microsoft · shueybubbles · Oct 11, 2022 · Jul 8, 2022 · Jul 8, 2022 · Aug 12, 2022
diff --git a/README.md b/README.md
@@ -59,6 +59,16 @@ Other supported formats are listed below.
 * `Workstation ID` - The workstation name (default is the host name)
 * `ApplicationIntent` - Can be given the value `ReadOnly` to initiate a read-only connection to an Availability Group listener. The `database` must be specified when connecting with `Application Intent` set to `ReadOnly`.
 
+### Kerberos Parameters
+
+* `krb5conffile` - File path for kerberos configuration file.
+* `realm` - Domain name for kerberos authentication.
+* `keytabfile` - Keytab file path.
+* `krbcache` - Credential cache path.
+* For further information on usage: 
+  * <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html>
+  * <https://web.mit.edu/kerberos/krb5-1.12/doc/basic/index.html>
+
 ### The connection string can be specified in one of three formats
 
 1. URL: with `sqlserver` scheme. username and password appears before the host. Any instance appears as
@@ -88,11 +98,17 @@ Other supported formats are listed below.
 
     ```
 
+* `sqlserver://username@host/instance?krb5conffile=path/to/file&krbcache=/path/to/cache`
+    * `sqlserver://username@host/instance?krb5conffile=path/to/file&realm=domain.com&keytabfile=/path/to/keytabfile`
+
 2. ADO: `key=value` pairs separated by `;`. Values may not contain `;`, leading and trailing whitespace is ignored.
      Examples:
 
     * `server=localhost\\SQLExpress;user id=sa;database=master;app name=MyAppName`
     * `server=localhost;user id=sa;database=master;app name=MyAppName`
+    * `server=localhost;user id=sa;database=master;app name=MyAppName;krb5conffile=path/to/file;krbcache=path/to/cache`
+    * `server=localhost;user id=sa;database=master;app name=MyAppName;krb5conffile=path/to/file;realm=domain.com;keytabfile=path/to/keytabfile`
+
 
     ADO strings support synonyms for database, app name, user id, and server
     * server <= addr, address, network address, data source
@@ -112,6 +128,8 @@ Other supported formats are listed below.
     * `odbc:server=localhost;user id=sa;password=foo}bar`   // Literal `}`, password is "foo}bar"
     * `odbc:server=localhost;user id=sa;password={foo{bar}` // Literal `{`, password is "foo{bar"
     * `odbc:server=localhost;user id=sa;password={foo}}bar}` // Escaped `} with`}}`, password is "foo}bar"
+    * `odbc:server=localhost;user id=sa;database=master;app name=MyAppName;krb5conffile=path/to/file;krbcache=path/to/cache`
+    * `odbc:server=localhost;user id=sa;database=master;app name=MyAppName;krb5conffile=path/to/file;realm=domain.com;keytabfile=path/to/keytabfile`
 
 ### Azure Active Directory authentication
 
@@ -322,6 +340,7 @@ db.QueryContext(ctx, `select * from t2 where user_name = @p1;`, mssql.VarChar(na
 * Supports Single-Sign-On on Windows
 * Supports connections to AlwaysOn Availability Group listeners, including re-direction to read-only replicas.
 * Supports query notifications
+* Supports Kerberos Authentication
 
 ## Tests
 

diff --git a/auth.go b/auth.go
@@ -0,0 +1,15 @@
+//go:build !windows
+// +build !windows
+
+package mssql
+
+import "github.com/microsoft/go-mssqldb/msdsn"
+
+func getAuthN(p msdsn.Config) (auth auth, authOk bool) {
+	if p.Kerberos != nil && p.Kerberos.Config != nil {
+		auth, authOk = getKRB5Auth(p.User, p.ServerSPN, p.Kerberos.Config, p.Kerberos.Keytab, p.Kerberos.Cache)
+	} else {
+		auth, authOk = getAuth(p.User, p.Password, p.ServerSPN, p.Workstation)
+	}
+	return
+}
diff --git a/auth_windows.go b/auth_windows.go
@@ -0,0 +1,11 @@
+//go:build windows
+// +build windows
+
+package mssql
+
+import "github.com/microsoft/go-mssqldb/msdsn"
+
+func getAuthN(p msdsn.Config) (auth auth, authOk bool) {
+	auth, authOk = getAuth(p.User, p.Password, p.ServerSPN, p.Workstation)
+	return
+}
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe
 	github.com/golang-sql/sqlexp v0.1.0
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.2
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88
 	golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7 // indirect

