Someone have success to connect a Dockerized .NET Core API 2.2 with SQL Server located in external client cloud server through Kerberos?
Here we're facing these issues:
Scenario 1:
If we use a connection string like this:
Server=tcp:SERVER_IP_ADDRESS,1433; Database=DB_NAME; User Id=USER; Password=PASSWORD;
then, it takes a long time and throws the exception like this:
SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - Success)
Scenario 2:
If we use a connection string like this:
Server=tcp:SERVER_IP_ADDRESS,1433; Database=DB_NAME; User Id=USER; Password=PASSWORD; Trusted_Connection=True;
then, the exception is:
SqlException: Cannot authenticate using Kerberos.
Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate).
So, our hands are tied and we don't know where to run.
Can u help us?
Thanks in advance.
If you don't need strictly kerberos to authenthicate, just use sql user nad password.
To do that create a user on sql server only (not in windows, use ssms to do it or sql script) and use that user, not the windows one.
It seems that you don't use sql server authentication, at least you don't use sql server user but a windows one and sql server tries to authenthicate that user in AD instead authenticating it locally on sql server.
However if you want to use Windows auth, you probably would need to use windows containers and gMSA accounts, see https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-run-container
Related
My Perl IIS web application is getting an SSL Error when the Perl DBI tries to connect to my MS SQL Server database version 11.0.7001 (that's what is listed in SQL Server Manager). The Perl application runs under IIS, and my IIS Basic User Settings Connection is set to Specific User (Domain Administrator).
The SQL Sever database resides on the same system as IIS. The distribution of Perl is Strawberry Perl; IIS' version is 8.5.9600.16384.
I can connect to the database using the SQL Server Manager locally on the server as well as remotely from my workstation. The connection type is SQL username and password. The IIS application listens on port 8085. The IIS permissions are not restricted, and there is no SQL server connection string as part of IIS.
The first page of the application loads, but this first page does not try to connect to the SQL Server database.
I have been looking at Stackoverflow posts -- like this one -- for a while, and have tried some of the suggestions like making a system DSN (which tests correctly), instead of a DSN string in Perl.
None of the suggestions have helped, and many but not all of the posts are dealing with security and certificates, not an application that is behind a firewall. In other words, I do not have security turned on.
To the best of my knowledge there is no security turned on for this application, and Named Pipes and TCP/IP were already turned on, as was suggested in one of the posts I read.
Here is the error:
[Microsoft][ODBC SQL Server Driver][DBMSLPCN]ConnectionOpen (SECCreateCredentials()). (SQL-01000) at ../../include/DbArgs.pm line 266.
DBI connect('driver={SQL Server};server=arlsql\arlsql;database=BuildingPermit;uid=user;pwd=pwd','',...) failed: [Microsoft][ODBC SQL Server Driver][DBMSLPCN]SSL Security error (SQL-08001) [state was 08001 now 01000]
Any suggestions on what to try next would be appreciated.
Edit 1/6/2020
I need to add that my C# client application using .Net ODBC objects successfully accesses the same database on which the web-based Perl DBI code fails. The username and password are the same for the client application as that used in the Perl CGI.
The IIS user for this application runs as the domain administrator, but when creating the DBI connection uses the same username and password. The database is set up for SQL username and password, and, as stated previously, there is no security set, at least that I can tell.
This does not answer the question but is instead a workaround. I consider the following a workaround, because I would still like to know why the DBI call failed with a specific user.
I switched my IIS Basic User Settings Connection from Specific User (Domain Administrator) to Application User (pass-through authentication).
After making this change and restarting IIS, the Perl DBI connection worked, but why?
