From b6e88d33b3967b42020aa8dbc8429f41f2a0afb8 Mon Sep 17 00:00:00 2001
From: Nick Couchman <vnick@apache.org>
Date: Mon, 14 Aug 2017 22:14:15 -0400
Subject: [PATCH] GUACAMOLE-363: Initial commit of SQLServer authentication
 module for JDBC.

---
 .../guacamole-auth-jdbc-sqlserver/.gitignore  |   2 +
 .../guacamole-auth-jdbc-sqlserver/pom.xml     | 128 ++++++++
 .../schema/001-create-schema.sql              | Bin 0 -> 35118 bytes
 .../schema/002-create-admin-user.sql          |  43 +++
 .../SQLServerAuthenticationProvider.java      |  50 +++
 ...SQLServerAuthenticationProviderModule.java |  91 ++++++
 .../auth/sqlserver/SQLServerEnvironment.java  | 306 ++++++++++++++++++
 .../SQLServerGuacamoleProperties.java         | 200 ++++++++++++
 .../sqlserver/SQLServerInjectorProvider.java  |  49 +++
 .../sqlserver/SQLServerPasswordPolicy.java    | 194 +++++++++++
 ...SQLServerSharedAuthenticationProvider.java |  50 +++
 .../auth/sqlserver/package-info.java          |  23 ++
 .../src/main/resources/guac-manifest.json     |  28 ++
 .../auth/jdbc/connection/ConnectionMapper.xml | 235 ++++++++++++++
 .../connection/ConnectionParameterMapper.xml  |  68 ++++
 .../connection/ConnectionRecordMapper.xml     | 216 +++++++++++++
 .../connectiongroup/ConnectionGroupMapper.xml | 232 +++++++++++++
 .../ConnectionGroupPermissionMapper.xml       | 130 ++++++++
 .../permission/ConnectionPermissionMapper.xml | 130 ++++++++
 .../SharingProfilePermissionMapper.xml        | 130 ++++++++
 .../permission/SystemPermissionMapper.xml     | 101 ++++++
 .../jdbc/permission/UserPermissionMapper.xml  | 137 ++++++++
 .../sharingprofile/SharingProfileMapper.xml   | 126 ++++++++
 .../SharingProfileParameterMapper.xml         |  68 ++++
 .../auth/jdbc/user/PasswordRecordMapper.xml   |  79 +++++
 .../guacamole/auth/jdbc/user/UserMapper.xml   | 216 +++++++++++++
 extensions/guacamole-auth-jdbc/pom.xml        |   1 +
 27 files changed, 3033 insertions(+)
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/.gitignore
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/pom.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/001-create-schema.sql
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/002-create-admin-user.sql
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProvider.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerSharedAuthenticationProvider.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/package-info.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/guac-manifest.json
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileParameterMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/.gitignore b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/.gitignore
new file mode 100644
index 000000000..42f4a1a64
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/.gitignore
@@ -0,0 +1,2 @@
+target/
+*~
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/pom.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/pom.xml
new file mode 100644
index 000000000..82776f7d0
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/pom.xml
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+                        http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.apache.guacamole</groupId>
+    <artifactId>guacamole-auth-jdbc-sqlserver</artifactId>
+    <packaging>jar</packaging>
+    <name>guacamole-auth-jdbc-sqlserver</name>
+    <url>http://guacamole.incubator.apache.org/</url>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <parent>
+        <groupId>org.apache.guacamole</groupId>
+        <artifactId>guacamole-auth-jdbc</artifactId>
+        <version>0.9.13-incubating</version>
+        <relativePath>../../</relativePath>
+    </parent>
+
+    <build>
+        <plugins>
+
+            <!-- Written for 1.6 -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.3</version>
+                <configuration>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                    <compilerArgs>
+                        <arg>-Xlint:all</arg>
+                        <arg>-Werror</arg>
+                    </compilerArgs>
+                    <fork>true</fork>
+                </configuration>
+            </plugin>
+
+            <!-- Copy dependencies prior to packaging -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>2.10</version>
+                <executions>
+                    <execution>
+                        <id>unpack-dependencies</id>
+                        <phase>prepare-package</phase>
+                        <goals>
+                            <goal>unpack-dependencies</goal>
+                        </goals>
+                        <configuration>
+                            <includeScope>runtime</includeScope>
+                            <outputDirectory>${project.build.directory}/classes</outputDirectory>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
+            <!-- Verify format using Apache RAT -->
+            <plugin>
+                <groupId>org.apache.rat</groupId>
+                <artifactId>apache-rat-plugin</artifactId>
+                <version>0.12</version>
+
+                <configuration>
+                    <excludes>
+                        <exclude>**/*.json</exclude>
+                    </excludes>
+                </configuration>
+
+                <!-- Bind RAT to validate phase -->
+                <executions>
+                    <execution>
+                        <id>validate</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+
+            </plugin>
+
+        </plugins>
+    </build>
+
+    <dependencies>
+
+        <!-- Guacamole Extension API -->
+        <dependency>
+            <groupId>org.apache.guacamole</groupId>
+            <artifactId>guacamole-ext</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Guacamole JDBC Authentication -->
+        <dependency>
+            <groupId>org.apache.guacamole</groupId>
+            <artifactId>guacamole-auth-jdbc-base</artifactId>
+            <version>0.9.13-incubating</version>
+        </dependency>
+
+    </dependencies>
+
+</project>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/001-create-schema.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/001-create-schema.sql
new file mode 100644
index 0000000000000000000000000000000000000000..df95800ec6f91545eac5bdafd9d1a8d8e2bf31ed
GIT binary patch
literal 35118
zcmeHQYi}L55#`qw=zm!FOXb3~YsX2`6alK};TW-HSCZSNg0YbGu${`1t1HKLetg?=
zICn&Hmt5}as(LIgbRWCqa5#^{87@iv_doZ{@9_GK`L!wVS(qp0t=TgN=Ge^ezK<(s
z=ET0g!SBK>oA+iHCFIu@?j54UM_fC#_t$ad18VQ%${A>#;Co?~P;bkuo7?y<cMnj$
zuy+r<)=%u!cepOp_H2nW{CaC%p(c4@y`zB30&TsvH4e->%ljF)zl(AOT0O9Qoy|Gk
zFwe}kd2Ck98txu~&Jpgr{_o?;4DGlUMG7Broir$qH?~ZHUXz=DSvtbkF8WOh+Vfpd
zFYx;qEwRKqPb#iW_Vu-uAnP9EdjScbK+>NrAFt8k8Lpk6#bcB`1&8F}{k)Ic_$9ib
zjH}X_;fmwA-eb}4XHfrulD>9WtFH6VLhhi>-{w52wjY46Kj8Y3ZP%CXt%`l!f<^op
zCAD?R=QDmEgB$kvgSEmK{{`CoWG(f*ElIhF)ZRfZw2xg}p(Q&xhdN}>!oG;b{5Y3{
z@^S*pI|DUoVRzmNbwiCD;$7twQlnL#owx3|pjA?zXW;W2a}TeN_H`HKop0R*?NeC7
zy^5{RaOKI|em7v<Yv%Vx<gG2}XJKAI0<`WKUInNfn14f}Z|ygF_AA>5wki_a0|&2c
z4cgEyxMC0KZ_d9QB8WUb;=b5B?e@-je+#r(#fFq`#cZxBOL}EteJkdjf-=;&>-{Z@
zIR#|3Wp1JFclI}b(PsaS>)Ymgpur1#^7pdY#B14XSbSJRxdL}L@xFr34YO)%JhtEE
z9(|4FfAm`Y0i{@$Z5&w1(1$2P+Ut8Od(nqT_AM|$q)(iQV^&obf+cEquE#S_I)Kf;
zwYav2HmODG<%88AE&esM^0VdW807?OSc}+18PD)eX;Rv(OMM^V8t>8z6xn88pY!^=
zdtUmU{YIW&SnDm!&YZtJ^U~gX1PSxLj7%Jz_@XXenV)R`&fqtK?J^G0Q++zS;P%AY
z@k?7y%hFN>Emmz$4lJFo(b9eM5bqCwTKCN#QRh#%^AO*^F<;=lFwf0XyelvKlzyzh
zKGt9Z+jcbBf~9<qZ%=V0#SeSdzK5I896gxSVp=M#Zs-vg+tW>G?}_cR)1EK&yRG=8
zEEpH?^DpN;p~r5Z$4ln7bLp<)+a3J9fF4%o(v~Z$;DLNl{&Hm*C7xOe^mJa|#GTt6
zEz6ht3@AwnGqxzNoEExrpVx_R^W_{HHz4N~i<?ABYNEh<zGMks*o0?Ov+-J6@F*fP
zZQ>E+|J;^e$8YLAUPq9HdKW&%v56P30^;N<-Wf$P65GcwV&X3P{@L0_%I{Miaj|~8
zjj`%E<kpAFbt`$|;12r!Gx~grvF45ad<k#85A<YwFA+9Bi4jjadfsp;=Pmy7$-EuU
zISqV)5p1{ywxLmt0@LU&nHhax?>r`0v|JhOGFD^EwFLwy&uvWNv5mmiwDezLhs^ob
z;HxESam<hyk0`?Nfw4tc*GH}bb(ax6=El3YM3yX1zk<)i?w7!keLHsVSVWO=+~<)V
zOW(SKznE?%;!e{)hBlcKQ#UEUePF)M&}Lr3{NWh7j`OVE?)YJ>%Pj81_WY=UgOuG?