diff --git a/go.sum b/go.sum
@@ -24,6 +24,24 @@ github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EO
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8=
+github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.2 h1:6ZIM6b/JJN0X8UM43ZOM6Z4SJzla+a/u7scXFJzodkA=
+github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
@@ -34,13 +52,17 @@ github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzL
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
@@ -67,6 +89,7 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

diff --git a/kerbauth.go b/kerbauth.go
@@ -0,0 +1,123 @@
+package mssql
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/jcmturner/gokrb5/v8/client"
+	"github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/credentials"
+	"github.com/jcmturner/gokrb5/v8/keytab"
+	"github.com/jcmturner/gokrb5/v8/spnego"
+)
+
+type krb5Auth struct {
+	username   string
+	realm      string
+	serverSPN  string
+	port       uint64
+	krb5Config *config.Config
+	krbKeytab  *keytab.Keytab
+	krbCache   *credentials.CCache
+	krb5Client *client.Client
+	state      krb5ClientState
+}
+
+func getKRB5Auth(user, serverSPN string, krb5Conf *config.Config, keytabContent *keytab.Keytab, cacheContent *credentials.CCache) (auth, bool) {
+	var port uint64
+	var realm, serviceStr string
+	var err error
+
+	params1 := strings.Split(serverSPN, ":")
+	if len(params1) != 2 {
+		return nil, false
+	}
+
+	params2 := strings.Split(params1[1], "@")
+	switch len(params2) {
+	case 1:
+		port, err = strconv.ParseUint(params1[1], 10, 16)
+		if err != nil {
+			return nil, false
+		}
+	case 2:
+		port, err = strconv.ParseUint(params2[0], 10, 16)
+		if err != nil {
+			return nil, false
+		}
+	default:
+		return nil, false
+	}
+
+	params3 := strings.Split(serverSPN, "@")
+	switch len(params3) {
+	case 1:
+		serviceStr = params3[0]
+		params3 = strings.Split(params1[0], "/")
+		params3 = strings.Split(params3[1], ".")
+		realm = params3[1] + "." + params3[2]
+	case 2:
+		realm = params3[1]
+		serviceStr = params3[0]
+	default:
+		return nil, false
+	}
+
+	return &krb5Auth{
+		username:   user,
+		serverSPN:  serviceStr,
+		port:       port,
+		realm:      realm,
+		krb5Config: krb5Conf,
+		krbKeytab:  keytabContent,
+		krbCache:   cacheContent,
+	}, true
+}
+
+func (auth *krb5Auth) InitialBytes() ([]byte, error) {
+	var cl *client.Client
+	var err error
+	// Init keytab from conf
+	if auth.krbKeytab != nil {
+		// Init krb5 client and login
+		cl = client.NewWithKeytab(auth.username, auth.realm, auth.krbKeytab, auth.krb5Config, client.DisablePAFXFAST(true))
+	} else {
+		cl, err = client.NewFromCCache(auth.krbCache, auth.krb5Config)
+		if err != nil {
+			return []byte{}, err
+		}
+	}
+	auth.krb5Client = cl
+	auth.state = initiatorStart
+	tkt, sessionKey, err := cl.GetServiceTicket(auth.serverSPN)
+	if err != nil {
+		return []byte{}, err
+	}
+
+	negTok, err := spnego.NewNegTokenInitKRB5(auth.krb5Client, tkt, sessionKey)
+	if err != nil {
+		return []byte{}, err
+	}
+
+	outToken, err := negTok.Marshal()
+	if err != nil {
+		return []byte{}, err
+	}
+	auth.state = initiatorWaitForMutal
+	return outToken, nil
+}
+
+func (auth *krb5Auth) Free() {
+	auth.krb5Client.Destroy()
+}
+
+func (auth *krb5Auth) NextBytes(token []byte) ([]byte, error) {
+	var spnegoToken spnego.SPNEGOToken
+	if err := spnegoToken.Unmarshal(token); err != nil {
+		err := fmt.Errorf("unmarshal APRep token failed: %w", err)
+		return []byte{}, err
+	}
+	auth.state = initiatorReady
+	return []byte{}, nil
+}