From Windows using SQL Server Management Studio (SSMS), I can only connect to a SQL Server on a different domain as follows:
C:\> runas /netonly /user:differentDomainName\aUserName "C:\Program Files (x86
)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe -S anIpAddress"
How can I accomplish this connection via JDBC? I've tried using the following connection string with Microsoft's sqljdbc 4.2 driver:
jdbc:sqlserver://anIpAddress:1433;database=MAIN;user=differentDomainName\\aUserName;password=pass
I receive the following error:
com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'differentDomainName\aUserName'
This is the same error that I receive if I start SSMS without using runas and typed differentDomainName\aUserName for Login name in the "Connect to Server" dialog box of SSMS 2012.
Additional Information: The JDBC connection will be established within a application running on Linux. So, running the application using runas is not an option unfortunately.
Another attempt:
I've also tried to use jTDS 1.3.1 with the following connection string:
jdbc:jtds:sqlserver://anIpAddress:1433;databaseName=MAIN;domain=differentDomainName;user=aUserName;password=pass
since aUserName is set up only for Windows authentication. Unfortunately, this produces the following exception:
o.a.tomcat.jdbc.pool.ConnectionPool : Unable to create initial connections of pool.
Followed by
java.sql.SQLException: I/O Error: DB server closed connection.
Permission information: I'm unable to modify anything on the SQL Server machine including any configuration within SQL Server. The "aUserName" account maps to a SQL Server read only Windows authentication only user.
When you connect with MS JDBC driver, you don't specify the password for the user (at least not in the connection string you provided). If your intention was to use integrated security, you should indicate this in the connection string, but then you process has to be authenticated already for differentDomainName\aUserName
Integrated security & JDBC:
https://msdn.microsoft.com/en-us/library/ms378428%28v=sql.110%29.aspx?f=255&MSPPError=-2147217396#Connectingintegrated
Since your plan is to access SQL server from linux, I doubt that you could make integrated security work for that scenario, so you should plan to provide the password in the connection string. I'm not sure if you can provide username/password for a domain user in the connection string (I think you can), but if you switch to a user with SQL server auth, it will certainly work. This should be a fallback option, as SQL server auth is less secure.
I have two SQL Servers : one in Dijon, France; one in Arvada, Colorado, US. A data replication has been set up between them.
Everything works fine when users try to connect to SQL Server 2008 R2 Dijon database.
BUT an error occurs when one of my users is trying to connect to SQL Server 2012 US database from a VB.Net application.
The error is :
"A connection was successfully established with the server, but then an error occurred during the login process (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)"
This error shows up only for one user. The others can connect without any issue. I have maybe a clue about this. We already encountered connection issues for him, because he belonged to many AD security groups.
Here is the connection string :
Data Source=server\instance;Initial Catalog=db;Integrated Security=SSPI;Connection Timeout=0;
We have the same issue for a US user trying to connect to the same server. But not when he tries to connect to Dijon. Do you have any clue that could help me resolving this issue please ?
I checked StackOverflow threads and other solutions from the web, but nothing helped me...
Refer following URLs
Troubleshooting: Connection Forcibly Closed
TCP Provider, error:
connection was forcibly closed
Follow these steps
First goto services and check whether 'SQL Server Browser' service is started, if not start the service.
Open SQL Server Configuration Manager
Goto Protocols for MSSQLSERVER
Enable all protocols
Goto SQL Native Client
Select Client Protocols and and Enable All
Restart the SQL Server services.
Use .. (.NET Framework Data Provider for SQL Server) as provider
Connectionstring
Data Source=server\instance;Initial Catalog=;Persist Security Info=True;User ID=;Password=;Network Library=dbmssocn
It was, as I expected, a problem of Kerberos authentication because my user has too many AD security groups...
The solution is explained here : Problems with Kerberos authentication when a user belongs to many groups and here MaxTokenSize and Windows 8 and Windows Server 2012
If the authorization data for a user attempting to authenticate is larger than the MaxTokenSize, then the authentication fails for that connection using that protocol.
On Windows 7 and Windows Server 2008R2 , the MaxTokenSize (the default buffer size for Kerberos) is 12k. Its size has been increased in Windows 8 and Windows Server 2012 to 48k. It wasn't enough for my case.