zX?+65as+1NERyo2mf}Eay+JLG;(2*|2}!FT34+D>pfvWt32|Se;?l~R`QXX9USnAK
za4zpEeMYjM(8rjq%xZR0?{RZ|jb6%mUVYkvVvLg#nIUr<nU@gD;&>=JsdIIRUU8m9
zGmjGAn3;Z#v`<fUV~0pyGcd+;%+MGMu+$F5vL6!CB3FzR9@}Vq6JAuH?3(>tfiE*g
zkm!)OP*^W*>#K}eS8R>j=XoUK)#u<%Foqf6n)wIlev7|nn3Y+#u?X8_wji-7XQ8&h
zKSxaF5zI56f(kQIj?rP=$B2KlWC{9=nacA%g=LrR$omZ3m7px2Pw=^d^2AChy<vIs
z%d!WL&~}OX_0q&2BBe;)m#t)Ox%=I6pZ?=e3Ckq*e1K=Z1h?|qvfes&2B@RV)ftmQ
z>EvwQNivT6{l=<3<4GKeeE#y-PGrxGb!YQPo|Y3IG4tb9GY$*oCd6#6-v`GzT4`KY
z+DyjH^^~}CIL~P~%d<#a4y|u|jP~t8W2*_TIZ|E?yjI%|XCo&RKZgJMxt8xoDVaHJ
zm**&_7}wP&!pJ!mb)|EPn2)ui7n{QrG?Y1NK7nv^w@q^<)meuAkzyN34#BCq>;;cp
zR*@gsRBP3mDS1waci9n7o*~QgY#DE-C^f{ls)QVxg?HkZ)-Nut`)Y`5)qGvcj}v)v
zhK1<IXAPyDL(nHX@i_E>`O<uqm`R9ZisDFfui|yb=_6Mza4t!nJ#yq?rlzYB;<~KQ
zDCDS&#Vcp_IoDKTHiz^4I*+EmIPasgYw;0@qbOtV{gyO*3+prQLA#L^ESx11WC>%x
zF7qHEEvKDne7Wr7i)7d`_e;B#xxQ(P3CEb2l-xKI$H6#;rXuKi3#HA(6*c0>-e#U6
zMww6Ljxg_~I2D_Fmbr!WvxI)AQ|E?peShR>mVG@ACQkd-9!hz_tL}Kk=U$w{=4>@r
zw8*@0)BNwn&F`l2o(bQo_*P%p#b@=@6eAOjU){(aMusU=Yxd4|G*UWDKXXpih(}(1
zaV#dWAxKu2aTUFqrCBYVlEQ>>-7$`Sun5#@&QEUkY-Ub24xO4y#xbj3-k)n}oP3hG
zF7rjkDqP9X?Du&T%^_TKuZG2E&9t3vCRDmAsKmLLY7{*o6(y3ItBT2M7<$Dc8AfXL
zw!#eO>gAC+1gZD<A`#0yovHH?N`6AP?g)1|a?890#&dz2n`QQsn8U<+E|iaQh<>?t
zyUxkQ^?Fg6XRbG?46pxeT3zndtTM-wO1N4t#p{HM-BEFI*=TMD(@l@_^70vuVJS~Z
zqfWbBA@P_opBv`;yx3W<lsqQnxID<A<HpU#2PcKLD9~>fO4}K0wrLk}(+qnxxDtTt
z54iGz<2<#wgFRl%Yh^Bq&jj+TnwbfO6lb_{gmn=)ivFqw&1OSNx}riT>92O{E96`O
zUEN&YPZdW<@*#Wj^+W_|+h3QRdj7!^P<XZk`@r2Wtg{a}f5b1Y*`ZWbDy|Pp*jp~o
zU90kFq9?0Igts=d<QXvIwG!)UxVq-uTt6yR(yFhi@#}F%Kikq>Tg^3<t6$I-SE&lG
zv1iX;VOM=z0*81Ob%a-#TgPWLn$|sW1(obJ;;MF@#==!q)Ki+PCVKQ8p3TD35`Mua
z`^sL9OO0MsT3vCse|Ors(O!{-l*i8^7`IM4p}0%^N9azZ(Y#Y?5zm}d$1;x_qHDO0
zi&k)R=P<g+$&L5*u`iUVd*b2GXbg)3;xyBvS&YZ)H{!R&x^{lh9}Q#D_E%my?M)fY
z<;!Sj9r0Pf2^mweacJl;RObbK)Jr3j>@$=#N<2Nq?L>Fp(vDI}d+FJfRE;>dT~H=&
zNBxndF5T*^Ya2OM>!kWWq0?}5;vRZAO<>q*Aw1h;6)$3toH|!O^I#Qc38dDJG@rCk
z*i#AC(FXHRo}jRV7f<bBPPUG{{X7e02U%nKyaqpV9jDj+{yRpd!zAGEP4sti$NJ8b
zs@Ug8XmbOrT>ptru6E@bSN4tPhWT=F^sbT=y6^ms$tq?iT`7+*HOXZ3EJykb&)?%I
z7j5il9pzG<6knU=tcxv+$E?9(cru6Xt672vF*dB8mm_D;@tlu!{PA-GoXR<q=~1f<
zA8avKPRG~qB)oAvn6mICpF*x-@*dxMs>tI`1r7U?N2I2nIh#q@nkz9`l{-zWs-2-0
z=A_(44~w<7RD{iOe-UWr_dON|wvk8^-gQHt%YlKilf^$%lwL2<Fg<?F&g4lc|D4fS
zDLv7396a?cKW!;v`a@rvxM^OZnOQSVYpHO|?P~Q(g>7+!*WV%4$%^%)uehhU8HVt5
z>9IUDoCT(?7K7knJ8`^jw#qn0%lyrFv8h^XzP0|At7oq1Gt5PxP$+NqYAD`@6jK_!
zn7&+$jW(|-Y_`_sx*-O3Mb>88YQfE=LJr0r|3h0@g!MJ|?s{RRj-1UFr=>#8cC{^~
zqE@88L#j6&`&256u``){@lOMwHWq_<^|n&T-aUW1ieqy<gBlwf>k=OWAL~?8dR)W^
z9m~HKX|wewR`K56w`-Bo^PKr8uPc7WC@Pl5?u~`37h$(`sgGm1b-HP7URUeY5hZ7_
zS}wGku2!m4)H3yVNVWecf8DH6<wNZZv%p;3I((dOZXxbjw1YHCcG>rTwKDNB?X+3$
z-H@`GR!WD9v`o%U@tNS*QE9HH^;Wq;z3B|bW?OEq8{%JARBfiMSle7G<lu53aE{};
zj>fh2I{my2EZP_9F$?=VG)K!zy54SH7ERcmYjH>p*G&65`$JtzV|zrsg}fcyB%jcT
zjdD*%Hd-n~-LAN=RMevNcS!ZBV0qoLF2Z(IX2av_Hv58y<8-bS|GC{{f%@NU`5zJ5
z?Fw)Iv?@=}*TpalR4bKeIKM|}*jkwOt@%Bitj)K!_A=~-a_#B*x*5;<;wU{7*Zf}9
zTkv}_Sy{@;>T>IES#?^z4z7ze<>ox|yG8oVI;pic$8G(e|0w<V%AUno#qb%**i#Df
z+8<lEo}Dt_N+<bmrd)ZS|KFp23?O?wxH7#Pm2a^NVhb<shTxuN*&))03iny@|Acc_
z#s6~^dOv9n!-|+q_^Uj}u#a3DCC)C8|50A`9JLL1pIZOU?t$UXm=)}B;D2BDEg&qL
Y+eNboeOKk@TYG8;g6O`Bq<p>q4=Vj}Z~y=R

literal 0
HcmV?d00001

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/002-create-admin-user.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/002-create-admin-user.sql
new file mode 100644
index 000000000..08cce3f07
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/002-create-admin-user.sql
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+INSERT INTO [guacamole].[user] (username, password_hash, password_salt, password_date)
+VALUES ('guacadmin', 0xCA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960,
+0xCA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960, getdate());
+
+INSERT INTO [guacamole].[system_permission]
+SELECT user_id, permission
+FROM (
+		SELECT 'guacadmin' AS username, 'CREATE_CONNECTION' AS permission
+		UNION SELECT 'guacadmin' AS username, 'CREATE_CONNECTION_GROUP' AS permission
+		UNION SELECT 'guacadmin' AS username, 'CREATE_SHARING_PROFILE' AS permission
+		UNION SELECT 'guacadmin' AS username, 'CREATE_USER' AS permission
+		UNION SELECT 'guacadmin' AS username, 'ADMINISTER' AS permission)
+		permissions
+		JOIN [guacamole].[user] ON permissions.username = [guacamole].[user].[username];
+
+INSERT INTO [guacamole].[user_permission]
+SELECT [guacamole].[user].[user_id], [affected].[user_id], permission
+FROM (
+		SELECT 'guacadmin' AS username, 'guacadmin' AS affected_username, 'READ' AS permission
+		UNION SELECT 'guacadmin' AS username, 'guacadmin' AS affected_username, 'UPDATE' AS permission
+		UNION SELECT 'guacadmin' AS username, 'guacadmin' AS affected_username, 'ADMINISTER' AS permission)
+		permissions
+		JOIN [guacamole].[user] ON permissions.username = [guacamole].[user].[username]
+		JOIN [guacamole].[user] affected ON permissions.affected_username = affected.username;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProvider.java
new file mode 100644
index 000000000..ef5d61d90
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProvider.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.InjectedAuthenticationProvider;
+import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderService;
+
+/**
+ * Provides a SQLServer-based implementation of the AuthenticationProvider
+ * functionality.
+ */
+public class SQLServerAuthenticationProvider extends InjectedAuthenticationProvider {
+
+    /**
+     * Creates a new SQLServerAuthenticationProvider that reads and writes
+     * authentication data to a SQLServer database defined by properties in
+     * guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If a required property is missing, or an error occurs while parsing
+     *     a property.
+     */
+    public SQLServerAuthenticationProvider() throws GuacamoleException {
+        super(new SQLServerInjectorProvider(), JDBCAuthenticationProviderService.class);
+    }
+
+    @Override
+    public String getIdentifier() {
+        return "sqlserver";
+    }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java
new file mode 100644
index 000000000..ebb1a0678
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import com.google.inject.Binder;
+import com.google.inject.Module;
+import com.google.inject.name.Names;
+import java.util.Properties;
+import org.apache.guacamole.GuacamoleException;
+import org.mybatis.guice.datasource.helper.JdbcHelper;
+
+/**
+ * Guice module which configures SQLServer-specific injections.
+ */
+public class SQLServerAuthenticationProviderModule implements Module {
+
+    /**
+     * MyBatis-specific configuration properties.
+     */
+    private final Properties myBatisProperties = new Properties();
+
+    /**
+     * SQLServer-specific driver configuration properties.
+     */
+    private final Properties driverProperties = new Properties();
+    
+    /**
+     * Creates a new SQLServer authentication provider module that configures
+     * driver and MyBatis properties using the given environment.
+     *
+     * @param environment
+     *     The environment to use when configuring MyBatis and the underlying
+     *     JDBC driver.
+     *
+     * @throws GuacamoleException
+     *     If a required property is missing, or an error occurs while parsing
+     *     a property.
+     */
+    public SQLServerAuthenticationProviderModule(SQLServerEnvironment environment)
+            throws GuacamoleException {
+
+        // Set the SQLServer-specific properties for MyBatis.
+        myBatisProperties.setProperty("mybatis.environment.id", "guacamole");
+        myBatisProperties.setProperty("JDBC.host", environment.getSQLServerHostname());
+        myBatisProperties.setProperty("JDBC.port", String.valueOf(environment.getSQLServerPort()));
+        myBatisProperties.setProperty("JDBC.schema", environment.getSQLServerDatabase());
+        myBatisProperties.setProperty("JDBC.username", environment.getSQLServerUsername());
+        myBatisProperties.setProperty("JDBC.password", environment.getSQLServerPassword());
+        myBatisProperties.setProperty("JDBC.autoCommit", "false");
+        myBatisProperties.setProperty("mybatis.pooled.pingEnabled", "true");
+        myBatisProperties.setProperty("mybatis.pooled.pingQuery", "SELECT 1");
+
+        // Use UTF-8 in database
+        driverProperties.setProperty("characterEncoding", "UTF-8");
+
+    }
+
+    @Override
+    public void configure(Binder binder) {
+
+        // Bind SQLServer-specific properties
+        JdbcHelper.SQL_Server_2005_MS_Driver.configure(binder);
+        
+        // Bind MyBatis properties
+        Names.bindProperties(binder, myBatisProperties);
+
+        // Bind JDBC driver properties
+        binder.bind(Properties.class)
+            .annotatedWith(Names.named("JDBC.driverProperties"))
+            .toInstance(driverProperties);
+
+    }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java
new file mode 100644
index 000000000..67d882719
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java
@@ -0,0 +1,306 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.guacamole.auth.jdbc.security.PasswordPolicy;
+
+/**
+ * A SQLServer-specific implementation of JDBCEnvironment provides database
+ * properties specifically for SQLServer.
