  1. #1
    Join Date
    Jan 2003
    Posts
    3

    UDB Client Authentication in Windows Environment

    I am 90% through a client server implementation of UDB 7.2. Server is Windows 2000, client is W2K as well.

    Both the servers and clients are in a single NT 4 domain (NTDOM) and so we went down the path of client authentication. This enabled us to not have to pass userid/passwords at connection. The UDB server 'trusted' the authentication performed at the client. Given that the client authenticated against the same NT domain as was used by the UDB server everything seemed OK.

    Today I discovered that I can create a LOCAL account on my client (say DBADMIN), logon locally (NOT TO NT DOMAIN NTDOM) and then issue DB2 CONNECT to PROD (no userid/password). The UDB server determines that I am a secure client and so accepts the userid of DBADMIN without further verification. It then proceeds to grant access based on the membership that DBADMIN has within NTDOM.

    I am sure I am not the only one to have been led into this trap. Has anyone found a workable solution? An exit? A wrapper? Or do I have to re-engineer a solution based on SERVER authentication and put up with hardcoded userid/password strings lying around in files?

  2. #2
    Join Date
    Apr 2003
    Posts
    17

    Re: UDB Client Authentication in Windows Environment

    "Trusted" really does mean trusted. I don't know of any way to differentiate. You're basically turning off any examination of credentials at the server.

    And yes, if you are running from a client machine with server authentication, you will have to send a password along from somewhere. Naturally the best route is to do as much as possible on the server or from an application server acting as intermediary.


  3. #3
    Join Date
    Apr 2003
    Posts
    191

    Re: UDB Client Authentication in Windows Environment

    Hi,

    looks like DB2 UDB v. 8 comes with Kerberos support. Haven't tried it and can't say if there are limitations (I bet there are). If you don't want to follow browen's recommendations this is probably the only way you can go.

  4. #4
    Join Date
    Jan 2003
    Posts
    3

    Thanks for the comments.

    I spent a few hours trolling through GOOGLE and came up with a hit on a UDB parameter called DB2DOMAINLIST. This provides an additional check within the server to verify that the authentication occurred on a specified DOMAIN. This seems to solve my problem precisely. Thanks for the advice anyway.

    JC
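    An added audit script (not part of this thread, and not IBM's code) that checks a server for the combination described above: AUTHENTICATION set to CLIENT with no DB2DOMAINLIST registry variable restricting which domain a trusted client's logon may come from. It parses constructed samples of the output of `db2 get dbm cfg` and `db2set -all`; the parameter names are real DB2 settings, but the exact output layout is an assumption modelled on the CLP.

```python
import re

# Constructed sample of `db2 get dbm cfg` output on a server configured
# as in the thread (client authentication trusted). Layout is assumed.
DBM_CFG_CLIENT_AUTH = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
"""

# Constructed `db2set -all` output before and after setting DB2DOMAINLIST.
# "[i]" marks an instance-level variable (assumed layout).
REGISTRY_BEFORE = """\
[i] DB2COMM=TCPIP
"""
REGISTRY_AFTER = """\
[i] DB2DOMAINLIST=NTDOM
[i] DB2COMM=TCPIP
"""

# "(AUTHENTICATION) = CLIENT" -> ("AUTHENTICATION", "CLIENT")
CFG_RE = re.compile(r"\((\w+)\)\s*=\s*(\S*)")
# "[i] DB2DOMAINLIST=NTDOM" -> ("DB2DOMAINLIST", "NTDOM")
REG_RE = re.compile(r"^\[[ieg]\]\s*(\w+)=(.*)$", re.M)


def parse_dbm_cfg(text):
    """Map database manager configuration parameter names to values."""
    return {k.upper(): v.upper() for k, v in CFG_RE.findall(text)}


def parse_registry(text):
    """Map DB2 registry variable names to their values."""
    return {k.upper(): v.strip() for k, v in REG_RE.findall(text)}


def audit(dbm_cfg_text, registry_text):
    """Return a list of findings; empty when the configuration is acceptable."""
    cfg = parse_dbm_cfg(dbm_cfg_text)
    reg = parse_registry(registry_text)
    findings = []
    if cfg.get("AUTHENTICATION") == "CLIENT":
        domains = [d for d in reg.get("DB2DOMAINLIST", "").split(",") if d]
        if not domains:
            findings.append(
                "AUTHENTICATION=CLIENT without DB2DOMAINLIST: a local account "
                "on any trusted client is accepted without domain verification")
    return findings
```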
