Redgate Flyway

Tutorial - Connect using Kerberos authentication

FLYWAY TEAMS

This tutorial shows you how to connect Flyway to a database using Kerberos authentication.

Prerequisites:

  • Flyway Teams or Enterprise Edition
  • A SQL Server or Oracle instance configured for Kerberos authentication
  • A Kerberos Key Distribution Center (KDC) accessible from the machine running Flyway
  • A valid Kerberos configuration file (krb5.conf or krb5.ini)
  • A valid Kerberos ticket or keytab for the authenticating principal

Configuring Kerberos for SQL Server

Step 1: Prepare configuration files

Kerberos configuration (krb5.conf):

[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM


JDBC Kerberos login module configuration (SQLJDBCDriver.conf):

SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/path/to/flyway-service.keytab"
    storeKey=true
    useTicketCache=false
    principal="flyway-service@EXAMPLE.COM";
};

For interactive use (e.g. Flyway Desktop), set useKeyTab=false and useTicketCache=true to use an existing ticket cache instead of a keytab.

Step 2: Configure Flyway

Add authenticationScheme=JavaKerberos to the JDBC URL and point Flyway to the configuration files.

Either configure the environment in your TOML configuration:

[environments.production]
url = "jdbc:sqlserver://prod-server:1433;databaseName=mydb;authenticationScheme=JavaKerberos"

[flyway]
kerberosConfigFile = "/etc/krb5.conf"

[flyway.sqlserver]
kerberos.login.file = "/path/to/SQLJDBCDriver.conf"

Or specify the parameters directly on the command line:

flyway info \
  -url="jdbc:sqlserver://prod-server:1433;databaseName=mydb;authenticationScheme=JavaKerberos" \
  -kerberosConfigFile="/etc/krb5.conf" \
  -sqlserver.kerberos.login.file="/path/to/SQLJDBCDriver.conf"

Add the Kerberos parameters to flyway.toml or flyway.user.toml. Flyway Desktop will use them when connecting to the environment. Ensure you have a valid ticket (e.g. by running `kinit` before launching Flyway Desktop).

Configuring Kerberos for Oracle

Flyway provides Oracle-specific parameters for the Kerberos configuration file and credential cache:

[environments.production]
url = "jdbc:oracle:thin:@prod-host:1521/ORCL"

[flyway.oracle]
kerberosConfigFile = "/etc/krb5.conf"
kerberosCacheFile = "/tmp/krb5cc_flyway"

Alternatively, Kerberos properties can be passed via JDBC properties:

[environments.production]
url = "jdbc:oracle:thin:@prod-host:1521/ORCL"

[environments.production.jdbcProperties]
oracle.net.authentication_services = "(KERBEROS5)"
oracle.net.kerberos5_cc_name = "/tmp/krb5cc_flyway"
oracle.net.kerberos5_mutual_authentication = "true"

[flyway]
kerberosConfigFile = "/etc/krb5.conf"

See the Oracle JDBC documentation for full details on Oracle Kerberos JDBC properties.
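
A preflight check for the files configured in both sections above, as an added example that is not part of the Flyway documentation or product: it confirms that krb5.conf does not allow DES, 3DES or RC4 enctypes and that the keytab named in the JAAS login file (and, optionally, a ticket cache such as the Oracle kerberosCacheFile) carries no group or other permission bits. The function names are hypothetical, and the script assumes a POSIX shell with the standard ls, sed and grep utilities.

```shell
#!/bin/sh
# Preflight for the Kerberos files this tutorial references
# (added example with hypothetical function names, not Flyway code).

# Print the keyTab path declared in a JAAS login file such as SQLJDBCDriver.conf.
jaas_keytab_path() {
    sed -n 's/^[[:space:]]*keyTab[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only for a regular file with no group/other permission bits
# (for example mode 0600 or 0400), so only the owning account can read it.
is_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Print enctype settings in krb5.conf that still allow DES, 3DES or RC4.
weak_enctype_lines() {
    grep -Ei '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=.*(des|rc4|arcfour)' "$1"
}

# Usage: kerberos_preflight <krb5.conf> <JAAS login file> [ticket cache]
# Prints one line per finding and returns non-zero if there is any.
kerberos_preflight() {
    rc=0
    if weak_enctype_lines "$1" >/dev/null; then
        echo "FAIL: weak enctype allowed in $1"; rc=1
    fi
    keytab=$(jaas_keytab_path "$2")
    if [ -n "$keytab" ] && ! is_private_file "$keytab"; then
        echo "FAIL: keytab $keytab is missing or accessible to group/other"; rc=1
    fi
    if [ -n "${3:-}" ] && ! is_private_file "$3"; then
        echo "FAIL: ticket cache $3 is missing or accessible to group/other"; rc=1
    fi
    return "$rc"
}

# Run the check when invoked with file arguments; otherwise only define the functions.
if [ "$#" -ge 2 ]; then kerberos_preflight "$@"; fi
```

Run it in the deployment pipeline before `flyway info`, passing the same krb5.conf and login file paths that Flyway is configured with.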