+ */
+public class SQLServerEnvironment extends JDBCEnvironment {
+
+    /**
+     * Logger for this class.
+     */
+    private static final Logger logger = LoggerFactory.getLogger(SQLServerEnvironment.class);
+
+    /**
+     * The default host to connect to, if SQLSERVER_HOSTNAME is not specified.
+     */
+    private static final String DEFAULT_HOSTNAME = "localhost";
+
+    /**
+     * The default port to connect to, if SQLSERVER_PORT is not specified.
+     */
+    private static final int DEFAULT_PORT = 1433;
+
+    /**
+     * Whether a database user account is required by default for authentication
+     * to succeed.
+     */
+    private static final boolean DEFAULT_USER_REQUIRED = true;
+
+    /**
+     * The default value for the maximum number of connections to be
+     * allowed to the Guacamole server overall.
+     */
+    private final int DEFAULT_ABSOLUTE_MAX_CONNECTIONS = 0;
+
+    /**
+     * The default value for the default maximum number of connections to be
+     * allowed per user to any one connection. Note that, as long as the
+     * legacy "disallow duplicate" and "disallow simultaneous" properties are
+     * still supported, these cannot be constants, as the legacy properties
+     * dictate the values that should be used in the absence of the correct
+     * properties.
+     */
+    private int DEFAULT_MAX_CONNECTIONS_PER_USER = 1;
+
+    /**
+     * The default value for the default maximum number of connections to be
+     * allowed per user to any one connection group. Note that, as long as the
+     * legacy "disallow duplicate" and "disallow simultaneous" properties are
+     * still supported, these cannot be constants, as the legacy properties
+     * dictate the values that should be used in the absence of the correct
+     * properties.
+     */
+    private int DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER = 1;
+
+    /**
+     * The default value for the default maximum number of connections to be
+     * allowed to any one connection. Note that, as long as the legacy
+     * "disallow duplicate" and "disallow simultaneous" properties are still
+     * supported, these cannot be constants, as the legacy properties dictate
+     * the values that should be used in the absence of the correct properties.
+     */
+    private int DEFAULT_MAX_CONNECTIONS = 0;
+
+    /**
+     * The default value for the default maximum number of connections to be
+     * allowed to any one connection group. Note that, as long as the legacy
+     * "disallow duplicate" and "disallow simultaneous" properties are still
+     * supported, these cannot be constants, as the legacy properties dictate
+     * the values that should be used in the absence of the correct properties.
+     */
+    private int DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+
+    /**
+     * Constructs a new SQLServerEnvironment, providing access to SQLServer-specific
+     * configuration options.
+     * 
+     * @throws GuacamoleException 
+     *     If an error occurs while setting up the underlying JDBCEnvironment
+     *     or while parsing legacy SQLServer configuration options.
+     */
+    public SQLServerEnvironment() throws GuacamoleException {
+
+        // Init underlying JDBC environment
+        super();
+
+        // Read legacy concurrency-related property
+        Boolean disallowSimultaneous = getProperty(SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_SIMULTANEOUS_CONNECTIONS);
+        Boolean disallowDuplicate    = getProperty(SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_DUPLICATE_CONNECTIONS);
+
+        // Legacy "simultaneous" property dictates only the maximum number of
+        // connections per connection
+        if (disallowSimultaneous != null) {
+
+            // Translate legacy property
+            if (disallowSimultaneous) {
+                DEFAULT_MAX_CONNECTIONS       = 1;
+                DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+            }
+            else {
+                DEFAULT_MAX_CONNECTIONS       = 0;
+                DEFAULT_MAX_GROUP_CONNECTIONS = 0;
+            }
+
+            // Warn of deprecation
+            logger.warn("The \"{}\" property is deprecated. Use \"{}\" and \"{}\" instead.",
+                    SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_SIMULTANEOUS_CONNECTIONS.getName(),
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS.getName(),
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS.getName());
+
+            // Inform of new equivalent
+            logger.info("To achieve the same result of setting \"{}\" to \"{}\", set \"{}\" to \"{}\" and \"{}\" to \"{}\".",
+                    SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_SIMULTANEOUS_CONNECTIONS.getName(), disallowSimultaneous,
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS.getName(),           DEFAULT_MAX_CONNECTIONS,
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS.getName(),     DEFAULT_MAX_GROUP_CONNECTIONS);
+
+        }
+
+        // Legacy "duplicate" property dictates whether connections and groups
+        // may be used concurrently only by different users
+        if (disallowDuplicate != null) {
+
+            // Translate legacy property
+            if (disallowDuplicate) {
+                DEFAULT_MAX_CONNECTIONS_PER_USER       = 1;
+                DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER = 1;
+            }
+            else {
+                DEFAULT_MAX_CONNECTIONS_PER_USER       = 0;
+                DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER = 0;
+            }
+
+            // Warn of deprecation
+            logger.warn("The \"{}\" property is deprecated. Use \"{}\" and \"{}\" instead.",
+                    SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_DUPLICATE_CONNECTIONS.getName(),
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER.getName(),
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS.getName());
+
+            // Inform of new equivalent
+            logger.info("To achieve the same result of setting \"{}\" to \"{}\", set \"{}\" to \"{}\" and \"{}\" to \"{}\".",
+                    SQLServerGuacamoleProperties.SQLSERVER_DISALLOW_DUPLICATE_CONNECTIONS.getName(),         disallowDuplicate,
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER.getName(),       DEFAULT_MAX_CONNECTIONS_PER_USER,
+                    SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER.getName(), DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER);
+
+        }
+
+    }
+
+    @Override
+    public boolean isUserRequired() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_USER_REQUIRED,
+            DEFAULT_USER_REQUIRED
+        );
+    }
+
+    @Override
+    public int getAbsoluteMaxConnections() throws GuacamoleException {
+        return getProperty(SQLServerGuacamoleProperties.SQLSERVER_ABSOLUTE_MAX_CONNECTIONS,
+            DEFAULT_ABSOLUTE_MAX_CONNECTIONS
+        );
+    }
+
+    @Override
+    public int getDefaultMaxConnections() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS,
+            DEFAULT_MAX_CONNECTIONS
+        );
+    }
+
+    @Override
+    public int getDefaultMaxGroupConnections() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS,
+            DEFAULT_MAX_GROUP_CONNECTIONS
+        );
+    }
+
+    @Override
+    public int getDefaultMaxConnectionsPerUser() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER,
+            DEFAULT_MAX_CONNECTIONS_PER_USER
+        );
+    }
+
+    @Override
+    public int getDefaultMaxGroupConnectionsPerUser() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER,
+            DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
+        );
+    }
+
+    @Override
+    public PasswordPolicy getPasswordPolicy() {
+        return new SQLServerPasswordPolicy(this);
+    }
+
+    /**
+     * Returns the hostname of the SQLServer server hosting the Guacamole
+     * authentication tables. If unspecified, this will be "localhost".
+     * 
+     * @return
+     *     The URL of the SQLServer server.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while retrieving the property value.
+     */
+    public String getSQLServerHostname() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_HOSTNAME,
+            DEFAULT_HOSTNAME
+        );
+    }
+    
+    /**
+     * Returns the port number of the SQLServer server hosting the Guacamole
+     * authentication tables. If unspecified, this will be the default
+     * SQLServer port of 5432.
+     * 
+     * @return
+     *     The port number of the SQLServer server.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while retrieving the property value.
+     */
+    public int getSQLServerPort() throws GuacamoleException {
+        return getProperty(
+            SQLServerGuacamoleProperties.SQLSERVER_PORT,
+            DEFAULT_PORT
+        );
+    }
+    
+    /**
+     * Returns the name of the SQLServer database containing the Guacamole
+     * authentication tables.
+     * 
+     * @return
+     *     The name of the SQLServer database.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while retrieving the property value, or if the
+     *     value was not set, as this property is required.
+     */
+    public String getSQLServerDatabase() throws GuacamoleException {
+        return getRequiredProperty(SQLServerGuacamoleProperties.SQLSERVER_DATABASE);
+    }
+    
+    /**
+     * Returns the username that should be used when authenticating with the
+     * SQLServer database containing the Guacamole authentication tables.
+     * 
+     * @return
+     *     The username for the SQLServer database.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while retrieving the property value, or if the
+     *     value was not set, as this property is required.
+     */
+    public String getSQLServerUsername() throws GuacamoleException {
+        return getRequiredProperty(SQLServerGuacamoleProperties.SQLSERVER_USERNAME);
+    }
+    
+    /**
+     * Returns the password that should be used when authenticating with the
+     * SQLServer database containing the Guacamole authentication tables.
+     * 
+     * @return
+     *     The password for the SQLServer database.
+     *
+     * @throws GuacamoleException 
+     *     If an error occurs while retrieving the property value, or if the
+     *     value was not set, as this property is required.
+     */
+    public String getSQLServerPassword() throws GuacamoleException {
+        return getRequiredProperty(SQLServerGuacamoleProperties.SQLSERVER_PASSWORD);
+    }
+    
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java
new file mode 100644
index 000000000..e45f50268
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java
@@ -0,0 +1,200 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.IntegerGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+
+/**
+ * Properties used by the SQLServer Authentication plugin.
+ */
+public class SQLServerGuacamoleProperties {
+
+    /**
+     * This class should not be instantiated.
+     */
+    private SQLServerGuacamoleProperties() {}
+
+    /**
+     * The URL of the SQLServer server hosting the Guacamole authentication tables.
+     */
+    public static final StringGuacamoleProperty SQLSERVER_HOSTNAME =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-hostname"; }
+
+    };
+
+    /**
+     * The port of the SQLServer server hosting the Guacamole authentication
+     * tables.
+     */
+    public static final IntegerGuacamoleProperty SQLSERVER_PORT =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-port"; }
+
+    };
+
+    /**
+     * The name of the SQLServer database containing the Guacamole
+     * authentication tables.
+     */
+    public static final StringGuacamoleProperty SQLSERVER_DATABASE =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-database"; }
+
+    };
+
+    /**
+     * The username used to authenticate to the SQLServer database containing
+     * the Guacamole authentication tables.
+     */
+    public static final StringGuacamoleProperty SQLSERVER_USERNAME =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-username"; }
+
+    };
+
+    /**
+     * The password used to authenticate to the SQLServer database containing
+     * the Guacamole authentication tables.
+     */
+    public static final StringGuacamoleProperty SQLSERVER_PASSWORD =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-password"; }
+
+    };
+
+    /**
+     * Whether a user account within the database is required for authentication
+     * to succeed, even if the user has been authenticated via another
+     * authentication provider.
+     */
+    public static final BooleanGuacamoleProperty
+            SQLSERVER_USER_REQUIRED = new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-required"; }
+
+    };
+
+    /**
+     * Whether or not multiple users accessing the same connection at the same
+     * time should be disallowed.
+     */
+    public static final BooleanGuacamoleProperty
+            SQLSERVER_DISALLOW_SIMULTANEOUS_CONNECTIONS =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-disallow-simultaneous-connections"; }
+
+    };
+
+    /**
+     * Whether or not the same user accessing the same connection or connection
+     * group at the same time should be disallowed.
