  #1 (permalink)  
Old 08-04-10, 13:25
offtheboxuser offtheboxuser is offline
Registered User
 
Join Date: Sep 2009
Posts: 4
Authentication on DB2 - Audit

Hi:
I've been tasked with auditing some information security aspects of our db2 servers in our organization. To brief it up, we are:

Clients: 1500 Gupta applications on Windows XP workstations
Windows Active Directory infrastructure for clients (i.e., clients log on to the Windows domain)
01 db2 server

I also agree to not being very savvy on some db2 technical issues, especially on developing client-side applications.

Anyway, during a documentation review something came to my attention, and that was the authentication model being used by the client applications that use the db2 server. It was clear to me that authentication is accomplished by the db2 server itself because passwords are stored in the db2 server in a special user table which is encrypted by the de facto encrypt function of the db2 server.

As far as I understand, db2 can interact with Active Directory for authentication purposes, and that would avoid storing passwords in a db2 table, which seems to me very questionable.

My question would be whether this interaction between db2 and MS Active Directory as an authentication solution for the Gupta application is a typical task, and not something that the current database administrator could have arguments against, such as integration complexity.
Any other alternative for the authentication model would be great too, since the current password storage is unacceptable as I see it.

Thank you

Otb.
  #2 (permalink)  
Old 08-04-10, 14:17
n_i n_i is offline
:-)
 
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
DB2 does not do authentication - it delegates the task to the operating system. This means, in particular, that a DB2 server on Windows will ask Windows to authenticate users first in AD, then locally on the server.

Since DB2 does not authenticate users itself, the user IDs and passwords stored in a special table that you are referring to must belong to the application, and the question really is about your application being able to authenticate against AD.
  #3 (permalink)  
Old 08-04-10, 16:13
offtheboxuser offtheboxuser is offline
Registered User
 
Join Date: Sep 2009
Posts: 4
Having as a reference: Authentication methods for your server

I think it all comes down to Kerberos authentication vs. a method where the application authenticates itself by checking user credentials against information stored in a db2 table.

Given an environment of application development for db2, is it a regular or acceptable practice to store user IDs and passwords in a db2 table so that the applications authenticate with the stored user credentials?

I know this may sound simplistic, but how difficult is it to implement a Kerberos authentication method with DB2?

Thank you
  #4 (permalink)  
Old 08-04-10, 18:26
n_i n_i is offline
:-)
 
Join Date: Jun 2003
Location: Toronto, Canada
Posts: 4,449
Quote:
Originally Posted by offtheboxuser
I think it all comes down to Kerberos-authentication
So, you don't want Active Directory anymore?

Quote:
Originally Posted by offtheboxuser
Given an environment of application development for db2, is it a regular or acceptable practice to store userids and passwords in a db2 table so the applications authenticate with user credentials stored?
It has nothing to do with DB2 - it's the application architecture.

Quote:
Originally Posted by offtheboxuser
I know this may sound simplistic, but how difficult is to implement a kerberos-authentication method with DB2?
It probably isn't very difficult, once you have Kerberos authentication set up on all your servers.
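An added example, not part of any poster's reply: if the application keeps its own user table, as discussed in this thread, the stored value can be a salted one-way verifier rather than a reversibly encrypted password. Here sqlite3 stands in for the application's DB2 table, and the table, column and function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # constructed work factor; tune to the hardware in use


def derive(password: str, salt: bytes) -> bytes:
    # One-way key derivation: the stored value cannot be decrypted back
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    # In-memory sqlite3 stands in for the application's user table (assumption)
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE app_users (userid TEXT PRIMARY KEY, salt BLOB, verifier BLOB)"
    )
    return db


def enroll(db: sqlite3.Connection, userid: str, password: str) -> None:
    salt = os.urandom(16)  # fresh salt per user, so equal passwords differ at rest
    db.execute(
        "INSERT OR REPLACE INTO app_users VALUES (?, ?, ?)",
        (userid, salt, derive(password, salt)),
    )


def stored_row(db: sqlite3.Connection, userid: str):
    # What an auditor (or someone who copied the table) would see for this user
    return db.execute(
        "SELECT salt, verifier FROM app_users WHERE userid = ?", (userid,)
    ).fetchone()


def verify(db: sqlite3.Connection, userid: str, password: str) -> bool:
    row = stored_row(db, userid)
    if row is None:
        # Spend the same work for unknown users so timing does not reveal valid ids
        derive(password, b"\x00" * 16)
        return False
    salt, verifier = row
    # Constant-time comparison of the recomputed verifier with the stored one
    return hmac.compare_digest(derive(password, salt), verifier)
```

An audit of such a table checks that no column holds a value from which the password can be recovered, and that two users with the same password do not share a stored value.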