I had to add a key in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize (REG_DWORD type to the decimal value 65535).
Then I rebooted the server.
My user can now access data without error.
I'm having to support multiple database types for my tenant-enabled web application. Among others, I have successfully supported Microsoft's SQL Server, by using the net.sourceforge.jtds.jdbc.Driver class with a connection String like "jdbc:jtds:sqlserver://192.168.1.189:1433/ApplicationName". This works, but it requires that the user explicitly defines a user in the SQL Server instance and enables SQL Server authentication.
Now, inevitably, requirements changed, and we're supposed to support connecting to SQL Server via Windows Authentication. Evidently this requires some sort of change to the connection string, since the data base server must somehow be able to distinguish whether the credentials passed into the data base connection are for a user defined in the SQL Server installation or in the Windows OS. But what is it?
Acting on advice from the internet, if progressed as far as extending the connection string with ;useNTLMv2=true;domain=WORKGROUP. That seems to make the data base server aware that I want to authenticate as a Windows user, but the actual log-in fails with
The login is from an untrusted domain and cannot be used with Windows authentication. (code 18452, state 28000)
Now im my testing set-up, both the J2EE app and the SQL server instance are in fact on the same machine (although in production they may not be), and still this computer isn't trusted enough to log on to itself? Evidently I'm missing a big part of the puzzle here. What does one have to do to convince an SQL Server instance that the user who started it can in fact log on to it via JDBC?
Edit
Since we have already sunk too much unsuccessful effort trying to integrate our web application with a full Microsoft infrastructure stack (SQL Server, Active Directory, Domain Name Service...), I have to restrict this question:
Does anyone know a way to access an SQL Server installation with a user account defined as a "Windows User" via JDBC form a J2EE application, without having to use Active Directory, a Windows machine running the web application and a proprietary DLL? The bounty is for any solution of that sub-problem. The entire problem is clearly too broad to be answered in one forum post.
I ran into the error
The login is from an untrusted domain and cannot be used with Windows
authentication
when a 2012 SQL Server DB instance was recently upgraded to 2016. In order to use AD based authentication with the JTDS driver and SQL Server 2016, it seems necessary to specify both the useNTLMv2=true and the domain=example.com suffix in order to establish a connection. The name of the domain is absolutely necessary and I confirmed that through testing. This is with JTDS driver version 1.3.1.
Example of a working connection string using AD based authentication to SQL Server 2016 DB with JTDS 1.3.1:
jdbc:jtds:sqlserver://sqlserver2016db.example.com/MY_DB_NAME;domain=example.com;prepareSQL=2;useNTLMv2=true
UPDATE
Recently (due to the pandemic lockdown), I found myself also having to connect to SQL Server using Windows authentication from a non-domain computer (over VPN). This can be accomplished by starting the Windows process initiating the SQL Server connection, e.g. Eclipse / Spring Tool Suite, with the following command:
C:\Windows\System32\runas.exe /netonly /user:domain\user "path_to_executable.exe"
Source: https://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/
In discovering that gem, I also discovered that encryption needed to be used. Here are the settings I'm using (in addition to now running the executable with /netonly and a domain account):
spring.datasource.url=jdbc:jtds:sqlserver://fqdn_of_server_including_domain/DBNAME;domain=mydomain;useNTLMv2=true;ssl=require;prepareSQL=2;
spring.datasource.username=domainaccountname_without_domain_prefix
spring.datasource.password=password
spring.datasource.testOnBorrow=true
spring.datasource.hikari.connection-test-query=SELECT 1
spring.jpa.database-platform=org.hibernate.dialect.SQLServerDialect
What you describe certainly appears to be feasible. I have SQL Server 2008 R2 Express running on a stand-alone server and I was able to connect using a Windows username/password on that server via jTDS 1.3.1 from a separate Windows machine and from an Xubuntu 14.04 box.