+     */
+    public static final BooleanGuacamoleProperty
+            SQLSERVER_DISALLOW_DUPLICATE_CONNECTIONS =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-disallow-duplicate-connections"; }
+
+    };
+
+    /**
+     * The maximum number of concurrent connections to allow overall. Zero
+     * denotes unlimited.
+     */
+    public static final IntegerGuacamoleProperty
+            SQLSERVER_ABSOLUTE_MAX_CONNECTIONS =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-absolute-max-connections"; }
+
+    };
+
+    /**
+     * The maximum number of concurrent connections to allow to any one
+     * connection. Zero denotes unlimited.
+     */
+    public static final IntegerGuacamoleProperty
+            SQLSERVER_DEFAULT_MAX_CONNECTIONS =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-default-max-connections"; }
+
+    };
+
+    /**
+     * The maximum number of concurrent connections to allow to any one
+     * connection group. Zero denotes unlimited.
+     */
+    public static final IntegerGuacamoleProperty
+            SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-default-max-group-connections"; }
+
+    };
+
+    /**
+     * The maximum number of concurrent connections to allow to any one
+     * connection by an individual user. Zero denotes unlimited.
+     */
+    public static final IntegerGuacamoleProperty
+            SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-default-max-connections-per-user"; }
+
+    };
+
+    /**
+     * The maximum number of concurrent connections to allow to any one
+     * connection group by an individual user. Zero denotes
+     * unlimited.
+     */
+    public static final IntegerGuacamoleProperty
+            SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-default-max-group-connections-per-user"; }
+
+    };
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java
new file mode 100644
index 000000000..32d12f6e2
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule;
+import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider;
+
+/**
+ * JDBCInjectorProvider implementation which configures Guice injections for
+ * connecting to a SQLServer database based on SQLServer-specific options
+ * provided via guacamole.properties.
+ */
+public class SQLServerInjectorProvider extends JDBCInjectorProvider {
+
+    @Override
+    protected Injector create() throws GuacamoleException {
+
+        // Get local environment
+        SQLServerEnvironment environment = new SQLServerEnvironment();
+
+        // Set up Guice injector
+        return Guice.createInjector(
+            new JDBCAuthenticationProviderModule(environment),
+            new SQLServerAuthenticationProviderModule(environment)
+        );
+
+    }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java
new file mode 100644
index 000000000..f30b180bb
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java
@@ -0,0 +1,194 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
+import org.apache.guacamole.auth.jdbc.security.PasswordPolicy;
+import org.apache.guacamole.properties.BooleanGuacamoleProperty;
+import org.apache.guacamole.properties.IntegerGuacamoleProperty;
+
+/**
+ * PasswordPolicy implementation which reads the details of the policy from
+ * SQLServer-specific properties in guacamole.properties.
+ */
+public class SQLServerPasswordPolicy implements PasswordPolicy {
+
+    /**
+     * The property which specifies the minimum length required of all user
+     * passwords. By default, this will be zero.
+     */
+    private static final IntegerGuacamoleProperty MIN_LENGTH =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-min-length"; }
+
+    };
+
+    /**
+     * The property which specifies the minimum number of days which must
+     * elapse before a user may reset their password. If set to zero, the
+     * default, then this restriction does not apply.
+     */
+    private static final IntegerGuacamoleProperty MIN_AGE =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-min-age"; }
+
+    };
+
+    /**
+     * The property which specifies the maximum number of days which may
+     * elapse before a user is required to reset their password. If set to zero,
+     * the default, then this restriction does not apply.
+     */
+    private static final IntegerGuacamoleProperty MAX_AGE =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-max-age"; }
+
+    };
+
+    /**
+     * The property which specifies the number of previous passwords remembered
+     * for each user. If set to zero, the default, then this restriction does
+     * not apply.
+     */
+    private static final IntegerGuacamoleProperty HISTORY_SIZE =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-history-size"; }
+
+    };
+
+    /**
+     * The property which specifies whether all user passwords must have at
+     * least one lowercase character and one uppercase character. By default,
+     * no such restriction is imposed.
+     */
+    private static final BooleanGuacamoleProperty REQUIRE_MULTIPLE_CASE =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-require-multiple-case"; }
+
+    };
+
+    /**
+     * The property which specifies whether all user passwords must have at
+     * least one numeric character (digit). By default, no such restriction is
+     * imposed.
+     */
+    private static final BooleanGuacamoleProperty REQUIRE_DIGIT =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-require-digit"; }
+
+    };
+
+    /**
+     * The property which specifies whether all user passwords must have at
+     * least one non-alphanumeric character (symbol). By default, no such
+     * restriction is imposed.
+     */
+    private static final BooleanGuacamoleProperty REQUIRE_SYMBOL =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-require-symbol"; }
+
+    };
+
+    /**
+     * The property which specifies whether users are prohibited from including
+     * their own username in their password. By default, no such restriction is
+     * imposed.
+     */
+    private static final BooleanGuacamoleProperty PROHIBIT_USERNAME =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "sqlserver-user-password-prohibit-username"; }
+
+    };
+
+    /**
+     * The Guacamole server environment.
+     */
+    private final JDBCEnvironment environment;
+
+    /**
+     * Creates a new SQLServerPasswordPolicy which reads the details of the
+     * policy from the properties exposed by the given environment.
+     *
+     * @param environment
+     *     The environment from which password policy properties should be
+     *     read.
+     */
+    public SQLServerPasswordPolicy(JDBCEnvironment environment) {
+        this.environment = environment;
+    }
+
+    @Override
+    public int getMinimumLength() throws GuacamoleException {
+        return environment.getProperty(MIN_LENGTH, 0);
+    }
+
+    @Override
+    public int getMinimumAge() throws GuacamoleException {
+        return environment.getProperty(MIN_AGE, 0);
+    }
+
+    @Override
+    public int getMaximumAge() throws GuacamoleException {
+        return environment.getProperty(MAX_AGE, 0);
+    }
+
+    @Override
+    public int getHistorySize() throws GuacamoleException {
+        return environment.getProperty(HISTORY_SIZE, 0);
+    }
+
+    @Override
+    public boolean isMultipleCaseRequired() throws GuacamoleException {
+        return environment.getProperty(REQUIRE_MULTIPLE_CASE, false);
+    }
+
+    @Override
+    public boolean isNumericRequired() throws GuacamoleException {
+        return environment.getProperty(REQUIRE_DIGIT, false);
+    }
+
+    @Override
+    public boolean isNonAlphanumericRequired() throws GuacamoleException {
+        return environment.getProperty(REQUIRE_SYMBOL, false);
+    }
+
+    @Override
+    public boolean isUsernameProhibited() throws GuacamoleException {
+        return environment.getProperty(PROHIBIT_USERNAME, false);
+    }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerSharedAuthenticationProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerSharedAuthenticationProvider.java
new file mode 100644
index 000000000..0a3c8d31f
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerSharedAuthenticationProvider.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sqlserver;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.InjectedAuthenticationProvider;
+import org.apache.guacamole.auth.jdbc.sharing.SharedAuthenticationProviderService;
+
+/**
+ * Provides a implementation of AuthenticationProvider which interacts with the
+ * SQLServer AuthenticationProvider, accepting share keys as credentials and
+ * providing access to the shared connections.
+ */
+public class SQLServerSharedAuthenticationProvider extends InjectedAuthenticationProvider {
+
+    /**
+     * Creates a new SQLServerSharedAuthenticationProvider that provides access
+     * to shared connections exposed by the SQLServerAuthenticationProvider.
+     *
+     * @throws GuacamoleException
+     *     If a required property is missing, or an error occurs while parsing
+     *     a property.
+     */
+    public SQLServerSharedAuthenticationProvider() throws GuacamoleException {
+        super(new SQLServerInjectorProvider(), SharedAuthenticationProviderService.class);
+    }
+
+    @Override
+    public String getIdentifier() {
+        return "sqlserver-shared";
+    }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/package-info.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/package-info.java
new file mode 100644
index 000000000..7bbe1b2e3
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/package-info.java
@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * The SQLServer authentication provider.
