JDBC drivers are available for almost all databases. For example, Teradata provides JDBC sample code showing how to connect to Teradata using FASTLOAD, FASTLOADCSV, etc.

The whole development process using Java has been smooth even though I didn’t have any experience with it before. As a .NET engineer, it is pretty easy to start coding in Java. Only recently did we meet an issue with Kerberos authentication. Our framework needs to support Windows authentication for SQL Server. It is easy to implement on a Windows client, as we can use sqljdbc_auth.dll, but we need to make it work on UNIX (IBM AIX), where our framework will reside. So we chose pure Java Kerberos authentication. As I am not familiar with Kerberos authentication, it took about one day to read through all the posts and related documentation on the internet. To save you time, I am summarizing the steps required.


If you are not familiar with Kerberos authentication or its usage in SQL Server/Windows, I suggest you read through the following articles:

· MIT Kerberos Documentation:

· Java Kerberos Requirements:

· Using Kerberos Integrated Authentication to Connect to SQL Server:

As we are using Java Kerberos, some Java related executables are used to create configurations.

· Kinit or

· Ktab or or

We will use ktab to create the principal and kinit to create the ticket.

As we are using Java, all the configuration, tools or code will work in all the supported platforms, i.e. Windows, UNIX and Linux.

Create krb5.conf

The following is a sample configuration file. If you need to understand the configuration items, please read through the MIT documentation.

default_realm =
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
#default_keytab_name = /app/etl/krb5.keytab
default_keytab_name = C:\ETL\krb5.keytab

[realms] = {
kdc =
kdc =
[domain_realm] = =

In the above example, I am using a keytab file to generate the ticket. The KDC server name is normally the domain controller server name.

Find KDC in your Active Directory

If you don’t know your KDC server name in your domain, you can use the following command lines to find it out.

nltest /

Change the domain address to your own. In the output, DC is the domain controller, which is normally also your KDC (Key Distribution Center) host name.

The command below will also give you a list of hostnames which you can configure.

nslookup -type=any _kerberos._tcp

Generate keytab file

As I am changing the default location of the Java krb5.conf file, I need to set the Java system property “” to the location of the configuration file.

   java\ETL\krb5.conf -a tangr@

If you have access to any of the default file locations (documented in Java Kerberos documentation), you can directly use ktab command line to create the file.

In the above example, I am using the IBM tool to create a principal named “tangr@”, where “tangr” is the LANID in domain “”. The command line will ask you to input the password for the LANID.

The output is similar to the following:

Password for


Service key for principal saved

Keytab file “C:\ETL\krb5.keytab” will be created based on my configuration if it is not configured previously.

Initialize Ticket

Now that the keytab file has been created, we can initialize the ticket cache by using the following command:

   java\ETL\krb5.conf -k tangr@

Similar to the ktab example, I am using the IBM Kinit tool to generate the ticket. As we are using a keytab, you don’t need to specify the password for your LANID again.


New ticket is stored in cache file C:\Users\tangr\krb5cc_tangr

The cached ticket is stored in user folder with name krb5cc_$username by default.

Connect to SQL Server in Java from Windows or UNIX/Linux

Once all the items are configured, you can initialize the ticket through Java code as well before creating SQL Server connection:

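import java.io.BufferedReader;
import java.io.InputStreamReader;

/**
 * Generate Kerberos authentication ticket.
 *
 * @param configFilePath
 *            Path of krb5.conf file.
 * @param principalName
 *            Principal name to use to generate ticket.
 * @param javaPath
 *            Java path
 * @throws Exception
 */
public void generateTicket(String configFilePath, String principalName, String javaPath) throws Exception {
     System.setProperty("", configFilePath);
     String[] envp = { javaPath, "" + configFilePath,
     "", "-k", principalName };
     ProcessBuilder pb = new ProcessBuilder(envp);
     // Merge stderr into stdout so kinit errors are captured and the child cannot block on a full pipe.
     pb.redirectErrorStream(true);
     // Arrays have no useful toString(); join the arguments to log the actual command line.
     log.logMessage("Command line is: " + String.join(" ", envp));
     Process process = pb.start();
     StringBuilder output = new StringBuilder();
     try (BufferedReader in = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
         String line;
         while ((line = in.readLine()) != null) {
             output.append(line).append(System.lineSeparator());
         }
     }
     // Wait for kinit to finish and fail loudly if no ticket was issued.
     int exitCode = process.waitFor();
     log.logMessage(output.toString());
     if (exitCode != 0) {
         throw new Exception("kinit exited with code " + exitCode);
     }
}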

In the above code, “principalName” is the principal you initialized the ticket for, which is also the account that will be used to connect to your database. In my example, principalName is “tangr@”. “javaPath” can be specified as the full path of java.exe or java, depending on your environment and system path settings. You don’t need to specify a username or password when creating the connection with Kerberos.

conn = DriverManager.getConnection(jdbcString, null, null);

The following is one example of JDBC connection string when using Kerberos authentication:

   jdbc:sqlserver://;integratedSecurity=true;databaseName=myDatabase;authenticationScheme=JavaKerberos;

‘54555’ is the SQL Server service port number. JDBC will automatically build the principal name for you based on the connection string. In SQL Server JDBC 4.2 or later (requires Java version 52.0/1.8), you can also specify the principal name in the connection string.

Fix Some Issues

Unable to obtain Princpal Name for authentication

If you get the above exception, it means you didn’t generate a cached ticket for the principal, so integrated authentication failed.

Caused by: Unable to obtain Princpal Name for authentication
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at Method)
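
One way to confirm whether a usable ticket is in the cache before opening the connection (an added example, not code from the original post): a JAAS login restricted to the ticket cache, which either fails or prints the cached ticket's principal and expiry. It assumes an Oracle/OpenJDK runtime, whose login module is com.sun.security.auth.module.Krb5LoginModule; the class name TicketCacheCheck and its argument order are hypothetical, and IBM JDKs ship their own login module with different option names.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical helper: java TicketCacheCheck <krb5.conf path> <user@REALM>
public class TicketCacheCheck {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: TicketCacheCheck <krb5.conf> <principal>");
            System.exit(2);
        }
        System.setProperty("java.security.krb5.conf", args[0]);

        // Cache only: never prompt and never fall back to a keytab or password.
        final Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");
        options.put("doNotPrompt", "true");
        options.put("principal", args[1]);

        // In-memory JAAS configuration, so no login.conf file is needed.
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, options) };
            }
        };
        try {
            LoginContext login = new LoginContext("ticket-cache-check", null, null, jaas);
            login.login();
            for (KerberosTicket t : login.getSubject().getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("client=" + t.getClient() + " server=" + t.getServer()
                        + " expires=" + t.getEndTime() + " current=" + t.isCurrent());
            }
        } catch (LoginException e) {
            // Missing, expired or mismatched cache: run kinit for this principal first.
            System.err.println("No usable cached ticket for " + args[1] + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A non-zero exit here means the ticket has to be generated (or regenerated) with kinit for that exact principal before the JDBC connection is attempted.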




Illegal key size or default parameters

If you get this exception, it means the encryption types in your krb5.conf are not configured correctly.

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

I got this issue when our AD was configured not to avoid AES256 while I had previously added it to the above configuration. Once I removed that algorithm from the list, the problem was resolved.
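
A quick way to check a krb5.conf for this failure before deploying it (an added example, not code from the original post): "Illegal key size or default parameters" is what the JCE raises when a key is longer than the JVM's cryptography policy allows, so the check compares the configured enctypes with Cipher.getMaxAllowedKeyLength("AES"). It also reports the DES, 3DES and RC4 enctypes in the list, which RFC 6649 and RFC 8429 deprecate; the class name EnctypeCheck and the sample lines are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;

public class EnctypeCheck {
    // Enctypes deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
    static final List<String> LEGACY = Arrays.asList(
            "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac");

    // Returns one finding per problematic entry in the default_*_enctypes lines.
    static List<String> audit(List<String> confLines, int maxAesBits) {
        List<String> findings = new ArrayList<>();
        for (String raw : confLines) {
            String line = raw.trim();
            int eq = line.indexOf('=');
            if (line.startsWith("#") || eq < 0) continue;
            String key = line.substring(0, eq).trim();
            if (!key.startsWith("default_t") || !key.endsWith("_enctypes")) continue;
            for (String enc : line.substring(eq + 1).trim().split("[\\s,]+")) {
                if (enc.startsWith("aes256") && maxAesBits < 256) {
                    findings.add(key + ": " + enc + " needs 256-bit AES but this JVM allows "
                            + maxAesBits + " bits (\"Illegal key size\")");
                } else if (LEGACY.contains(enc)) {
                    findings.add(key + ": " + enc + " is a deprecated enctype");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        // Constructed sample; pass a krb5.conf path as args[0] to audit a real file.
        List<String> lines = args.length > 0
                ? Files.readAllLines(Paths.get(args[0]))
                : Arrays.asList("[libdefaults]",
                        "default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5",
                        "default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac");
        // 128 under a limited JCE policy, Integer.MAX_VALUE when unrestricted.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by this JVM: " + maxAes);
        audit(lines, maxAes).forEach(System.out::println);
    }
}
```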

Last modified by Raymond 4 years ago

Comments (2)

Raymond
@susan Hi, please refer to the KTab and KInit links in the page to generate the principal: As we are using Java Kerberos, some Java related executables are used to create configurations. · Kinit or · Ktab or or

susan, 3 years ago
Re: Java Kerberos Authentication Configuration Sample & SQL Server Connection Practice

Can you provide the detailed steps to fix the Unable to obtain Principal Name for authentication? I have been searching for this one. Your posting identified the issue.