On the machine running SQL Server I created a Windows user named 'kilian'. In SQL Server itself I created a SQL Login for NT AUTHORITY\Authenticated Users. Then in the database (named 'myDb') I created a User named 'AuthenticatedUsers' for that SQL Login. Just to keep things simple I gave that user db_owner rights on the database.
There is no SQL Login for 'kilian' and no database User with that name.
Then, from the other two machines (the Windows workstation and the Xubuntu box) I just ran this:
package com.example.jtdstest;
import java.sql.*;
public class JtdsTestMain {
public static void main(String[] args) {
try (Connection con = DriverManager.getConnection(
"jdbc:jtds:sqlserver://192.168.1.137:52865/myDb" +
";domain=whatever",
"kilian",
"4theBounty")) {
try (Statement s = con.createStatement()) {
String sql = "SELECT LastName FROM Clients WHERE ID=1";
try (ResultSet rs = s.executeQuery(sql)) {
rs.next();
System.out.println(rs.getString("LastName"));
}
}
} catch (Exception e) {
e.printStackTrace(System.out);
}
}
}
Additional notes:
I did not have to include useNTLMv2=true. I was able to connect with or without that parameter.
I did have to include domain= to tell the SQL Server not to use SQL authentication, but the actual value I supplied made no difference. (I literally used 'whatever', which was not the name of the server or the name of the workgroup to which it belongs.)
Alternative Method
The alternative solution is to utilize integrated security. This enables your application to connect to the database as the user in which the application is currently running as. This is enabled by adding integratedSecurity=true; into the connection string properties. If you run into any trouble, make sure the sqljdbc_auth.dll is accessible via classpath or within your app library.
Security Note
You're probably already aware, but just have to say make sure not to grant access to "Authenticated Users" to your database as previously suggested as part of the demonstration. Identify which user account your application runs as and grant access to only that specific user in your database server.
Sources / Additional Info
MSDN Doc on JDBC Connection String Configuration (http://technet.microsoft.com/en-us/library/ms378428(v=sql.110).aspx)
The main problem is the windows authentication with a full java solution (no DLL). So you could use one of the libs below:
NTLM authentication: http://ioplex.com/jespa.html
spring based Kerberos authentication: http://projects.spring.io/spring-security-kerberos/
another integrated windows auth lib is SPNEGO (don't know much about this one)
So once your app is authenticated with one of the lib above, your JDBC should run fine using "integratedSecurity=true;" and if needed "authenticationScheme=JavaKerberos".
Firstly you should write the jdbc connection like this:
String url ="jdbc:sqlserver://PC01\inst01;databaseName=DB01;integratedSecurity=true";
then
you need to enable the SQL Server TCP/IP Protocol in Sql Server Configuration Manager app. You can see the protocol in SQL Server Network Configuration.
I can see two possibilities,
1. You are using a local system account which the server won't understand
In this case, switch to a domain account.
Windows authentication has different credential requirements and you might not be meeting those.
In this case try changing the password to match the requirements.
It is very well possible that both are happening.
see this other SO post that describes how to connect to a SQL Server with Windows Authentication from a Linux machine through JDBC
This is my NiFi setup for jTDS driver:
Database Connection URL: jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name
I didn't need to add useNTLMv2=true, but most people need to, so if it doesn't work you can try also:
jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name;useNTLMv2=true
Database Driver Class Name: net.sourceforge.jtds.jdbc.Driver
Database User: domain_user_name (**without** #domain)
Password: domain_password
Validation query: select 1
One of the possible reasons for this error to appear is when you configure you data source to use windows authentication and SQL Server is using Extended Protection mode together with SSL (i'm not sure if SSL is required though). This mode requires the client to send additional information - signed service principal name (SPN) and channel binding token (CBT). See more information about Extended Protection Mode here. Currently both JTDS JDBC and Microsoft JDBC drivers do not support this mode. I couldn't find an official statement from JTDS, but there is an open ticket for Microsoft drivers.
