Using Liquibase and MSSQL Server with Integrated Security and Kerberos Authentication

If your application runs on a Linux or Windows-based intranet, you can use the integrated authentication to access your database. Integrated security uses the identity established on the operating system thread to access MSSQL Server.

Kerberos is an authentication protocol that works based on tickets to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos authentication protocol does not store passwords locally or send them over the Internet.


  1. Introduction to Liquibase – Dive into Liquibase concepts.
  2. Install Liquibase – Download Liquibase on your machine.
  3. Get Started with Liquibase – Learn how to use Liquibase with an example database.
  4. Design Your Liquibase Project – Create a new Liquibase project folder and organize your changelogs
  5. How to Apply Your Liquibase Pro License Key – If you use Liquibase Pro, activate your license.

Configuring the Liquibase and Kerberos connection

  1. Run the kinit command to obtain and cache Kerberos ticket-granting tickets. To verify and list the new information from the krb5cc file, you can also run the klist command. For example:
  2. kinit lbuser
    Password for lbuser@MYDOMAIN.COM:
    Ticket cache: FILE:/temp/krb5cc
    Default principal: @MYDOMAIN.COM
  3. Specify the database URL in the file (defaults file), along with other properties you want to set a default value for. Liquibase does not parse the URL. You can either specify the full database connection string or specify the URL using your database's standard JDBC format:
  4. url: jdbc:sqlserver://<host name or endpoint>:1433;IntegratedSecurity=true;databaseName=<database name>;authenticationScheme=JavaKerberos;useTicketCache=true;doNotPrompt=true;moduleBanner=false;ServerSpn=MSSQLSvc/<hostname><FQDN>:1433@MYDOMAIN.COM;
  5. Include the following JAVA_OPTS arguments to ensure you have all the necessary Java arguments:
  6. JAVA_OPTS=" -DuseTicketCache=true"
  7. Run the liquibase status command to ensure the connection works.
  8. JAVA_OPTS=" -DuseTicketCache=true" 
    liquibase status --verbose
  9. (Optional) If you want to use the SQLCMD native executor with Kerberos, you must first set the KRB5CCNAME environment variable:
  10. export KRB5CCNAME=<path to ticket file>

    Then run Liquibase:

    KRB5CCNAME=<path to ticket file>
    JAVA_OPTS=" -DuseTicketCache=true" 
    liquibase status --verbose