runtime: Integrated authentication failing when attempting to connect to SQL Server from macOS Sierra

This issue was originally discussed here.

I'm following the Kerberos Setup Instructions. Steps 1 through 3 work perfectly. However, when attempting step 4, I get the following:

mssql: Failed to connect: Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.

[3:36:58 PM] Error connecting to server "[ServerName]". Details: Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error -  An unsupported mechanism was requested (unknown mech-code 0 for mech unknown).
   at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
   at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
   at System.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
   at System.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
   at System.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

Per @kevcunnane's request, I’m submitting an issue here.

The only other thing I’ve noticed since the other issue is that if I run the klist command without first running the kinit command, I have several other entries:

Credentials cache: API:ED70540F-329F-44FB-9C08-059260828BBB
        Principal: me@DOMAIN.COMPANY.COM

  Issued                Expires               Principal
Jul 19 22:31:24 2017  Jul 20 08:31:24 2017  krbtgt/DOMIAN.COMPANY.COM@DOMIAN.COMPANY.COM
Jul 19 22:31:41 2017  Jul 20 08:31:24 2017  host/COMPANYSERVER.DOMIAN.COMPANY.COM@DOMIAN.COMPANY.COM
Jul 19 22:31:41 2017  Jul 20 08:31:24 2017  HTTP/COMPANYSERVER.DOMIAN.COMPANY.COM@DOMIAN.COMPANY.COM

We do use the Jamf Casper Suite to manage our Macs, and I’m assuming that’s what those other entries are from.

Finally, I also set up a .NET Core console app to see if integrated security would run from there, following along the same lines as this issue, and I received the same exception as the one VS Code is giving me with the mssql extension.

macOS 10.12.5 dotnet 2.0.0-preview2-006497

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 3
  • Comments: 17

Most upvoted comments

@carlowahlstedt Could you confirm that you use a Fully Qualified Domain Name for the SQL Server SPN? The error is thrown from this part of the code (line 139):

https://github.com/dotnet/corefx/blob/dcc29528c9c4633e81b1937e7dd9fde7115a938c/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs#L122-L144
https://github.com/dotnet/corefx/blob/dcc29528c9c4633e81b1937e7dd9fde7115a938c/src/System.Net.Security/src/Resources/Strings.resx#L334-L336

  • status: An unsupported mechanism was requested
  • minorStatus: unknown mech-code 0 for mech unknown

We need to get information from the System.Net.Security team about the conditions under which we get that status / minorStatus message.
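
The two checks raised in this thread (is a ticket-granting ticket in the cache, and is the server named by its fully qualified domain name) can be run against `klist` output before retrying the connection. The following is an added example, not code from the issue or from the corefx project. It assumes the usual `MSSQLSvc/<fqdn>:<port>` SPN form for a default SQL Server instance, and the server names, realm and `klist` text are constructed.

```python
import re

# Constructed sample in the Heimdal `klist` layout shown in the issue (not real output).
SAMPLE_KLIST = """\
Credentials cache: API:00000000-0000-0000-0000-000000000000
        Principal: user@EXAMPLE.COM

  Issued                Expires               Principal
Jul 19 22:31:24 2017  Jul 20 08:31:24 2017  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 19 22:31:41 2017  Jul 20 08:31:24 2017  HTTP/web01.example.com@EXAMPLE.COM
"""

# Two "Mon DD HH:MM:SS YYYY" timestamps followed by the service principal.
TICKET_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\d{4}\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4}\s+(\S+)$")

def parse_klist(text):
    """Return (default principal, list of cached service principals)."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append(m.group(1))
    return principal, tickets

def expected_spn(server, port=1433):
    """Assumed SPN form for a default instance: MSSQLSvc/<fqdn>:<port>."""
    return f"MSSQLSvc/{server}:{port}"

def check(server, klist_text, port=1433):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    principal, tickets = parse_klist(klist_text)
    if principal is None or "@" not in principal:
        return ["no default principal in cache: run kinit"]
    realm = principal.rsplit("@", 1)[1]
    findings = []
    if "." not in server.strip("."):
        findings.append(f"server '{server}' is not a fully qualified domain name")
    if f"krbtgt/{realm}@{realm}" not in tickets:
        findings.append(f"no TGT for realm {realm}: run kinit")
    # A service ticket only appears after a connection attempt, so this is informational.
    spn = expected_spn(server, port)
    if f"{spn}@{realm}".lower() not in (t.lower() for t in tickets):
        findings.append(f"no cached service ticket for {spn}")
    return findings
```
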