
Grant delegation to the Windows domain user

Vicki Cove edited this page Jul 28, 2022 · 2 revisions

Database connections to Microsoft SQL Server databases have two possible authentication methods: SQL Server authentication and Windows authentication. SQL Server authentication uses a SQL Server user name and password to authenticate. Windows authentication uses a local Windows user account or trusted domain account.

The following prerequisites are required before Windows authentication can be used to create a database connection:

  • The domain user must be granted delegation by the domain administrator.
  • ArcGIS Enterprise must be configured to use Integrated Windows Authentication (required for Insights in ArcGIS Enterprise only).

The domain administrator must grant delegation to a domain user. This account (the delegation account) is the identity ArcGIS Server uses to forward the signed-in user's identity on to SQL Server, so the database sees the end user rather than the service account.

Use the following steps to grant delegation to a domain user:

  1. Choose a domain account on which to grant delegation.

    The keytab created in step 4 contains a key derived from this account's password, so any password change invalidates the keytab until it is regenerated. For that reason it is common practice to use a domain account with a password that does not expire. Compensate for the non-expiring password with a long random value, deny interactive logon for the account, and regenerate the keytab whenever the password is rotated.

  2. Register a Service Principal Name (SPN) for the ArcGIS Server machine on the delegation account using the following command (no space after HTTP/): setspn -S HTTP/<computerName> <userName>

    The -S switch first checks that the SPN is not already registered to another account; a duplicate SPN causes Kerberos authentication to fail.

    where:

    • <computerName> is the fully qualified domain name (FQDN) of the ArcGIS Server machine (for example, servername.domain.com)
    • <userName> is the domain account chosen in step 1, in the form domain\username

    Note the SPN for later steps.

  3. In Active Directory Users and Computers (on a domain controller or a workstation with RSAT), open the properties of the delegation account and, on the Delegation tab, trust it to delegate to the SQL Server service (MSSQLSvc) on the database servers your users need to reach.

    The Delegation tab only appears once the account has at least one SPN registered, so complete step 2 first. The following properties must be used:

    • Trust this user for delegation to specified services only
    • Use any authentication protocol

    Selecting "Use any authentication protocol" enables protocol transition: the delegation account can obtain Kerberos tickets to the listed MSSQLSvc services on behalf of any domain user without that user's credentials. Treat the account and its keytab as equivalent to every user's access to those SQL Servers, list only the MSSQLSvc SPNs that are actually needed, and never combine this with unconstrained delegation.
  4. Create a keytab for the delegation account.

    To create the keytab, the domain administrator must run the following ktpass command:

    ktpass /out <krb5.keytab file location> /princ <SPN> /mapuser <delegationUsername> /pass <delegationPassword> /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

    where:

    • <SPN> is the SPN created in step 2, qualified with the Kerberos realm in upper case (for example, HTTP/servername.domain.com@DOMAIN.COM)
    • <delegationUsername> is the user name of the chosen delegation account
    • <delegationPassword> is the password for the chosen delegation account

    Be aware of the side effects: ktpass with /mapuser and /pass sets the account's password to the value given and changes the account's user principal name to <SPN>, so supply the account's current password or plan for the reset. Using /pass * makes ktpass prompt for the password instead of leaving it in the command history. /crypto all writes a key for every encryption type ktpass supports, including RC4; where all clients support AES, /crypto AES256-SHA1 limits the keytab to that key type. The keytab is equivalent to the account's password: restrict its file permissions to administrators and the account that runs ArcGIS Server.

    Use the following code block as an example:

    ktpass /out C:\Windows\krb5.keytab /princ http/computer.example.com@EXAMPLE.COM /mapuser delegationUserName /pass pa$$word /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

  5. Ensure that the keytab location is specified in the Kerberos configuration file. The Kerberos configuration file must be located in one of the following paths:

    • Windows: C:\Windows\krb5.ini
    • Linux: /etc/krb5.conf

    List the keytab file location in the [libdefaults] section of the krb5.ini or krb5.conf file, with no space after FILE:, using the following format:

    • Windows: default_keytab_name = FILE:C:\Windows\krb5.keytab
    • Linux: default_keytab_name = FILE:/etc/krb5.keytab

Note:
If the Kerberos configuration file does not exist, one can be created by the domain administrator. For more information, see Creating a Kerberos configuration file.
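The five steps above carried out end to end as a PowerShell script, added here as an illustration and not part of this wiki or of any Esri tooling. It is meant to be run by a domain administrator on a machine with RSAT (the ActiveDirectory module, setspn.exe and ktpass.exe). All names in it (the EXAMPLE domain, arcgis.example.com, sql01.example.com, dc1.example.com, the svc-insights-deleg and svc-arcgisserver accounts) are assumptions; replace them with your own. It goes beyond the text in two places that the notes above call for: it uses /pass * and /crypto AES256-SHA1 instead of a password on the command line and /crypto all, and it locks down the keytab file and reads the delegation settings back from Active Directory so you can confirm what was actually stored.

```powershell
# Added example, not from the Esri wiki: constrained delegation setup for the
# ArcGIS Server / Insights delegation account. Every name below is an assumption.
#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Domain         = 'EXAMPLE'                  # NetBIOS domain name (assumed)
$Realm          = 'EXAMPLE.COM'              # Kerberos realm, always upper case (assumed)
$Kdc            = 'dc1.example.com'          # a domain controller (assumed)
$ArcGisFqdn     = 'arcgis.example.com'       # FQDN of the ArcGIS Server machine (assumed)
$DelegationUser = 'svc-insights-deleg'       # step 1: chosen delegation account (assumed)
$SqlHost        = 'sql01.example.com'        # SQL Server users will reach (assumed)
$SqlPort        = 1433
$Keytab         = 'C:\Windows\krb5.keytab'
$Krb5Ini        = 'C:\Windows\krb5.ini'
$ArcGisService  = "$Domain\svc-arcgisserver" # account running ArcGIS Server; must read the keytab (assumed)
$Spn            = "HTTP/$ArcGisFqdn"

# Step 1: the keytab holds a key derived from the password, so a password change
# silently invalidates it. Non-expiring is convenient; compensate with a long random
# password, no interactive logon, and a scheduled re-run of ktpass when rotating.
Set-ADUser -Identity $DelegationUser -PasswordNeverExpires $true

# Step 2: register the SPN. -S refuses to create a duplicate SPN, which would break Kerberos.
& setspn.exe -S $Spn "$Domain\$DelegationUser"
if ($LASTEXITCODE -ne 0) { throw "setspn failed: duplicate SPN or unknown account" }

# Step 3: delegation to the listed MSSQLSvc services only, with protocol transition
# ("Use any authentication protocol"). Both the port and port-less SPN forms are listed
# because SQL Server clients may request either one.
$Targets = @("MSSQLSvc/${SqlHost}:$SqlPort", "MSSQLSvc/$SqlHost")
Set-ADUser -Identity $DelegationUser -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
Set-ADAccountControl -Identity $DelegationUser -TrustedToAuthForDelegation $true

# Step 4: create the keytab. /pass * prompts instead of leaving the secret in history.
# ktpass resets the account password to what you type and sets its UPN to the SPN.
# AES256-SHA1 instead of "all" keeps RC4 keys out of the keytab.
& ktpass.exe /out $Keytab /princ "$Spn@$Realm" /mapuser "$Domain\$DelegationUser" `
    /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /mapop set
if ($LASTEXITCODE -ne 0) { throw "ktpass failed" }

# The keytab is as sensitive as the account password: drop inherited ACLs and grant
# read only to SYSTEM, administrators and the ArcGIS Server service account.
& icacls.exe $Keytab /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' "${ArcGisService}:(R)"

# Step 5: point the Kerberos configuration at the keytab in [libdefaults].
if (-not (Test-Path $Krb5Ini)) {
    @(
        '[libdefaults]',
        "    default_realm = $Realm",
        "    default_keytab_name = FILE:$Keytab",
        '[realms]',
        "    $Realm = {",
        "        kdc = $Kdc",
        '    }'
    ) | Set-Content -Path $Krb5Ini -Encoding Ascii
}
$ini = Get-Content -Path $Krb5Ini -Raw
if ($ini -notmatch '(?m)^\s*default_keytab_name\s*=') {
    $ini = $ini -replace '(?m)^\[libdefaults\][ \t]*$', "[libdefaults]`r`n    default_keytab_name = FILE:$Keytab"
    Set-Content -Path $Krb5Ini -Value $ini -Encoding Ascii
}

# Verification: read back what Active Directory and the file system actually hold.
$acct = Get-ADUser -Identity $DelegationUser -Properties ServicePrincipalNames,
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, UserPrincipalName
[pscustomobject]@{
    SPNs               = $acct.ServicePrincipalNames -join ', '
    DelegateTo         = $acct.'msDS-AllowedToDelegateTo' -join ', '
    ProtocolTransition = $acct.TrustedToAuthForDelegation   # must be True for "any protocol"
    UPN                = $acct.UserPrincipalName             # ktpass sets this to the SPN
    KeytabReaders      = (Get-Acl -Path $Keytab).Access.IdentityReference -join ', '
} | Format-List
```

Run it once per delegation account. If the verification output shows more entries in DelegateTo than the SQL Servers you intend to expose, or TrustedToAuthForDelegation is False, the Delegation tab settings in step 3 did not take effect; fix them before distributing the keytab to the ArcGIS Server machine.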