+ */
+package org.apache.guacamole.auth.sqlserver;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/guac-manifest.json b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/guac-manifest.json
new file mode 100644
index 000000000..ee61ab578
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/guac-manifest.json
@@ -0,0 +1,28 @@
+{
+
+    "guacamoleVersion" : "0.9.13-incubating",
+
+    "name"      : "SQLServer Authentication",
+    "namespace" : "guac-sqlserver",
+
+    "authProviders" : [
+        "org.apache.guacamole.auth.sqlserver.SQLServerAuthenticationProvider",
+        "org.apache.guacamole.auth.sqlserver.SQLServerSharedAuthenticationProvider"
+    ],
+
+    "css" : [
+        "styles/jdbc.css"
+    ],
+
+    "html" : [
+        "html/shared-connection.html"
+    ],
+
+    "translations" : [
+        "translations/en.json",
+        "translations/fr.json",
+        "translations/ru.json"
+    ]
+
+}
+
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
new file mode 100644
index 000000000..24008fcc4
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
@@ -0,0 +1,235 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.connection.ConnectionMapper" >
+
+    <!-- Result mapper for connection objects -->
+    <resultMap id="ConnectionResultMap" type="org.apache.guacamole.auth.jdbc.connection.ConnectionModel" >
+
+        <!-- Connection properties -->
+        <id     column="connection_id"            property="objectID"              jdbcType="INTEGER"/>
+        <result column="connection_name"          property="name"                  jdbcType="VARCHAR"/>
+        <result column="parent_id"                property="parentIdentifier"      jdbcType="INTEGER"/>
+        <result column="protocol"                 property="protocol"              jdbcType="VARCHAR"/>
+        <result column="max_connections"          property="maxConnections"        jdbcType="INTEGER"/>
+        <result column="max_connections_per_user" property="maxConnectionsPerUser" jdbcType="INTEGER"/>
+        <result column="proxy_hostname"           property="proxyHostname"         jdbcType="VARCHAR"/>
+        <result column="proxy_port"               property="proxyPort"             jdbcType="INTEGER"/>
+        <result column="proxy_encryption_method"  property="proxyEncryptionMethod" jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.GuacamoleProxyConfiguration$EncryptionMethod"/>
+        <result column="connection_weight"        property="connectionWeight"      jdbcType="INTEGER"/>
+        <result column="failover_only"            property="failoverOnly"          jdbcType="BOOLEAN"/>
+
+        <!-- Associated sharing profiles -->
+        <collection property="sharingProfileIdentifiers" resultSet="sharingProfiles" ofType="java.lang.String"
+                    column="connection_id" foreignColumn="primary_connection_id">
+            <result column="sharing_profile_id"/>
+        </collection>
+
+    </resultMap>
+
+    <!-- Select all connection identifiers -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT connection_id 
+        FROM [guacamole].[connection]
+    </select>
+
+    <!-- Select identifiers of all readable connections -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT connection_id
+        FROM [guacamole].[connection_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select all connection identifiers within a particular connection group -->
+    <select id="selectIdentifiersWithin" resultType="string">
+        SELECT connection_id 
+        FROM [guacamole].[connection]
+        WHERE
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+    </select>
+
+    <!-- Select identifiers of all readable connections within a particular connection group -->
+    <select id="selectReadableIdentifiersWithin" resultType="string">
+        SELECT [guacamole].[connection].connection_id
+        FROM [guacamole].[connection]
+        JOIN [guacamole].[connection_permission] ON [guacamole].[connection_permission].connection_id = [guacamole].[connection].connection_id
+        WHERE
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple connections by identifier -->
+    <select id="select" resultMap="ConnectionResultMap"
+            resultSets="connections,sharingProfiles">
+
+        SELECT
+            connection_id,
+            connection_name,
+            parent_id,
+            protocol,
+            max_connections,
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method,
+            connection_weight,
+            failover_only
+        FROM [guacamole].[connection]
+        WHERE connection_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>;
+
+        SELECT primary_connection_id, sharing_profile_id
+        FROM [guacamole].[sharing_profile]
+        WHERE primary_connection_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>;
+
+    </select>
+
+    <!-- Select multiple connections by identifier only if readable -->
+    <select id="selectReadable" resultMap="ConnectionResultMap"
+            resultSets="connections,sharingProfiles">
+
+        SELECT
+            [guacamole].[connection].connection_id,
+            connection_name,
+            parent_id,
+            protocol,
+            max_connections,
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method,
+            connection_weight,
+            failover_only
+        FROM [guacamole].[connection]
+        JOIN [guacamole].[connection_permission] ON [guacamole].[connection_permission].connection_id = [guacamole].[connection].connection_id
+        WHERE [guacamole].[connection].connection_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ';
+
+        SELECT primary_connection_id, [guacamole].[sharing_profile].sharing_profile_id
+        FROM [guacamole].[sharing_profile]
+        JOIN [guacamole].[sharing_profile_permission] ON [guacamole].[sharing_profile_permission].sharing_profile_id = [guacamole].[sharing_profile].sharing_profile_id
+        WHERE primary_connection_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ';
+
+    </select>
+
+    <!-- Select single connection by name -->
+    <select id="selectOneByName" resultMap="ConnectionResultMap">
+
+        SELECT
+            connection_id,
+            connection_name,
+            parent_id,
+            protocol,
+            max_connections,
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method,
+            connection_weight,
+            failover_only
+        FROM [guacamole].[connection]
+        WHERE 
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+            AND connection_name = #{name,jdbcType=VARCHAR}
+
+    </select>
+
+    <!-- Delete single connection by identifier -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[connection]
+        WHERE connection_id = #{identifier,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert single connection -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.connection.ConnectionModel">
+
+        INSERT INTO [guacamole].[connection] (
+            connection_name,
+            parent_id,
+            protocol,
+            max_connections,
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method,
+            connection_weight,
+            failover_only
+        )
+        VALUES (
+            #{object.name,jdbcType=VARCHAR},
+            #{object.parentIdentifier,jdbcType=INTEGER},
+            #{object.protocol,jdbcType=VARCHAR},
+            #{object.maxConnections,jdbcType=INTEGER},
+            #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            #{object.proxyHostname,jdbcType=VARCHAR},
+            #{object.proxyPort,jdbcType=INTEGER},
+            #{object.proxyEncryptionMethod,jdbcType=VARCHAR},
+            #{object.connectionWeight,jdbcType=INTEGER},
+            #{object.failoverOnly,jdbcType=INTEGER}
+        )
+
+    </insert>
+
+    <!-- Update single connection -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.connection.ConnectionModel">
+        UPDATE [guacamole].[connection]
+        SET connection_name          = #{object.name,jdbcType=VARCHAR},
+            parent_id                = #{object.parentIdentifier,jdbcType=INTEGER},
+            protocol                 = #{object.protocol,jdbcType=VARCHAR},
+            max_connections          = #{object.maxConnections,jdbcType=INTEGER},
+            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            proxy_hostname           = #{object.proxyHostname,jdbcType=VARCHAR},
+            proxy_port               = #{object.proxyPort,jdbcType=INTEGER},
+            proxy_encryption_method  = #{object.proxyEncryptionMethod,jdbcType=VARCHAR},
+            connection_weight        = #{object.connectionWeight,jdbcType=INTEGER},
+            failover_only            = #{object.failoverOnly,jdbcType=INTEGER}
+        WHERE connection_id = #{object.objectID,jdbcType=INTEGER}
+    </update>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml
new file mode 100644
index 000000000..de1ab97c1
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.connection.ConnectionParameterMapper">
+
+    <!-- Result mapper for connection parameters -->
+    <resultMap id="ParameterResultMap" type="org.apache.guacamole.auth.jdbc.connection.ConnectionParameterModel">
+        <result column="connection_id"   property="connectionIdentifier" jdbcType="INTEGER"/>
+        <result column="parameter_name"  property="name"                 jdbcType="VARCHAR"/>
+        <result column="parameter_value" property="value"                jdbcType="VARCHAR"/>
+    </resultMap>
+
+    <!-- Select all parameters of a given connection -->
+    <select id="select" resultMap="ParameterResultMap">
+        SELECT
+            connection_id,
+            parameter_name,
+            parameter_value
+        FROM [guacamole].[connection_parameter]
+        WHERE
+            connection_id = #{identifier,jdbcType=INTEGER}
+    </select>
+
+    <!-- Delete all parameters of a given connection -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[connection_parameter]
+        WHERE connection_id = #{identifier,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert all given parameters -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.connection.ConnectionParameterModel">
+
+        INSERT INTO [guacamole].[connection_parameter] (
+            connection_id,
+            parameter_name,
+            parameter_value
+        )
+        VALUES 
+            <foreach collection="parameters" item="parameter" separator=",">
+                (#{parameter.connectionIdentifier,jdbcType=INTEGER},
+                 #{parameter.name,jdbcType=VARCHAR},
+                 #{parameter.value,jdbcType=VARCHAR})
+            </foreach>
+
+    </insert>
+
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml
new file mode 100644
index 000000000..ec077db7f
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml
@@ -0,0 +1,216 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.connection.ConnectionRecordMapper" >
+
+    <!-- Result mapper for system permissions -->
+    <resultMap id="ConnectionRecordResultMap" type="org.apache.guacamole.auth.jdbc.connection.ConnectionRecordModel">
+        <result column="connection_id"        property="connectionIdentifier"     jdbcType="INTEGER"/>
+        <result column="connection_name"      property="connectionName"           jdbcType="VARCHAR"/>
+        <result column="remote_host"          property="remoteHost"               jdbcType="VARCHAR"/>
+        <result column="sharing_profile_id"   property="sharingProfileIdentifier" jdbcType="INTEGER"/>
+        <result column="sharing_profile_name" property="sharingProfileName"       jdbcType="VARCHAR"/>
+        <result column="user_id"              property="userID"                   jdbcType="INTEGER"/>
+        <result column="username"             property="username"                 jdbcType="VARCHAR"/>
+        <result column="start_date"           property="startDate"                jdbcType="TIMESTAMP"/>
+        <result column="end_date"             property="endDate"                  jdbcType="TIMESTAMP"/>
+    </resultMap>
+
+    <!-- Select all connection records from a given connection -->
+    <select id="select" resultMap="ConnectionRecordResultMap">
+
+        SELECT
+            [guacamole].[connection_history].connection_id,
+            [guacamole].[connection_history].connection_name,
+            [guacamole].[connection_history].remote_host,
+            [guacamole].[connection_history].sharing_profile_id,
+            [guacamole].[connection_history].sharing_profile_name,
+            [guacamole].[connection_history].user_id,
+            [guacamole].[connection_history].username,
+            [guacamole].[connection_history].start_date,
+            [guacamole].[connection_history].end_date
+        FROM [guacamole].[connection_history]
+        WHERE
+            [guacamole].[connection_history].connection_id = #{identifier,jdbcType=INTEGER}
+        ORDER BY
+            [guacamole].[connection_history].start_date DESC,
+            [guacamole].[connection_history].end_date DESC
+
+    </select>
+
+    <!-- Insert the given connection record -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.connection.ConnectionRecordModel">
+
+        INSERT INTO [guacamole].[connection_history] (
+            connection_id,
+            connection_name,
+            remote_host,
+            sharing_profile_id,
+            sharing_profile_name,
+            user_id,
+            username,
+            start_date,
+            end_date
+        )
+        VALUES (
+            #{record.connectionIdentifier,jdbcType=INTEGER},
+            #{record.connectionName,jdbcType=VARCHAR},
+            #{record.remoteHost,jdbcType=VARCHAR},
+            #{record.sharingProfileIdentifier,jdbcType=INTEGER},
+            #{record.sharingProfileName,jdbcType=VARCHAR},
+            (SELECT user_id FROM [guacamole].[user]
+             WHERE username = #{record.username,jdbcType=VARCHAR}),
+            #{record.username,jdbcType=VARCHAR},
+            #{record.startDate,jdbcType=TIMESTAMP},
+            #{record.endDate,jdbcType=TIMESTAMP}
+        )
+
+    </insert>
+
+    <!-- Search for specific connection records -->
+    <select id="search" resultMap="ConnectionRecordResultMap">
+
+        SELECT
+            [guacamole].[connection_history].connection_id,
+            [guacamole].[connection_history].connection_name,
+            [guacamole].[connection_history].remote_host,
+            [guacamole].[connection_history].sharing_profile_id,
+            [guacamole].[connection_history].sharing_profile_name,
+            [guacamole].[connection_history].user_id,
+            [guacamole].[connection_history].username,
+            [guacamole].[connection_history].start_date,
+            [guacamole].[connection_history].end_date
