AD authentication not working (kubernetes) #876

Open
JFD01 opened this issue Apr 26, 2024 · 6 comments

JFD01 commented Apr 26, 2024

Hello,

Versions tested : 2019-latest and 2022-latest (rhel).

AD login creation works using 'sa' connection.
But I can't get AD authentication to work, I have this error message :

Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. (Microsoft SQL Server, Error : 18452)
SSPI handshake failed with error code 0x8009030e, state 14 while establishing a connection with integrated security the connection has been closed. Reason : AcceptSecurityContext failed. The operating system error code indicates the cause of failure. No credentials are available in the security package.

The connection is tried remotely from SSMS 17 (Management Studio) using AD account.

PAL log from kubernetes container :

04/26/2024 08:05:06.266383154 Debug [security.kerberos] <0000008449/0x00000524> Processing SSPI operation 0x00000002
04/26/2024 08:05:06.267669624 Error [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 458752 GSS MINOR: 100001 Error from accept_sec_context
04/26/2024 08:05:06.267685207 Error [security.kerberos] <0000008449/0x00000524> No credentials were supplied, or the credentials were unavailable or inaccessible
04/26/2024 08:05:06.267690889 Error [security.kerberos] <0000008449/0x00000524> SPNEGO cannot find mechanisms to negotiate
04/26/2024 08:05:06.267752081 Info [security.kerberos] <0000008449/0x00000524> Created temporary ccache [MEMORY:I8Ze7mj] for principal [[email protected]].
04/26/2024 08:05:06.267761163 Warning [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 17235968 GSS MINOR: 0 Error in StoreGssCredential in AutoCCache's constructor
04/26/2024 08:05:06.267766506 Warning [security.kerberos] <0000008449/0x00000524> A required input parameter could not be read
04/26/2024 08:05:06.267770795 Warning [security.kerberos] <0000008449/0x00000524> No credentials were supplied, or the credentials were unavailable or inaccessible
04/26/2024 08:05:06.267774823 Warning [security.kerberos] <0000008449/0x00000524> Unknown error
04/26/2024 08:05:06.267782833 Info [security.kerberos] <0000008449/0x00000524> Created temporary ccache [MEMORY:8OBihpF] for principal [[email protected]].
04/26/2024 08:05:06.267876465 Error [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 458752 GSS MINOR: 39756044 Error in GetDefaultGssCredential in AutoCCache copy constructor
04/26/2024 08:05:06.267881901 Error [security.kerberos] <0000008449/0x00000524> No credentials were supplied, or the credentials were unavailable or inaccessible
04/26/2024 08:05:06.267886360 Error [security.kerberos] <0000008449/0x00000524> Credential cache is empty
04/26/2024 08:05:06.267890354 Error [security.kerberos] <0000008449/0x00000524> Failed to allocate memory for new ccache or could not duplicate ccache in KrbCredentialCacheManager::StoreCred
04/26/2024 08:05:06.267895965 Debug [security.kerberos] <0000008449/0x00000524> Authentication protocol via GSSAPI is complete, now attempting to lookup identity of initiator
04/26/2024 08:05:06.267900064 Error [security.kerberos] <0000008449/0x00000524> Invalid parameters passed to GetIdentityForContext
04/26/2024 08:05:06.267904179 Error [security.kerberos] <0000008449/0x00000524> Error in AcceptSecurityContext: Failed to lookup identity of initiator
04/26/2024 08:05:06.267911411 Debug [security.kerberos] <0000008449/0x00000524> SSPI operation 0x00000002 returned status: [Status: 0x0 Success errno = 0x0(0) Success]
04/26/2024 08:05:06.267961529 Debug [security.kerberos.libos] <0000008558/0x0000061c> AcceptSecurityContext() return value: 0x8009030e

Did anyone experience this ?
Any help would be greatly appreciated ...
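Added example (not part of the original issue, and not code from the SQL Server project): the `GSS MAJOR` numbers in the PAL log above are packed GSS-API status words, and decoding them with the RFC 2744 bit layout shows which failure each line reports. The function names are this example's own; the minor codes are mechanism-specific and are passed through undecoded.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary flags in bits 0-15.
CALLING = ["CALL_INACCESSIBLE_READ", "CALL_INACCESSIBLE_WRITE", "CALL_BAD_STRUCTURE"]
ROUTINE = ["BAD_MECH", "BAD_NAME", "BAD_NAMETYPE", "BAD_BINDINGS", "BAD_STATUS",
           "BAD_MIC", "NO_CRED", "NO_CONTEXT", "DEFECTIVE_TOKEN",
           "DEFECTIVE_CREDENTIAL", "CREDENTIALS_EXPIRED", "CONTEXT_EXPIRED",
           "FAILURE", "BAD_QOP", "UNAUTHORIZED", "UNAVAILABLE",
           "DUPLICATE_ELEMENT", "NAME_NOT_MN"]
SUPPLEMENTARY = ["CONTINUE_NEEDED", "DUPLICATE_TOKEN", "OLD_TOKEN",
                 "UNSEQ_TOKEN", "GAP_TOKEN"]

GSS_LINE = re.compile(
    r"^\S+ \S+ (?P<level>\w+) \[(?P<component>[\w.]+)\] <[^>]+> "
    r"GSS MAJOR: (?P<major>\d+) GSS MINOR: (?P<minor>\d+) (?P<where>.*)$")

def _name(table, code, kind):
    if 1 <= code <= len(table):
        return "GSS_S_" + table[code - 1]
    return f"unknown {kind} error {code}"

def decode_major(major):
    """Split a GSS major status into its symbolic components."""
    names = []
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    if calling:
        names.append(_name(CALLING, calling, "calling"))
    if routine:
        names.append(_name(ROUTINE, routine, "routine"))
    names += ["GSS_S_" + s for bit, s in enumerate(SUPPLEMENTARY) if major & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

def gss_failures(log_text):
    """Return (level, decoded major, minor, location) for each GSS status line."""
    rows = []
    for line in log_text.splitlines():
        m = GSS_LINE.match(line.strip())
        if m:
            rows.append((m["level"], decode_major(int(m["major"])),
                         int(m["minor"]), m["where"]))
    return rows

# Three status lines copied from the PAL log in the issue above.
SAMPLE = """
04/26/2024 08:05:06.267669624 Error [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 458752 GSS MINOR: 100001 Error from accept_sec_context
04/26/2024 08:05:06.267761163 Warning [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 17235968 GSS MINOR: 0 Error in StoreGssCredential in AutoCCache's constructor
04/26/2024 08:05:06.267876465 Error [security.kerberos] <0000008449/0x00000524> GSS MAJOR: 458752 GSS MINOR: 39756044 Error in GetDefaultGssCredential in AutoCCache copy constructor
"""
```

Both distinct major values carry routine error 7 (`GSS_S_NO_CRED`), which matches the "No credentials were supplied" text the log prints beneath them; the warning additionally sets the calling error for an unreadable input parameter.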

JFD01 commented Apr 26, 2024

keytab works from container host, encryption used : aes128 & aes256

@JFD01 JFD01 changed the title AD authentication not working AD authentication not working (kubernetes) Apr 29, 2024

tkammerlander commented Apr 30, 2024

Take a look at #871.
We had EXACTLY the same error message as you in the security.log file.
After downgrading the Image to C9 it just worked without any changes.
dude we had been debugging all the kerberos, ldap and all the reverse dns shit for weeks now :-)

JFD01 commented May 2, 2024

Thank you so much @tkammerlander !

I had a look at #871 about CU9 before opening this issue as I tested the CU9 rhel image (I'm used to testing with rhel images) and AD authentication still was not working ...

I just tested with ubuntu image of CU9 and AD authentication WORKS !!!

@tkammerlander

yeah so cool to have a working version after all.
we played around with the images a bit and it doesn't seem to be the SQL CU's bricking it but rather the os images. ubuntu 20.04 with a higher CU still works. maybe you can find a working rhel version too but yeah maybe an older rhel version.

@tkammerlander

did you get it to work with docker compose or directly with a docker run command? because we seem to have problems with getting it to work with docker compose (portainer) too.

thx, regards

tom

JFD01 commented May 2, 2024

I'm using kubernetes (statefulset yaml configuration)
