SqlClient: Kerberos authentication doesn't work with NuGet package 2.1.0
Can’t authenticate with SQL Server 2014 using new 2.1.0. Switching back to 1.1.3 works.
Exception:
Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database).
at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
at Microsoft.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
at Microsoft.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
at Microsoft.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)
Image configuration:
FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-buster-slim AS base
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf && \
sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf && \
sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf && \
sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf
About this issue
- State: closed
- Created 4 years ago
- Reactions: 35
- Comments: 15 (8 by maintainers)
Commits related to this issue
- Upgrade Microsoft.Data.SqlClient to 2.1.1 Fixes #710 See also https://github.com/dotnet/SqlClient/issues/825 — committed to gr-liam/AspNetCore.Diagnostics.HealthChecks by gr-liam 3 years ago
- Upgrade Microsoft.Data.SqlClient to 2.1.1 Fixes #710 See also https://github.com/dotnet/SqlClient/issues/825 — committed to AdamHawkinsa/AspNetCore.Diagnostics.HealthChecks by gr-liam 3 years ago
Same problem (Except using TLSv1.0), regression in 2.1.0
@karinazhou to isolate the issue even more, it was introduced between preview1 and preview2. Your PR #629 is before that. My guess is src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlSecurityUtility.cs from #699 where aes256-cts was removed. This is exactly the cipher I use in myservice.keytab.
@karinazhou I can confirm that your patch is working.
@mashbrno Could you try this nuget package to see if it fixes your issue? I tested it locally and it works for me.
Nuget.zip
@karinazhou Of course I didn’t share my Active Directory nor the whole SQL server with it. Feel free to generate your valid credentials with these commands:
You will also need to modify krb5.conf to match your setup.
@mashbrno I tried with your sample app on my side but I got the Server not found or not accessible exception with SqlClient 2.0.1. I looked into the launch.sh and executed the first line. It looks like the key tab file is missing in my docker container. Did I miss some configuration?