CF2023 Kerberos Authentication running on Windows IIS

New Here,
Oct 14, 2025

I have an internal ColdFusion 2023 application running on Windows Server 2022 with IIS. We have been using MS SQL authentication to connect to the SQL database, but the organization recently changed policies to use Windows authentication using Kerberos ONLY. I am able to successfully connect to the database using NTLM, but my org is not accepting NTLM as it is outdated.

I went through the online articles and followed the steps, but I feel like I am missing something that is required for Kerberos authentication. I am able to successfully connect to the same database from a .NET application running in a containerized application with Kerberos. Below is what I have done so far, but no luck in CF 2023:

  • Changed the ColdFusion 2023 service to run as a domain account (DEV\userLAN)
  • Changed the ColdFusion 2023 service to run as a service account (DEV\ServiceAccountName)
  • Used the SQL Server JDBC driver with integratedSecurity=true in Advanced Settings under Data Source in the Administrator
  • Also tried JavaKerberos as the authentication mechanism in Advanced Settings

I have been trying to find the solution, but there is no luck so far. Any help is highly appreciated.

  • How do I know if the SPN is correctly configured? Does the SPN need to be registered with the domain account used by the CF 2023 application service under services.msc, or does it need to be registered with the Windows server name?
  • Is there anything that you think I am missing?

Thank you

- Gowtham

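The SPN question in the post above has a definitive answer on the wire: SQL Server records, per session, whether it authenticated the caller with KERBEROS or NTLM, so you can test the infrastructure independently of ColdFusion. Two facts drive the checks: an MSSQLSvc/<fqdn>:<port> SPN belongs on the account that the SQL Server service runs as (the ColdFusion service account is the client and needs no SPN for this), and Windows SSPI silently falls back to NTLM when that SPN cannot be found. The PowerShell below is an added example, not code from the thread or from Adobe or Microsoft; the host name sqlserver.domain.com, port 1433 and database name are placeholder assumptions. It is meant to run on the ColdFusion host, in a session started as the account the ColdFusion service runs as.

```powershell
# Added example (not from the thread): prove the Kerberos path from the ColdFusion host
# to SQL Server before blaming ColdFusion or the JDBC driver.
# Placeholder assumptions: SQL Server at sqlserver.domain.com:1433, database "dbname".
# Run on the ColdFusion server, in a session that runs AS the ColdFusion service
# account (e.g. runas /user:DEV\svcaccount powershell): tickets and the resulting
# auth_scheme belong to that logon session, not to your interactive user.
param(
    [string]$SqlHost  = 'sqlserver.domain.com',   # assumed; use the FQDN the data source uses
    [int]$Port        = 1433,
    [string]$Database = 'dbname'                  # assumed
)

$spn = "MSSQLSvc/${SqlHost}:$Port"

# 1. The MSSQLSvc SPN must exist on the account SQL Server runs as; the ColdFusion
#    service account is the client and needs no SPN. -Q searches the forest and prints
#    the owning object. "No such SPN found" (or two owners) means Kerberos cannot
#    succeed and SSPI will quietly fall back to NTLM.
Write-Host "== setspn -Q $spn"
setspn -Q $spn

# 2. Ask the KDC for a service ticket for that SPN from this logon session.
#    Success proves DNS, SPN and trust path; a KDC_ERR_S_PRINCIPAL_UNKNOWN here is an
#    infrastructure problem, not a ColdFusion one.
Write-Host "== klist get $spn"
klist get $spn

# 3. Connect with Windows SSPI and ask SQL Server how it authenticated this session.
#    sys.dm_exec_connections.auth_scheme is KERBEROS, NTLM or SQL.
function Get-SqlAuthScheme {
    param([string]$Server, [string]$Db)
    # Encrypt=True with certificate validation on; do not copy trustServerCertificate=true
    # into production, it disables the server identity check on the TLS channel.
    $cs = "Server=$Server;Database=$Db;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()
    }
    finally {
        $conn.Dispose()
    }
}

$scheme = Get-SqlAuthScheme -Server "$SqlHost,$Port" -Db $Database
Write-Host "== SQL Server reports auth_scheme = $scheme"
if ($scheme -ne 'KERBEROS') {
    Write-Warning "This session used $scheme. Fix SPN/DNS (connect by FQDN, not IP or alias) first."
}
```

Save it as a .ps1 and start it with runas /user:DEV\svcaccount so the checks run in the service account's logon session. If auth_scheme comes back KERBEROS here, the Microsoft JDBC driver's plain integratedSecurity=true (native SSPI through the mssql-jdbc_auth DLL) takes the same Negotiate path and will also get Kerberos; the JavaKerberos scheme is a different path that goes through the JDK's own Kerberos implementation and needs its own credentials, which is a separate problem from the SPN.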
Community Expert,
Oct 14, 2025

Good luck with that, sincerely. I've looked into it more than once over the years and never could get it working. Maybe there's some simple step we're missing--which perhaps someone else here will enlighten us with. But I've never found any documentation of how to get it all going.

Of course half the battle is having SQL Server (and the infrastructure) set up for Kerberos. You've got that working, so maybe you're really close.

If no one here solves it, reach out to Adobe support at cfsup@adobe.com. Then I hope you'd fill us all in on the solution--and that they'd better document it. Others definitely want to get this working.

/Charlie (troubleshooter, carehart.org)
Community Expert,
Oct 14, 2025

There are a couple of non-obvious things going on here. First, by default, ColdFusion 2023 uses the Progress DataDirect for JDBC library for SQL Server, which is a third-party driver that's not exactly the same as Microsoft's own JDBC driver. I haven't checked the details that closely, but the connection string properties are different. You have a couple ways you could go here.

1. Change the connection string properties to work with the DataDirect JDBC driver
A sample is shown here:
https://docs.progress.com/bundle/datadirect-microsoft-sql-server-jdbc-60/page/Connection-URL-example...

and looks like this:

jdbc:datadirect:sqlserver://myserver:1433;
DatabaseName=sqlserverDB;AuthenticationMethod=kerberos;
ServicePrincipalName=MSSQLSvc/myserver.example.com:1433@EXAMPLE.COM;

With CF you can edit your connection string directly, although the default way to edit it is just to fill out the standard form. I think you'll need to edit it directly to add the service principal name. Note the AuthenticationMethod value is "kerberos", not "JavaKerberos" - I think the second one is specifically for Microsoft's own JDBC driver. You'll probably also want to read this for more information about the ServicePrincipalName (SPN) attribute:
https://docs.progress.com/bundle/datadirect-microsoft-sql-server-jdbc-60/page/Kerberos-authenticatio...

My (vague) understanding is that it should match the CF user account. Pay close attention to step 5 in the second link, and read the links at the bottom of this page.

2. Switch to Microsoft's own JDBC driver.

Instructions for using external JDBC drivers can be found here:

https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.h...

I think Microsoft's own JDBC driver is generally fine, though I'd be reluctant to flip the switch from DataDirect to Microsoft (or vice-versa) on a busy production environment.

Second, I'm not sure what your overall Kerberos environment looks like. Are you using Entra ID? Constrained delegation? It might be a little harder to use CF as a Kerberos client. You might want to examine exactly what's going on with your working .NET application. You can use the handy klist command line tool to find out what your local Kerberos tickets look like on the .NET application server.

Dave Watts, Eidolon LLC
New Here,
Oct 22, 2025

Thank you for the quick response. After struggling for multiple days, I am able to successfully log in manually using Kerberos authentication.

  • running the ColdFusion service under domain account DEV\svcaccount
  • used jdbc:sqlserver://sqlserver.domain.com:1433;integratedSecurity=true;authenticationScheme=JavaKerberos;database=dbname;trustServerCertificate=true;encrypt=true;
  • Driver Class: com.microsoft.sqlserver.jdbc.SQLServerDriver
  • Driver Name: mssql-jdbc-12.8.1.jre8.jar
  • When I run the klist command and enter "svcaccount@domain.com", I get a success response saying the ticket cache is under c:\users\myuser\krb5cc_myuser
  • At this point, if I go back to CF Administrator and enter the JDBC configuration as listed above and hit submit, I get a successful login message

If I clear the tickets with "klist purge" and go back to CF Administrator, I get the error message

com.microsoft.sqlserver.jdbc.SQLServerException: Kerberos Login failed: Integration authentication failed due to javax.security.auth.login.LoginException (Cannot get any of properties: [user,USER] from con properties not available to garner authentication information from the user)

I believe I am close, but I am missing something here for sure. Any help is highly appreciated.

I have no clue whether the setup is an Entra ID or a non-Entra ID implementation.

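The LoginException quoted in the post above is what the JDK's Krb5LoginModule produces when it finds neither a usable ticket cache nor a keytab and falls back to asking for a user name, which the Microsoft driver's callback handler cannot supply: once the tickets obtained by hand are purged, nothing is left for the JavaKerberos scheme to use. The PowerShell below is an added example, not from the thread or from Adobe or Microsoft. It assumes ColdFusion 2023 installed under C:\ColdFusion2023, the service running as DEV\svcaccount in the realm DOMAIN.COM, and (for the keytab variant only) an existing keytab at the path shown; all of those are placeholders. It gives the ColdFusion JVM a JAAS configuration that either reuses the TGT Windows already holds for the service's own logon session or uses a keytab, so the data source works after a service restart without anyone running kinit.

```powershell
# Added example (not from the thread): let the Microsoft JDBC driver's JavaKerberos
# scheme find credentials for the ColdFusion service account on its own.
# Placeholder assumptions: ColdFusion under C:\ColdFusion2023, service account
# DEV\svcaccount in realm DOMAIN.COM, optional keytab in cfusion\lib.
# Run elevated on the ColdFusion server; restart the ColdFusion service afterwards.

$cfRoot    = 'C:\ColdFusion2023'                                  # assumed
$jvmConfig = Join-Path $cfRoot 'cfusion\bin\jvm.config'
$jaasFile  = Join-Path $cfRoot 'cfusion\lib\sqljdbc_login.conf'
$keytab    = Join-Path $cfRoot 'cfusion\lib\svcaccount.keytab'    # assumed, option B only
$principal = 'svcaccount@DOMAIN.COM'                              # assumed; realm is upper-case

# Option A: reuse the TGT that LSA already holds for the service's logon session.
# The JDK can read the Windows ticket cache only when the session key is exported.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $lsaKey)) { New-Item -Path $lsaKey -Force | Out-Null }
Set-ItemProperty -Path $lsaKey -Name 'allowtgtsessionkey' -Value 1 -Type DWord

# JAAS configuration. The driver looks up the entry named "SQLJDBCDriver" unless the
# URL sets jaasConfigurationName=... . doNotPrompt=true turns the "[user,USER]"
# prompt fallback into an immediate, readable failure.
$jaas = @"
/* Option A: ticket cache (LSA or file) of the account the ColdFusion service runs as */
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true
        renewTGT=true;
};

/* Option B: keytab, independent of any cached ticket.
   Select with jaasConfigurationName=SQLJDBCDriverKeytab in the JDBC URL. */
SQLJDBCDriverKeytab {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="$($keytab -replace '\\','/')"
        principal="$principal"
        storeKey=true
        doNotPrompt=true;
};
"@
Set-Content -Path $jaasFile -Value $jaas -Encoding ASCII

# A keytab is a long-term credential: if option B is used, only the service account
# (and administrators) may read it.
if (Test-Path $keytab) {
    icacls $keytab /inheritance:r /grant:r 'DEV\svcaccount:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
}

# Point the ColdFusion JVM at the JAAS file. jvm.config carries the JVM options on its
# java.args line; back the file up and add the flag only once.
Copy-Item $jvmConfig "$jvmConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$flag  = "-Djava.security.auth.login.config=$($jaasFile -replace '\\','/')"
$lines = Get-Content $jvmConfig
if (-not ($lines -match [regex]::Escape($flag))) {
    $lines = $lines | ForEach-Object {
        if ($_ -match '^java\.args=') { "$_ $flag" } else { $_ }
    }
    Set-Content -Path $jvmConfig -Value $lines -Encoding ASCII
}
Write-Host 'Restart the ColdFusion service. Use authenticationScheme=JavaKerberos (option A),'
Write-Host 'or add jaasConfigurationName=SQLJDBCDriverKeytab to the URL for option B.'
```

The two options trade off differently: allowtgtsessionkey exports TGT session keys to every process on the host, which makes ticket theft from that machine easier, while a keytab puts a long-term key on disk, hence the icacls step; choose one deliberately rather than enabling both. If the JVM cannot determine the realm and KDC by itself, add -Djava.security.krb5.realm=DOMAIN.COM and -Djava.security.krb5.kdc=<domain controller FQDN> (or a krb5.ini) to the same java.args line; those two are standard JDK properties, the values are placeholders here. The trustServerCertificate=true in the posted URL disables server certificate validation on the TLS channel and should be replaced by a trusted certificate before production use.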
Community Expert,
Oct 22, 2025

I'm a little confused. Does this mean you successfully connected to your database via Kerberos, or not? It looks to me like you did. You shouldn't need to purge your Kerberos tickets unless you're troubleshooting it.

As for whether you're using Entra or not, you should be able to check by using klist (not klist purge) to view your Ticket Granting Ticket (TGT). It should show KERBEROS.MICROSOFTONLINE.COM as the Kerberos realm. I read you should also get something called a Primary Refresh Token, but I have no idea how you'd tell that with klist. I don't really have any experience with Kerberos via Entra ID. There's a lot of relevant information at the below link, but too much for me to read all of it.

https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos

Dave Watts, Eidolon LLC