+        FROM [guacamole].[connection_history]
+
+        <!-- Search terms -->
+        <foreach collection="terms" item="term"
+                 open="WHERE " separator=" AND ">
+            (
+
+                [guacamole].[connection_history].user_id IN (
+                    SELECT user_id
+                    FROM [guacamole].[user]
+                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                )
+
+                OR [guacamole].[connection_history].connection_id IN (
+                    SELECT connection_id
+                    FROM [guacamole].[connection]
+                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN connection_name) > 0
+                )
+
+                <if test="term.startDate != null and term.endDate != null">
+                    OR start_date BETWEEN #{term.startDate,jdbcType=TIMESTAMP} AND #{term.endDate,jdbcType=TIMESTAMP}
+                </if>
+
+            )
+        </foreach>
+
+        <!-- Bind sort property enum values for sake of readability -->
+        <bind name="START_DATE"      value="@org.apache.guacamole.net.auth.ConnectionRecordSet$SortableProperty@START_DATE"/>
+
+        <!-- Sort predicates -->
+        <foreach collection="sortPredicates" item="sortPredicate"
+                 open="ORDER BY " separator=", ">
+            <choose>
+                <when test="sortPredicate.property == START_DATE">[guacamole].[connection_history].start_date</when>
+                <otherwise>1</otherwise>
+            </choose>
+            <if test="sortPredicate.descending">DESC</if>
+        </foreach>
+
+        LIMIT #{limit,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Search for specific connection records -->
+    <select id="searchReadable" resultMap="ConnectionRecordResultMap">
+
+        SELECT
+            [guacamole].[connection_history].connection_id,
+            [guacamole].[connection_history].connection_name,
+            [guacamole].[connection_history].remote_host,
+            [guacamole].[connection_history].sharing_profile_id,
+            [guacamole].[connection_history].sharing_profile_name,
+            [guacamole].[connection_history].user_id,
+            [guacamole].[connection_history].username,
+            [guacamole].[connection_history].start_date,
+            [guacamole].[connection_history].end_date
+        FROM [guacamole].[connection_history]
+        LEFT JOIN [guacamole].[connection]            ON [guacamole].[connection_history].connection_id = [guacamole].[connection].connection_id
+        LEFT JOIN [guacamole].[user]                  ON [guacamole].[connection_history].user_id       = [guacamole].[user].user_id
+
+        <!-- Restrict to readable connections -->
+        JOIN [guacamole].[connection_permission] ON
+                [guacamole].[connection_history].connection_id = [guacamole].[connection_permission].connection_id
+            AND [guacamole].[connection_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole].[connection_permission].permission = 'READ'
+
+        <!-- Restrict to readable users -->
+        JOIN [guacamole].[user_permission] ON
+                [guacamole].[connection_history].user_id = [guacamole].[user_permission].affected_user_id
+            AND [guacamole].[user_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole].[user_permission].permission = 'READ'
+
+        <!-- Search terms -->
+        <foreach collection="terms" item="term"
+                 open="WHERE " separator=" AND ">
+            (
+
+                [guacamole].[connection_history].user_id IN (
+                    SELECT user_id
+                    FROM [guacamole].[user]
+                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                )
+
+                OR [guacamole].[connection_history].connection_id IN (
+                    SELECT connection_id
+                    FROM [guacamole].[connection]
+                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN connection_name) > 0
+                )
+
+                <if test="term.startDate != null and term.endDate != null">
+                    OR start_date BETWEEN #{term.startDate,jdbcType=TIMESTAMP} AND #{term.endDate,jdbcType=TIMESTAMP}
+                </if>
+
+            )
+        </foreach>
+
+        <!-- Bind sort property enum values for sake of readability -->
+        <bind name="START_DATE"      value="@org.apache.guacamole.net.auth.ConnectionRecordSet$SortableProperty@START_DATE"/>
+
+        <!-- Sort predicates -->
+        <foreach collection="sortPredicates" item="sortPredicate"
+                 open="ORDER BY " separator=", ">
+            <choose>
+                <when test="sortPredicate.property == START_DATE">[guacamole].[connection_history].start_date</when>
+                <otherwise>1</otherwise>
+            </choose>
+            <if test="sortPredicate.descending">DESC</if>
+        </foreach>
+
+        LIMIT #{limit,jdbcType=INTEGER}
+
+    </select>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
new file mode 100644
index 000000000..47a3e63d5
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
@@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupMapper" >
+
+    <!-- Result mapper for connection objects -->
+    <resultMap id="ConnectionGroupResultMap" type="org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupModel" >
+
+        <!-- Connection group properties -->
+        <id     column="connection_group_id"      property="objectID"               jdbcType="INTEGER"/>
+        <result column="connection_group_name"    property="name"                   jdbcType="VARCHAR"/>
+        <result column="parent_id"                property="parentIdentifier"       jdbcType="INTEGER"/>
+        <result column="type"                     property="type"                   jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.ConnectionGroup$Type"/>
+        <result column="max_connections"          property="maxConnections"         jdbcType="INTEGER"/>
+        <result column="max_connections_per_user" property="maxConnectionsPerUser"  jdbcType="INTEGER"/>
+        <result column="enable_session_affinity"  property="sessionAffinityEnabled" jdbcType="INTEGER"/>
+
+        <!-- Child connection groups -->
+        <collection property="connectionGroupIdentifiers" resultSet="childConnectionGroups" ofType="java.lang.String"
+                    column="connection_group_id" foreignColumn="parent_id">
+            <result column="connection_group_id"/>
+        </collection>
+
+        <!-- Child connections -->
+        <collection property="connectionIdentifiers" resultSet="childConnections" ofType="java.lang.String"
+                    column="connection_group_id" foreignColumn="parent_id">
+            <result column="connection_id"/>
+        </collection>
+
+    </resultMap>
+
+    <!-- Select all connection group identifiers -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT connection_group_id 
+        FROM [guacamole].[connection_group]
+    </select>
+
+    <!-- Select identifiers of all readable connection groups -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT connection_group_id
+        FROM [guacamole].[connection_group_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select all connection identifiers within a particular connection group -->
+    <select id="selectIdentifiersWithin" resultType="string">
+        SELECT connection_group_id 
+        FROM [guacamole].[connection_group]
+        WHERE
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+    </select>
+
+    <!-- Select identifiers of all readable connection groups within a particular connection group -->
+    <select id="selectReadableIdentifiersWithin" resultType="string">
+        SELECT [guacamole].[connection_group].connection_group_id
+        FROM [guacamole].[connection_group]
+        JOIN [guacamole].[connection_group_permission] ON [guacamole].[connection_group_permission].connection_group_id = [guacamole].[connection_group].connection_group_id
+        WHERE
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple connection groups by identifier -->
+    <select id="select" resultMap="ConnectionGroupResultMap"
+            resultSets="connectionGroups,childConnectionGroups,childConnections">
+
+        SELECT
+            connection_group_id,
+            connection_group_name,
+            parent_id,
+            type,
+            max_connections,
+            max_connections_per_user,
+            enable_session_affinity
+        FROM [guacamole].[connection_group]
+        WHERE connection_group_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>;
+
+        SELECT parent_id, connection_group_id
+        FROM [guacamole].[connection_group]
+        WHERE parent_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>;
+
+        SELECT parent_id, connection_id
+        FROM [guacamole].[connection]
+        WHERE parent_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>;
+
+    </select>
+
+    <!-- Select multiple connection groups by identifier only if readable -->
+    <select id="selectReadable" resultMap="ConnectionGroupResultMap"
+            resultSets="connectionGroups,childConnectionGroups,childConnections">
+
+        SELECT
+            [guacamole].[connection_group].connection_group_id,
+            connection_group_name,
+            parent_id,
+            type,
+            max_connections,
+            max_connections_per_user,
+            enable_session_affinity
+        FROM [guacamole].[connection_group]
+        JOIN [guacamole].[connection_group_permission] ON [guacamole].[connection_group_permission].connection_group_id = [guacamole].[connection_group].connection_group_id
+        WHERE [guacamole].[connection_group].connection_group_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ';
+
+        SELECT parent_id, [guacamole].[connection_group].connection_group_id
+        FROM [guacamole].[connection_group]
+        JOIN [guacamole].[connection_group_permission] ON [guacamole].[connection_group_permission].connection_group_id = [guacamole].[connection_group].connection_group_id
+        WHERE parent_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ';
+
+        SELECT parent_id, [guacamole].[connection].connection_id
+        FROM [guacamole].[connection]
+        JOIN [guacamole].[connection_permission] ON [guacamole].[connection_permission].connection_id = [guacamole].[connection].connection_id
+        WHERE parent_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ';
+
+    </select>
+
+    <!-- Select single connection group by name -->
+    <select id="selectOneByName" resultMap="ConnectionGroupResultMap">
+
+        SELECT
+            connection_group_id,
+            connection_group_name,
+            parent_id,
+            type,
+            max_connections,
+            max_connections_per_user,
+            enable_session_affinity
+        FROM [guacamole].[connection_group]
+        WHERE 
+            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
+            <if test="parentIdentifier == null">parent_id IS NULL</if>
+            AND connection_group_name = #{name,jdbcType=VARCHAR}
+
+    </select>
+
+    <!-- Delete single connection group by identifier -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[connection_group]
+        WHERE connection_group_id = #{identifier,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert single connection -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupModel">
+
+        INSERT INTO [guacamole].[connection_group] (
+            connection_group_name,
+            parent_id,
+            type,
+            max_connections,
+            max_connections_per_user,
+            enable_session_affinity
+        )
+        VALUES (
+            #{object.name,jdbcType=VARCHAR},
+            #{object.parentIdentifier,jdbcType=INTEGER},
+            #{object.type,jdbcType=VARCHAR},
+            #{object.maxConnections,jdbcType=INTEGER},
+            #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            #{object.sessionAffinityEnabled,jdbcType=INTEGER}
+        )
+
+    </insert>
+
+    <!-- Update single connection group -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupModel">
+        UPDATE [guacamole].[connection_group]
+        SET connection_group_name    = #{object.name,jdbcType=VARCHAR},
+            parent_id                = #{object.parentIdentifier,jdbcType=INTEGER},
+            type                     = #{object.type,jdbcType=VARCHAR},
+            max_connections          = #{object.maxConnections,jdbcType=INTEGER},
+            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            enable_session_affinity  = #{object.sessionAffinityEnabled,jdbcType=INTEGER}
+        WHERE connection_group_id = #{object.objectID,jdbcType=INTEGER}
+    </update>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
new file mode 100644
index 000000000..2890ab31d
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper" >
+
+    <!-- Result mapper for connection permissions -->
+    <resultMap id="ConnectionGroupPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="user_id"             property="userID"           jdbcType="INTEGER"/>
+        <result column="username"            property="username"         jdbcType="VARCHAR"/>
+        <result column="permission"          property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="connection_group_id" property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given user -->
+    <select id="select" resultMap="ConnectionGroupPermissionResultMap">
+
+        SELECT
+            [guacamole].[connection_group_permission].user_id,
+            username,
+            permission,
+            connection_group_id
+        FROM [guacamole].[connection_group_permission]
+        JOIN [guacamole].[user] ON [guacamole].[connection_group_permission].user_id = [guacamole].[user].user_id
+        WHERE [guacamole].[connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="ConnectionGroupPermissionResultMap">
+
+        SELECT
+            [guacamole].[connection_group_permission].user_id,
+            username,
+            permission,
+            connection_group_id
+        FROM [guacamole].[connection_group_permission]
+        JOIN [guacamole].[user] ON [guacamole].[connection_group_permission].user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND connection_group_id = #{identifier,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT connection_group_id 
+        FROM [guacamole].[connection_group_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND connection_group_id IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=INTEGER}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE FROM [guacamole].[connection_group_permission]
