Skip to main content
C
Cheerful_Whisper3883
Participant
October 15, 2025
Question

CF2023 Kerberos Authentication running on Windows IIS

  • October 15, 2025
  • 2 replies
  • 296 views

I have a internal coldfusion 2023 application running on Windows 2022 server OS with IIS. We have been using MS SQL authentication to connect to the SQL database but organization recently changed policies to use Windows authentication using Kerberos ONLY. I am able to sucessfully connect to the database using NTLM but my org is not accepting NTLM as it is outdated.

I went through the online articles followed the steps but I feel like I am missing something that is required for Kerberos authentication. I am able to successfully connect to the same database from a .NET application running on a Containarized application with Kerberos. Below is what I have done so far but no luck in CF 2023

  • Changed the Coldfusion 2023 service to run as Domain account (DEV\userLAN)
  • Changed the Coldfusion 2023 service to run as ServiceAccount (DEV\ServiceAccountName)
  • used SQL JDBC server with integratedSecurity=true in AdvancedSettings under Data Source in Administrator
  • Also tried with JavaKerberos as authentication mechanism in AdvancedSettings

I havebeen trying to find the solution but there is no luck so far. Any help is highly appreciated

 

  • How to know if the SPN is correctly configured? does the  SPN needs to be registered with the Domain account used in the CF 2023 applicaiton service under services.msc or Does it need to be registered with Windows Server name?
  • Is there anything that you think I am missing?

 

Thank you

- Gowtham

    2 replies

    D
    Community Expert
    Dave WattsCommunity Expert
    Community Expert
    October 15, 2025

    There are a couple of non-obvious things going on here. First, by default, ColdFusion 2023 uses the Progress DataDirect for JDBC library for SQL Server, which is a third-party driver that's not exactly the same as Microsoft's own JDBC driver. I haven't checked the details that closely, but the connection string properties are different. You have a couple ways you could go here.

     

    1. Change the connection string properties to work with the DataDirect JDBC driver
    A sample is shown here:
    https://docs.progress.com/bundle/datadirect-microsoft-sql-server-jdbc-60/page/Connection-URL-examples.html#Connection-URL-examples__kerberos

    and looks like this:

    jdbc:datadirect:sqlserver://myserver:1433;
    DatabaseName=sqlserverDB;AuthenticationMethod=kerberos;
    ServicePrincipalName=MSSQLSvc/myserver.example.com:1433@EXAMPLE.COM;

    With CF you can edit your connection string directly although the default way to edit it is just to fill out the standard form. I think you'll need to edit it directly to add the service principal name. Note the AuthenticationMethod value is "kerberos", not "JavaKerberos" - I think the second one is specifically for Microsoft's own JDBC driver. You'll probably also want to read this for more information about the ServicePrincipalName (SPN) attribute:
    https://docs.progress.com/bundle/datadirect-microsoft-sql-server-jdbc-60/page/Kerberos-authentication.html#Kerberos-authentication

    My (vague) understanding is that it should match the CF user account. Pay close attention to step 5 in the second link, and read the links at the bottom of this page.

     

    2. Switch to Microsoft's own JDBC driver.

    Instructions for using external JDBC drivers can be found here:

    https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html

    I think Microsoft's own JDBC driver is generally fine, though I'd be reluctant to flip the switch from DataDirect to Microsoft (or vice-versa) on a busy production environment.

     

    Second, I'm not sure what your overall Kerberos environment looks like. Are you using Entra ID? Constrained delegation? It might be a little harder to use CF as a Kerberos client. You might want to examine exactly what's going on with your working .NET application. You can use the handy klist command line tool to find out what your local Kerberos tickets look like on the .NET application server.

     

    Dave Watts, Eidolon LLC
    C
    Cheerful_Whisper3883Author
    Participant
    October 22, 2025

    Thank you for the quick response. after struggling for multiple days. I am able to successfully login manually using Kerberos authentication.

    • running the coldfusion service under domain account DEV\svcaccount
    • used jdbc:sqlserver://sqlserver.domain.com:1433;integratedSecurity=true;authenticationShceme=javaKerberos;database=dbname;trustServerCertificate=true;encrypt=true;
    • Driver Class: com.microsoft.sqlserver.jdbc.SQLServerDriver
    • Driver Name: mssql-jdbc-12.8.1.jre8.jar
    • When I run kilst command and enter "svcaccount@domain.com" I get a success response saying ticket cache under c:\users\myuser\krb5cc_myuser
    • at this point, if I go back to CF administarto and enter the jdbc configuration as listed above and hit submit I am getting successful login message

     

    If I clear the tickets with "klist purge" and go back to CF administrtor getting error message

    com.microsoft.sqlserver.jdbc.SQLServerException: Kerberos Login failed: Integration authentication failed due to javax.security.auth.login.LoginException (Cannot get any of properties: [user,USER] from con properties not available to garner authentication information from the user)

     

    I believe I am close but I am missing something here for sure, any help is hightly appreciated.

     

    I have no clude if the set up Entra-ID or a non-Entra ID implementation.

    D
    Community Expert
    Dave WattsCommunity Expert
    Community Expert
    October 22, 2025

    I'm a little confused. Does this mean you successfully connected to your database via Kerberos, or not? It looks to me like you did. You shouldn't need to purge your Kerberos tickets unless you're troubleshooting it.

     

    As for whether you're using Entra or not, you should be able to check by using klist (not klist purge) to view your Ticket Granting Ticket (TGT). It should show KERBEROS.MICROSOFTONLINE.COM as the Kerberos realm. I read you should also get something called a Primary Refresh Token, but I have no idea how you'd tell that with klist. I don't really have any experience with Kerberos via Entra ID. There's a lot of relevant information at the below link, but too much for me to read all of it.

     

    https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos

     

    Dave Watts, Eidolon LLC
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    October 15, 2025

    Good luck with that, sincerely. I've looked into it more than once over the years and never could get it working. Maybe there's some simple step we're missing--which perhaps someone else here will enlighten us with. But I've never found any documentation of how to get it all going.

     

    Of course half the battle is having sql server (and the infrastructure) setup for Kerberos. You've got that working, so maybe you're really close.

     

    If no one here solves it, reach out to Adobe support at cfsup@adobe.com. Then I hope you'd fill us all in on the solution--and that they'd better document it. Others definitely want to get this working. 

    /Charlie (troubleshooter, carehart. org)
    C
    Cheerful_Whisper3883Author
    Participant
    October 22, 2025

    Thank you for the quick response. after struggling for multiple days. I am able to successfully login manually using Kerberos authentication.

    • running the coldfusion service under domain account DEV\svcaccount
    • used jdbc:sqlserver://sqlserver.domain.com:1433;integratedSecurity=true;authenticationShceme=javaKerberos;database=dbname;trustServerCertificate=true;encrypt=true;
    • Driver Class: com.microsoft.sqlserver.jdbc.SQLServerDriver
    • Driver Name: mssql-jdbc-12.8.1.jre8.jar
    • When I run kilst command and enter "svcaccount@domain.com" I get a success response saying ticket cache under c:\users\myuser\krb5cc_myuser
    • at this point, if I go back to CF administarto and enter the jdbc configuration as listed above and hit submit I am getting successful login message

     

    If I clear the tickets with "klist purge" and go back to CF administrtor getting error message

    com.microsoft.sqlserver.jdbc.SQLServerException: Kerberos Login failed: Integration authentication failed due to javax.security.auth.login.LoginException (Cannot get any of properties: [user,USER] from con properties not available to garner authentication information from the user)

     

    I believe I am close but I am missing something here for sure, any help is hightly appreciated

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices