I have a windows authentication user created on SQL server. I am trying to connect SQL server using that user, but I am getting java.sql.SQLException: The login is from an untrusted domain and cannot be used with Integrated authentication. error.
I am using jtds-1.3.jar. My connection url is jdbc:jtds:sqlserver://xyz.net:1433;instance=dev;databaseName=XYZ;integratedSecurity=true;useNTLMv2=true;domain=XYZ.net
I have checked the connection and traffic is allowed between my client machine and server. I tried setting intgratedSecurity= false as suggested in other answers but that did not work.
What properties of user should I check to know that user is correctly configured on SQL sever for JDBC connectivity?
Finally, got this connection working. It turns out the best way to connect to SQL server using jTDS driver is to create SQL server user avoid creating windows user. And stick to SQL server based user.
The message The login is from an untrusted domain and cannot be used with Integrated authentication can be misleading. For example you can get it by entering the right username with the wrong password.
Without knowing the exact configuration of your SQL server is difficult to say but I would try with a simpler connection string:
jdbc:jtds:sqlserver://xyz.net:1433;databaseName=XYZ
I don't use jTDS directly but the version embedded inside Aqua Data Studio and we don't use named instances but, anyway, I provide the configuration I use with freeTDS in a Linux box as an example of a simple configuration that works perfectly against an cluster instance of SQL Server 2014.
In /etc/freetds/freetds.conf:
[conn1]
host = host.dom.ain
port = 1433
tds version = 7.4
Query from the command line using tsql:
/usr/bin/tsql -S conn1 -U DOMAIN\\USER << SQL_DATA
SELECT getdate();
GO
QUIT
SQL_DATA
Password:
locale is "es_ES.utf8"
locale charset is "UTF-8"
using default charset "UTF-8"
1> 2>
11-11-2022 01:26
(1 row affected)
I searched through all threads on the web available, but none could help me.
I am trying to connect to SQL Server engine from SQL Developer. In order to do that I enabled Named Pipes and TCP/IP from SQL Configuration Manager.
Then I tried different drivers:
I tried Microsoft JDBC driver for SQL Server - I cannot choose in connection manager SQL Server database type, so it does not work..
I tried jTDS driver instead, and it worked - I can choose SQL Server database type, but then all I get is an error informing that it cannot connect to Microsoft SQL Server on localhost (I tried localhost, name of my computer, none of which worked).
Is there anything more I can do?
EDIT
This is what I have so far:
SECOND EDIT
I had more problems:
With error saying
Status: Failur-I/O Error: SSO Failed: Native SSPI library not loaded. Check the java.library.path system property
Using windows authentication, I still got asked for username and password.
(All details and solutions in my answer below)
We only support the jTDS driver for SQL Server and Sybase ASE connections, so that's the way to go.
After that, it's up to you to get a correct connection string to your SQL Server system.
Make sure you have the right port in addition to your 'localhost' network location for your SQL Server instance.
This is using version 19.1 of SQL Developer to connect to a SQL2012 instance overseas..
Actually there were more problems, which I'll post here along with solutions:
In order to ba able to connect SQL Server database type from SQL developer it is needed to install jTDS driver, as already mentioned. Other types are not supported by SQL Developer.
Next thing was to configure with SQL Configuration Manager (the easiest way IMO) SQL Server to listen on IP port 1433, not dynamic, as was previously set. In order to do that in configuration manager I had to go to SQL Server Network Configuration and make appropriate changes. More here.
Next I had problem:
Status: Failur-I/O Error: SSO Failed: Native SSPI library not loaded. Check the java.library.path system property
Which was the fault of missing file, solution was placing file ntlmauth.dll to the /jdk/bin in SQL Developer directory.
I chose Windows authentication, which apparently is not supported by jTDS, so I needed to create user in SQL Server, which I use to connect SQL Server from SQL Developer.
After all that, I had it working.
From Windows using SQL Server Management Studio (SSMS), I can only connect to a SQL Server on a different domain as follows:
C:\> runas /netonly /user:differentDomainName\aUserName "C:\Program Files (x86
)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe -S anIpAddress"
How can I accomplish this connection via JDBC? I've tried using the following connection string with Microsoft's sqljdbc 4.2 driver:
jdbc:sqlserver://anIpAddress:1433;database=MAIN;user=differentDomainName\\aUserName;password=pass
I receive the following error:
com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'differentDomainName\aUserName'
This is the same error that I receive if I start SSMS without using runas and typed differentDomainName\aUserName for Login name in the "Connect to Server" dialog box of SSMS 2012.
Additional Information: The JDBC connection will be established within a application running on Linux. So, running the application using runas is not an option unfortunately.
Another attempt:
I've also tried to use jTDS 1.3.1 with the following connection string:
jdbc:jtds:sqlserver://anIpAddress:1433;databaseName=MAIN;domain=differentDomainName;user=aUserName;password=pass
since aUserName is set up only for Windows authentication. Unfortunately, this produces the following exception:
o.a.tomcat.jdbc.pool.ConnectionPool : Unable to create initial connections of pool.
Followed by
java.sql.SQLException: I/O Error: DB server closed connection.
Permission information: I'm unable to modify anything on the SQL Server machine including any configuration within SQL Server. The "aUserName" account maps to a SQL Server read only Windows authentication only user.
When you connect with MS JDBC driver, you don't specify the password for the user (at least not in the connection string you provided). If your intention was to use integrated security, you should indicate this in the connection string, but then you process has to be authenticated already for differentDomainName\aUserName
Integrated security & JDBC:
https://msdn.microsoft.com/en-us/library/ms378428%28v=sql.110%29.aspx?f=255&MSPPError=-2147217396#Connectingintegrated
Since your plan is to access SQL server from linux, I doubt that you could make integrated security work for that scenario, so you should plan to provide the password in the connection string. I'm not sure if you can provide username/password for a domain user in the connection string (I think you can), but if you switch to a user with SQL server auth, it will certainly work. This should be a fallback option, as SQL server auth is less secure.
I would like to ask someone who already tried to connect to SQL database from soapUI opensource version.
I have a test step JDBC request where I try to test and connect to my sql database. I use opensource version of soapUI. I read how it should be set up but still experience some problems.
This is what I do:
I installed java 8 and jdbc driver version 4.1. Added jdbc jar file to SoapUi/jre/bin folder as it is said in documentation for soapUI. This version of driver should work with Java 8.
Then in Driver field I write
com.microsoft.sqlserver.jdbc.SQLServerDriver
In connection string:
jdbc:sqlserver://Sservername:portnumber;databaseName=Consumption;username=alyona.kovalyova;password=mypassword
I get error saying
Can't get the Connection for specified properties; com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'alyona.kovalyova'. ClientConnectionId...
I use my domain account because in our company the policy does not allow us to use database user. Because of this I tried to add integratedSecurity parameter to the string which should allow to login with windows account like this:
jdbc:sqlserver://S23-AS:1433;databaseName=Consumption;integratedSecurity=true
I also get error:
Can't get the Connection for specified properties; com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured for integrated authentication. ClientConnectionId..
Does anyone encountered the same issue before? Could you give some recommendation?
For integrated authentication to work you'll need sqljdbc_auth.dll matching your environment (32bit / 64bit) in your library path (putting it in bin as well might help already)
I'm having to support multiple database types for my tenant-enabled web application. Among others, I have successfully supported Microsoft's SQL Server, by using the net.sourceforge.jtds.jdbc.Driver class with a connection String like "jdbc:jtds:sqlserver://192.168.1.189:1433/ApplicationName". This works, but it requires that the user explicitly defines a user in the SQL Server instance and enables SQL Server authentication.
Now, inevitably, requirements changed, and we're supposed to support connecting to SQL Server via Windows Authentication. Evidently this requires some sort of change to the connection string, since the data base server must somehow be able to distinguish whether the credentials passed into the data base connection are for a user defined in the SQL Server installation or in the Windows OS. But what is it?
Acting on advice from the internet, if progressed as far as extending the connection string with ;useNTLMv2=true;domain=WORKGROUP. That seems to make the data base server aware that I want to authenticate as a Windows user, but the actual log-in fails with
The login is from an untrusted domain and cannot be used with Windows authentication. (code 18452, state 28000)
Now im my testing set-up, both the J2EE app and the SQL server instance are in fact on the same machine (although in production they may not be), and still this computer isn't trusted enough to log on to itself? Evidently I'm missing a big part of the puzzle here. What does one have to do to convince an SQL Server instance that the user who started it can in fact log on to it via JDBC?
Edit
Since we have already sunk too much unsuccessful effort trying to integrate our web application with a full Microsoft infrastructure stack (SQL Server, Active Directory, Domain Name Service...), I have to restrict this question:
Does anyone know a way to access an SQL Server installation with a user account defined as a "Windows User" via JDBC form a J2EE application, without having to use Active Directory, a Windows machine running the web application and a proprietary DLL? The bounty is for any solution of that sub-problem. The entire problem is clearly too broad to be answered in one forum post.
I ran into the error
The login is from an untrusted domain and cannot be used with Windows
authentication
when a 2012 SQL Server DB instance was recently upgraded to 2016. In order to use AD based authentication with the JTDS driver and SQL Server 2016, it seems necessary to specify both the useNTLMv2=true and the domain=example.com suffix in order to establish a connection. The name of the domain is absolutely necessary and I confirmed that through testing. This is with JTDS driver version 1.3.1.
Example of a working connection string using AD based authentication to SQL Server 2016 DB with JTDS 1.3.1:
jdbc:jtds:sqlserver://sqlserver2016db.example.com/MY_DB_NAME;domain=example.com;prepareSQL=2;useNTLMv2=true
UPDATE
Recently (due to the pandemic lockdown), I found myself also having to connect to SQL Server using Windows authentication from a non-domain computer (over VPN). This can be accomplished by starting the Windows process initiating the SQL Server connection, e.g. Eclipse / Spring Tool Suite, with the following command:
C:\Windows\System32\runas.exe /netonly /user:domain\user "path_to_executable.exe"
Source: https://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/
In discovering that gem, I also discovered that encryption needed to be used. Here are the settings I'm using (in addition to now running the executable with /netonly and a domain account):
spring.datasource.url=jdbc:jtds:sqlserver://fqdn_of_server_including_domain/DBNAME;domain=mydomain;useNTLMv2=true;ssl=require;prepareSQL=2;
spring.datasource.username=domainaccountname_without_domain_prefix
spring.datasource.password=password
spring.datasource.testOnBorrow=true
spring.datasource.hikari.connection-test-query=SELECT 1
spring.jpa.database-platform=org.hibernate.dialect.SQLServerDialect
What you describe certainly appears to be feasible. I have SQL Server 2008 R2 Express running on a stand-alone server and I was able to connect using a Windows username/password on that server via jTDS 1.3.1 from a separate Windows machine and from an Xubuntu 14.04 box.
On the machine running SQL Server I created a Windows user named 'kilian'. In SQL Server itself I created a SQL Login for NT AUTHORITY\Authenticated Users. Then in the database (named 'myDb') I created a User named 'AuthenticatedUsers' for that SQL Login. Just to keep things simple I gave that user db_owner rights on the database.
There is no SQL Login for 'kilian' and no database User with that name.
Then, from the other two machines (the Windows workstation and the Xubuntu box) I just ran this:
package com.example.jtdstest;
import java.sql.*;
public class JtdsTestMain {
public static void main(String[] args) {
try (Connection con = DriverManager.getConnection(
"jdbc:jtds:sqlserver://192.168.1.137:52865/myDb" +
";domain=whatever",
"kilian",
"4theBounty")) {
try (Statement s = con.createStatement()) {
String sql = "SELECT LastName FROM Clients WHERE ID=1";
try (ResultSet rs = s.executeQuery(sql)) {
rs.next();
System.out.println(rs.getString("LastName"));
}
}
} catch (Exception e) {
e.printStackTrace(System.out);
}
}
}
Additional notes:
I did not have to include useNTLMv2=true. I was able to connect with or without that parameter.
I did have to include domain= to tell the SQL Server not to use SQL authentication, but the actual value I supplied made no difference. (I literally used 'whatever', which was not the name of the server or the name of the workgroup to which it belongs.)
Alternative Method
The alternative solution is to utilize integrated security. This enables your application to connect to the database as the user in which the application is currently running as. This is enabled by adding integratedSecurity=true; into the connection string properties. If you run into any trouble, make sure the sqljdbc_auth.dll is accessible via classpath or within your app library.
Security Note
You're probably already aware, but just have to say make sure not to grant access to "Authenticated Users" to your database as previously suggested as part of the demonstration. Identify which user account your application runs as and grant access to only that specific user in your database server.
Sources / Additional Info
MSDN Doc on JDBC Connection String Configuration (http://technet.microsoft.com/en-us/library/ms378428(v=sql.110).aspx)
The main problem is the windows authentication with a full java solution (no DLL). So you could use one of the libs below:
NTLM authentication: http://ioplex.com/jespa.html
spring based Kerberos authentication: http://projects.spring.io/spring-security-kerberos/
another integrated windows auth lib is SPNEGO (don't know much about this one)
So once your app is authenticated with one of the lib above, your JDBC should run fine using "integratedSecurity=true;" and if needed "authenticationScheme=JavaKerberos".
Firstly you should write the jdbc connection like this:
String url ="jdbc:sqlserver://PC01\inst01;databaseName=DB01;integratedSecurity=true";
then
you need to enable the SQL Server TCP/IP Protocol in Sql Server Configuration Manager app. You can see the protocol in SQL Server Network Configuration.
I can see two possibilities,
1. You are using a local system account which the server won't understand
In this case, switch to a domain account.
Windows authentication has different credential requirements and you might not be meeting those.
In this case try changing the password to match the requirements.
It is very well possible that both are happening.
see this other SO post that describes how to connect to a SQL Server with Windows Authentication from a Linux machine through JDBC
This is my NiFi setup for jTDS driver:
Database Connection URL: jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name
I didn't need to add useNTLMv2=true, but most people need to, so if it doesn't work you can try also:
jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name;useNTLMv2=true
Database Driver Class Name: net.sourceforge.jtds.jdbc.Driver
Database User: domain_user_name (**without** #domain)
Password: domain_password
Validation query: select 1
One of the possible reasons for this error to appear is when you configure you data source to use windows authentication and SQL Server is using Extended Protection mode together with SSL (i'm not sure if SSL is required though). This mode requires the client to send additional information - signed service principal name (SPN) and channel binding token (CBT). See more information about Extended Protection Mode here. Currently both JTDS JDBC and Microsoft JDBC drivers do not support this mode. I couldn't find an official statement from JTDS, but there is an open ticket for Microsoft drivers.
In order to configure Extended Protection mode, go to SQL Server Configuration Manager, select properties on SQL Server Network Configuration -> Protocols for %your instance% and change Extended Protection option.