+        WHERE (user_id, permission, connection_group_id) IN
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="," close=")">
+                (#{permission.userID,jdbcType=INTEGER},
+                 #{permission.type,jdbcType=VARCHAR},
+                 #{permission.objectIdentifier,jdbcType=INTEGER})
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole].[connection_group_permission] (
+            user_id,
+            permission,
+            connection_group_id
+        )
+        SELECT DISTINCT
+            permissions.user_id,
+            permissions.permission,
+            permissions.connection_group_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                       #{permission.type,jdbcType=VARCHAR} AS permission,
+                       #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_group_id
+            </foreach>
+        AS permissions
+        WHERE (user_id, permission, connection_group_id) NOT IN (
+            SELECT
+                [guacamole].[connection_group_permission].user_id,
+                [guacamole].[connection_group_permission].permission,
+                [guacamole].[connection_group_permission].connection_group_id
+            FROM [guacamole].[connection_group_permission]
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml
new file mode 100644
index 000000000..8ea85bc3c
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionMapper" >
+
+    <!-- Result mapper for connection permissions -->
+    <resultMap id="ConnectionPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="user_id"       property="userID"           jdbcType="INTEGER"/>
+        <result column="username"      property="username"         jdbcType="VARCHAR"/>
+        <result column="permission"    property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="connection_id" property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given user -->
+    <select id="select" resultMap="ConnectionPermissionResultMap">
+
+        SELECT
+            [guacamole].[connection_permission].user_id,
+            username,
+            permission,
+            connection_id
+        FROM [guacamole].[connection_permission]
+        JOIN [guacamole].[user] ON [guacamole].[connection_permission].user_id = [guacamole].[user].user_id
+        WHERE [guacamole].[connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="ConnectionPermissionResultMap">
+
+        SELECT
+            [guacamole].[connection_permission].user_id,
+            username,
+            permission,
+            connection_id
+        FROM [guacamole].[connection_permission]
+        JOIN [guacamole].[user] ON [guacamole].[connection_permission].user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND connection_id = #{identifier,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT connection_id 
+        FROM [guacamole].[connection_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND connection_id IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=INTEGER}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE FROM [guacamole].[connection_permission]
+        WHERE (user_id, permission, connection_id) IN
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="," close=")">
+                (#{permission.userID,jdbcType=INTEGER},
+                 #{permission.type,jdbcType=VARCHAR},
+                 #{permission.objectIdentifier,jdbcType=INTEGER})
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole].[connection_permission] (
+            user_id,
+            permission,
+            connection_id
+        )
+        SELECT DISTINCT
+            permissions.user_id,
+            permissions.permission,
+            permissions.connection_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                       #{permission.type,jdbcType=VARCHAR} AS permission,
+                       #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_id
+            </foreach>
+        AS permissions
+        WHERE (user_id, permission, connection_id) NOT IN (
+            SELECT
+                [guacamole].[connection_permission].user_id,
+                [guacamole].[connection_permission].permission,
+                [guacamole].[connection_permission].connection_id
+            FROM [guacamole].[connection_permission]
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml
new file mode 100644
index 000000000..cb706b8d4
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper">
+
+    <!-- Result mapper for sharing profile permissions -->
+    <resultMap id="SharingProfilePermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="user_id"            property="userID"           jdbcType="INTEGER"/>
+        <result column="username"           property="username"         jdbcType="VARCHAR"/>
+        <result column="permission"         property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="sharing_profile_id" property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given user -->
+    <select id="select" resultMap="SharingProfilePermissionResultMap">
+
+        SELECT
+            [guacamole].[sharing_profile_permission].user_id,
+            username,
+            permission,
+            sharing_profile_id
+        FROM [guacamole].[sharing_profile_permission]
+        JOIN [guacamole].[user] ON [guacamole].[sharing_profile_permission].user_id = [guacamole].[user].user_id
+        WHERE [guacamole].[sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="SharingProfilePermissionResultMap">
+
+        SELECT
+            [guacamole].[sharing_profile_permission].user_id,
+            username,
+            permission,
+            sharing_profile_id
+        FROM [guacamole].[sharing_profile_permission]
+        JOIN [guacamole].[user] ON [guacamole].[sharing_profile_permission].user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND sharing_profile_id = #{identifier,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT sharing_profile_id
+        FROM [guacamole].[sharing_profile_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND sharing_profile_id IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=INTEGER}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE FROM [guacamole].[sharing_profile_permission]
+        WHERE (user_id, permission, sharing_profile_id) IN
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="," close=")">
+                (#{permission.userID,jdbcType=INTEGER},
+                 #{permission.type,jdbcType=VARCHAR},
+                 #{permission.objectIdentifier,jdbcType=INTEGER})
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole].[sharing_profile_permission] (
+            user_id,
+            permission,
+            sharing_profile_id
+        )
+        SELECT DISTINCT
+            permissions.user_id,
+            permissions.permission,
+            permissions.sharing_profile_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                       #{permission.type,jdbcType=VARCHAR} AS permission,
+                       #{permission.objectIdentifier,jdbcType=INTEGER} AS sharing_profile_id
+            </foreach>
+        AS permissions
+        WHERE (user_id, permission, sharing_profile_id) NOT IN (
+            SELECT
+                [guacamole].[sharing_profile_permission].user_id,
+                [guacamole].[sharing_profile_permission].permission,
+                [guacamole].[sharing_profile_permission].sharing_profile_id
+            FROM [guacamole].[sharing_profile_permission]
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml
new file mode 100644
index 000000000..d9e622b69
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.SystemPermissionMapper" >
+
+    <!-- Result mapper for system permissions -->
+    <resultMap id="SystemPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
+        <result column="user_id"    property="userID"   jdbcType="INTEGER"/>
+        <result column="username"   property="username" jdbcType="VARCHAR"/>
+        <result column="permission" property="type"     jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.SystemPermission$Type"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given user -->
+    <select id="select" resultMap="SystemPermissionResultMap">
+
+        SELECT
+            [guacamole].[system_permission].user_id,
+            username,
+            permission
+        FROM [guacamole].[system_permission]
+        JOIN [guacamole].[user] ON [guacamole].[system_permission].user_id = [guacamole].[user].user_id
+        WHERE [guacamole].[system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="SystemPermissionResultMap">
+
+        SELECT
+            [guacamole].[system_permission].user_id,
+            username,
+            permission
+        FROM [guacamole].[system_permission]
+        JOIN [guacamole].[user] ON [guacamole].[system_permission].user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = #{type,jdbcType=VARCHAR}
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
+
+        DELETE FROM [guacamole].[system_permission]
+        WHERE (user_id, permission) IN
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="," close=")">
+                (#{permission.userID,jdbcType=INTEGER},
+                 #{permission.type,jdbcType=VARCHAR})
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
+
+        INSERT INTO [guacamole].[system_permission] (
+            user_id,
+            permission
+        )
+        SELECT DISTINCT
+            permissions.user_id,
+            permissions.permission
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                       #{permission.type,jdbcType=VARCHAR} AS permission
+            </foreach>
+        AS permissions
+        WHERE (user_id, permission) NOT IN (
+            SELECT
+                [guacamole].[system_permission].user_id,
+                [guacamole].[system_permission].permission
+            FROM [guacamole].[system_permission]
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml
new file mode 100644
index 000000000..595c3263d
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.UserPermissionMapper" >
+
+    <!-- Result mapper for user permissions -->
+    <resultMap id="UserPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="user_id"           property="userID"           jdbcType="INTEGER"/>
+        <result column="username"          property="username"         jdbcType="VARCHAR"/>
+        <result column="permission"        property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="affected_username" property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given user -->
+    <select id="select" resultMap="UserPermissionResultMap">
+
+        SELECT
+            [guacamole].[user_permission].user_id,
+            [guacamole].[user].username,
+            permission,
+            affected.username AS affected_username
+        FROM [guacamole].[user_permission]
+        JOIN [guacamole].[user] ON [guacamole].[user_permission].user_id = [guacamole].[user].user_id
+        JOIN [guacamole].[user] affected ON [guacamole].[user_permission].affected_user_id = affected.user_id
+        WHERE [guacamole].[user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="UserPermissionResultMap">
+
+        SELECT
+            [guacamole].[user_permission].user_id,
+            [guacamole].[user].username,
+            permission,
+            affected.username AS affected_username
+        FROM [guacamole].[user_permission]
+        JOIN [guacamole].[user] ON [guacamole].[user_permission].user_id = [guacamole].[user].user_id
+        JOIN [guacamole].[user] affected ON [guacamole].[user_permission].affected_user_id = affected.user_id
+        WHERE
+            [guacamole].[user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND affected.username = #{identifier,jdbcType=INTEGER}
+
+    </select>
+
+    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT username
+        FROM [guacamole].[user_permission]
+        JOIN [guacamole].[user] ON [guacamole].[user_permission].affected_user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND username IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=INTEGER}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE FROM [guacamole].[user_permission]
+        USING [guacamole].[user] affected
+        WHERE
+            [guacamole].[user_permission].affected_user_id = affected.user_id
+            AND ([guacamole].[user_permission].user_id, permission, affected.username) IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    (#{permission.userID,jdbcType=INTEGER},
+                     #{permission.type,jdbcType=VARCHAR},
+                     #{permission.objectIdentifier,jdbcType=INTEGER})
+                </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole].[user_permission] (
+            user_id,
+            permission,
+            affected_user_id
+        )
+        SELECT DISTINCT
+            permissions.user_id,
+            permissions.permission,
+            [guacamole].[user].user_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                       #{permission.type,jdbcType=VARCHAR} AS permission,
+                       #{permission.objectIdentifier,jdbcType=INTEGER}                       AS username
+            </foreach>
+        AS permissions
+        JOIN [guacamole].[user] ON [guacamole].[user].username = permissions.username
+        WHERE (permissions.user_id, permissions.permission, [guacamole].[user].user_id) NOT IN (
+            SELECT
+                [guacamole].[user_permission].user_id,
+                [guacamole].[user_permission].permission,
+                [guacamole].[user_permission].affected_user_id
+            FROM [guacamole].[user_permission]
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
new file mode 100644
index 000000000..9d7d45abd
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileMapper">
+
+    <!-- Result mapper for sharing profile objects -->
+    <resultMap id="SharingProfileResultMap" type="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
+        <id     column="sharing_profile_id"    property="objectID"         jdbcType="INTEGER"/>
+        <result column="sharing_profile_name"  property="name"             jdbcType="VARCHAR"/>
+        <result column="primary_connection_id" property="parentIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all sharing profile identifiers -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT sharing_profile_id
+        FROM [guacamole].[sharing_profile]
+    </select>
+
+    <!-- Select identifiers of all readable sharing profiles -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT sharing_profile_id
+        FROM [guacamole].[sharing_profile_permission]
+        WHERE
+            user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple sharing profiles by identifier -->
+    <select id="select" resultMap="SharingProfileResultMap">
+
+        SELECT
+            sharing_profile_id,
+            sharing_profile_name,
+            primary_connection_id
+        FROM [guacamole].[sharing_profile]
+        WHERE sharing_profile_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+
+    </select>
+
+    <!-- Select multiple sharing profiles by identifier only if readable -->
+    <select id="selectReadable" resultMap="SharingProfileResultMap">
+
+        SELECT
+            [guacamole].[sharing_profile].sharing_profile_id,
+            [guacamole].[sharing_profile].sharing_profile_name,
+            primary_connection_id
+        FROM [guacamole].[sharing_profile]
+        JOIN [guacamole].[sharing_profile_permission] ON [guacamole].[sharing_profile_permission].sharing_profile_id = [guacamole].[sharing_profile].sharing_profile_id
+        WHERE [guacamole].[sharing_profile].sharing_profile_id IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=INTEGER}
+            </foreach>
+            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+
+    </select>
+
+    <!-- Select single sharing profile by name -->
+    <select id="selectOneByName" resultMap="SharingProfileResultMap">
+
+        SELECT
+            sharing_profile_id,
+            sharing_profile_name,
+            primary_connection_id
+        FROM [guacamole].[sharing_profile]
+        WHERE 
+            primary_connection_id = #{parentIdentifier,jdbcType=INTEGER}
+            AND sharing_profile_name = #{name,jdbcType=VARCHAR}
+
+    </select>
+
+    <!-- Delete single sharing profile by identifier -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[sharing_profile]
+        WHERE sharing_profile_id = #{identifier,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert single sharing profile -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
+
+        INSERT INTO [guacamole].[sharing_profile] (
+            sharing_profile_name,
+            primary_connection_id
+        )
+        VALUES (
+            #{object.name,jdbcType=VARCHAR},
+            #{object.parentIdentifier,jdbcType=INTEGER}
+        )
+
+    </insert>
+
+    <!-- Update single sharing profile -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
+        UPDATE [guacamole].[sharing_profile]
+        SET sharing_profile_name  = #{object.name,jdbcType=VARCHAR},
+            primary_connection_id = #{object.parentIdentifier,jdbcType=INTEGER}
+        WHERE sharing_profile_id = #{object.objectID,jdbcType=INTEGER}
+    </update>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileParameterMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileParameterMapper.xml
new file mode 100644
index 000000000..8835350b7
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileParameterMapper.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterMapper">
+
+    <!-- Result mapper for sharing profile parameters -->
+    <resultMap id="ParameterResultMap" type="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterModel">
+        <result column="sharing_profile_id" property="sharingProfileIdentifier" jdbcType="INTEGER"/>
+        <result column="parameter_name"     property="name"                     jdbcType="VARCHAR"/>
+        <result column="parameter_value"    property="value"                    jdbcType="VARCHAR"/>
+    </resultMap>
+
+    <!-- Select all parameters of a given sharing profile -->
+    <select id="select" resultMap="ParameterResultMap">
+        SELECT
+            sharing_profile_id,
+            parameter_name,
+            parameter_value
+        FROM [guacamole].[sharing_profile_parameter]
+        WHERE
+            sharing_profile_id = #{identifier,jdbcType=INTEGER}
+    </select>
+
+    <!-- Delete all parameters of a given sharing profile -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[sharing_profile_parameter]
+        WHERE sharing_profile_id = #{identifier,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert all given parameters -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterModel">
+
+        INSERT INTO [guacamole].[sharing_profile_parameter] (
+            sharing_profile_id,
+            parameter_name,
+            parameter_value
+        )
+        VALUES 
+            <foreach collection="parameters" item="parameter" separator=",">
+                (#{parameter.sharingProfileIdentifier,jdbcType=INTEGER}
+                 #{parameter.name,jdbcType=VARCHAR},
+                 #{parameter.value,jdbcType=VARCHAR})
+            </foreach>
+
+    </insert>
+
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
new file mode 100644
index 000000000..9ad67a6f3
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.user.PasswordRecordMapper" >
+
+    <!-- Result mapper for historical passwords -->
+    <resultMap id="PasswordRecordResultMap" type="org.apache.guacamole.auth.jdbc.user.PasswordRecordModel">
+        <result column="user_id"       property="userID"       jdbcType="INTEGER"/>
+        <result column="password_hash" property="passwordHash" jdbcType="BINARY"/>
+        <result column="password_salt" property="passwordSalt" jdbcType="BINARY"/>
+        <result column="password_date" property="passwordDate" jdbcType="TIMESTAMP"/>
+    </resultMap>
+
+    <!-- Select all password records for a given user -->
+    <select id="select" resultMap="PasswordRecordResultMap">
+
+        SELECT
+            [guacamole].[user_password_history].user_id,
+            [guacamole].[user_password_history].password_hash,
+            [guacamole].[user_password_history].password_salt,
+            [guacamole].[user_password_history].password_date
+        FROM [guacamole].[user_password_history]
+        JOIN [guacamole].[user] ON [guacamole].[user_password_history].user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[user].username = #{username,jdbcType=VARCHAR}
+        ORDER BY
+            [guacamole].[user_password_history].password_date DESC
+        LIMIT #{maxHistorySize}
+
+    </select>
+
+    <!-- Insert the given password record -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.user.PasswordRecordModel">
+
+        INSERT INTO [guacamole].[user_password_history] (
+            user_id,
+            password_hash,
+            password_salt,
+            password_date
+        )
+        VALUES (
+            #{record.userID,jdbcType=INTEGER},
+            #{record.passwordHash,jdbcType=BINARY},
+            #{record.passwordSalt,jdbcType=BINARY},
+            #{record.passwordDate,jdbcType=TIMESTAMP}
+        );
+
+        DELETE FROM [guacamole].[user_password_history]
+        WHERE password_history_id IN (
+            SELECT password_history_id
+            FROM [guacamole].[user_password_history]
+            WHERE user_id = #{record.userID,jdbcType=INTEGER}
+            ORDER BY password_date DESC
+            OFFSET #{maxHistorySize}
+        );
+
+    </insert>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
new file mode 100644
index 000000000..a4ceea79e
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
@@ -0,0 +1,216 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.user.UserMapper" >
+
+    <!-- Result mapper for user objects -->
+    <resultMap id="UserResultMap" type="org.apache.guacamole.auth.jdbc.user.UserModel" >
+        <id     column="user_id"             property="objectID"           jdbcType="INTEGER"/>
+        <result column="username"            property="identifier"         jdbcType="VARCHAR"/>
+        <result column="password_hash"       property="passwordHash"       jdbcType="BINARY"/>
+        <result column="password_salt"       property="passwordSalt"       jdbcType="BINARY"/>
+        <result column="password_date"       property="passwordDate"       jdbcType="TIMESTAMP"/>
+        <result column="disabled"            property="disabled"           jdbcType="INTEGER"/>
+        <result column="expired"             property="expired"            jdbcType="INTEGER"/>
+        <result column="access_window_start" property="accessWindowStart"  jdbcType="TIME"/>
+        <result column="access_window_end"   property="accessWindowEnd"    jdbcType="TIME"/>
+        <result column="valid_from"          property="validFrom"          jdbcType="DATE"/>
+        <result column="valid_until"         property="validUntil"         jdbcType="DATE"/>
+        <result column="timezone"            property="timeZone"           jdbcType="VARCHAR"/>
+        <result column="full_name"           property="fullName"           jdbcType="VARCHAR"/>
+        <result column="email_address"       property="emailAddress"       jdbcType="VARCHAR"/>
+        <result column="organization"        property="organization"       jdbcType="VARCHAR"/>
+        <result column="organizational_role" property="organizationalRole" jdbcType="VARCHAR"/>
+    </resultMap>
+
+    <!-- Select all usernames -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT username
+        FROM [guacamole].[user]
+    </select>
+
+    <!-- Select usernames of all readable users -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT username
+        FROM [guacamole].[user]
+        JOIN [guacamole].[user_permission] ON affected_user_id = [guacamole].[user].user_id
+        WHERE
+            [guacamole].[user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple users by username -->
+    <select id="select" resultMap="UserResultMap">
+
+        SELECT
+            user_id,
+            username,
+            password_hash,
+            password_salt,
+            password_date,
+            disabled,
+            expired,
+            access_window_start,
+            access_window_end,
+            valid_from,
+            valid_until,
+            timezone,
+            full_name,
+            email_address,
+            organization,
+            organizational_role
+        FROM [guacamole].[user]
+        WHERE username IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+
+    </select>
+
+    <!-- Select multiple users by username only if readable -->
+    <select id="selectReadable" resultMap="UserResultMap">
+
+        SELECT
+            [guacamole].[user].user_id,
+            username,
+            password_hash,
+            password_salt,
+            password_date,
+            disabled,
+            expired,
+            access_window_start,
+            access_window_end,
+            valid_from,
+            valid_until,
+            timezone,
+            full_name,
+            email_address,
+            organization,
+            organizational_role
+        FROM [guacamole].[user]
+        JOIN [guacamole].[user_permission] ON affected_user_id = [guacamole].[user].user_id
+        WHERE username IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole].[user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND permission = 'READ'
+
+    </select>
+
+    <!-- Select single user by username -->
+    <select id="selectOne" resultMap="UserResultMap">
+
+        SELECT
+            user_id,
+            username,
+            password_hash,
+            password_salt,
+            password_date,
+            disabled,
+            expired,
+            access_window_start,
+            access_window_end,
+            valid_from,
+            valid_until,
+            timezone,
+            full_name,
+            email_address,
+            organization,
+            organizational_role
+        FROM [guacamole].[user]
+        WHERE
+            username = #{username,jdbcType=VARCHAR}
+
+    </select>
+
+    <!-- Delete single user by username -->
+    <delete id="delete">
+        DELETE FROM [guacamole].[user]
+        WHERE username = #{identifier,jdbcType=VARCHAR}
+    </delete>
+
+    <!-- Insert single user -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.user.UserModel">
+
+        INSERT INTO [guacamole].[user] (
+            username,
+            password_hash,
+            password_salt,
+            password_date,
+            disabled,
+            expired,
+            access_window_start,
+            access_window_end,
+            valid_from,
+            valid_until,
+            timezone,
+            full_name,
+            email_address,
+            organization,
+            organizational_role
+        )
+        VALUES (
+            #{object.identifier,jdbcType=VARCHAR},
+            #{object.passwordHash,jdbcType=BINARY},
+            #{object.passwordSalt,jdbcType=BINARY},
+            #{object.passwordDate,jdbcType=TIMESTAMP},
+            #{object.disabled,jdbcType=INTEGER},
+            #{object.expired,jdbcType=INTEGER},
+            #{object.accessWindowStart,jdbcType=TIME},
+            #{object.accessWindowEnd,jdbcType=TIME},
+            #{object.validFrom,jdbcType=DATE},
+            #{object.validUntil,jdbcType=DATE},
+            #{object.timeZone,jdbcType=VARCHAR},
+            #{object.fullName,jdbcType=VARCHAR},
+            #{object.emailAddress,jdbcType=VARCHAR},
+            #{object.organization,jdbcType=VARCHAR},
+            #{object.organizationalRole,jdbcType=VARCHAR}
+        )
+
+    </insert>
+
+    <!-- Update single user -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.user.UserModel">
+        UPDATE [guacamole].[user]
+        SET password_hash = #{object.passwordHash,jdbcType=BINARY},
+            password_salt = #{object.passwordSalt,jdbcType=BINARY},
+            password_date = #{object.passwordDate,jdbcType=TIMESTAMP},
+            disabled = #{object.disabled,jdbcType=INTEGER},
+            expired = #{object.expired,jdbcType=INTEGER},
+            access_window_start = #{object.accessWindowStart,jdbcType=TIME},
+            access_window_end = #{object.accessWindowEnd,jdbcType=TIME},
+            valid_from = #{object.validFrom,jdbcType=DATE},
+            valid_until = #{object.validUntil,jdbcType=DATE},
+            timezone = #{object.timeZone,jdbcType=VARCHAR},
+            full_name = #{object.fullName,jdbcType=VARCHAR},
+            email_address = #{object.emailAddress,jdbcType=VARCHAR},
+            organization = #{object.organization,jdbcType=VARCHAR},
+            organizational_role = #{object.organizationalRole,jdbcType=VARCHAR}
+        WHERE user_id = #{object.objectID,jdbcType=VARCHAR}
+    </update>
+
+</mapper>
diff --git a/extensions/guacamole-auth-jdbc/pom.xml b/extensions/guacamole-auth-jdbc/pom.xml
index 2a5ef5b2b..7869c8650 100644
--- a/extensions/guacamole-auth-jdbc/pom.xml
+++ b/extensions/guacamole-auth-jdbc/pom.xml
@@ -70,6 +70,7 @@
         <!-- Database-specific implementations -->
         <module>modules/guacamole-auth-jdbc-mysql</module>
         <module>modules/guacamole-auth-jdbc-postgresql</module>
+        <module>modules/guacamole-auth-jdbc-sqlserver</module>
 
     </modules>