In order to configure Extended Protection mode, go to SQL Server Configuration Manager, select properties on SQL Server Network Configuration -> Protocols for %your instance% and change Extended Protection option.
We have a .NET 3.5 Web Service (not WCF) running under IIS. It must use identity impersonate="true" and Integrated Windows authentication in order to authenticate to third-party software. In addition, it connects to a SQL Server database using ADO.NET and SQL Server Authentication (specifying a fixed User ID and Password in the connection string).
Everything worked fine until the database was moved from SQL Server A to SQL Server B. (Neither was the same as the web server.) Then the Web Service would throw the following exception:
A network-related or
instance-specific error occurred while
establishing a connection to SQL
Server. The server was not found or
was not accessible. Verify that the
instance name is correct and that SQL
Server is configured to allow remote
connections. (provider: Named Pipes
Provider, error: 40 - Could not open a
connection to SQL Server)
This error only occurs if identity impersonate is true in the Web.config.
Again, the connection string hasn't changed and it specifies the user. I have tested the connection string and it works, both under the impersonated account and under the service account (and from both the remote machine and the server).
What needs to be changed to get this to work with impersonation?
EDIT:
Remus Rusanu pointed us in the right direction. It came down to Kerberos - the SPNs weren't set up for the new server. See also asp.net via kerberos integrated windows authentication to sql server. Thank you!
When using impersonation and accessing a resource on a different host, delegation occurs (what the laymen call 'two hops'). Since delegation is restricted by default, authentication fails, unless constrained delegation is explicitly enabled.
But wait, you says, I use SQL Authentication and SQL authentication is not an NTLM/Kerberos 'resource'. True, says I, but you also use NAMED PIPES and named pipes are an NTLM/Kerberos resource, therefore delegation does occur.
See How to: Configure Client Protocols to make sure SQL Server is listening on TCP and Configuring Client Network Protocols for how to force the client to choose a specific protocol (ie. not try named pipe first). You can also force TCP by simply appending tcp: in front of the server name in the connection string.
are you using impersonation in the web service itself?
Impersonation in web services operates on a different layer than IIS does. To get from client to web service, you can have identity=impersonate off and get the user token from ServiceSecurityContext, even with Anonymous mode on.
To impersonate that token in the web service, get the WindowsCredential from ServiceSecurityContext and call the credential.Impersonate() method in a using statement, placing your connection to the database inside the using block.
public class HelloService : IHelloService
{
[OperationBehavior]
public string Hello(string message)
{
WindowsIdentity callerWindowsIdentity =
ServiceSecurityContext.Current.WindowsIdentity;
if (callerWindowsIdentity == null)
{
throw new InvalidOperationException
("The caller cannot be mapped to a WindowsIdentity");
}
using (callerWindowsIdentity.Impersonate())
{
// Access a file as the caller.
}
return "Hello";
}
}
Also, if you need another leg in the process (i.e. the back-end service is on another server), you will need to use Delegation to propagate the credentials. You may also do this declaratively. See this article for full details: http://msdn.microsoft.com/en-us/library/ms730088.aspx
Since it worked when the SQL Server was on the same box, it could be connected to transactions.
It may be that it is trying to use the the MSDTC, and the impersonated users are lacking some rights.
Another thing that you could try is to log on to the web server with a user that you are trying to impersonate, and see if you can then connect to the sql server.
If Delegation is your problem, see this article for enabling constrained delegation
http://msdn.microsoft.com/en-us/library/ms730088.aspx
go to the very bottom to see how to set up an account for constrained delegation. I know its a WCF article, but the process for setting up an account to use delegation should be the same.
for even more details, go here
http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx
Alternatively, have your SQL server enable TCP access and access it that way, as Remus explained.