
Cannot use Kerberos Authentication over a tunnel from Linux as SPN is being generated wrong (no ServerSPN override support)

Open twiggy opened this issue 6 months ago • 3 comments

  • Azure Data Studio Version: 1.49.1
  • OS Version: Linux krb5-user/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.4 amd64 [installed]

Steps to Reproduce:

  1. Use an SSH tunnel to connect to SQL Server, such as ssh -L 1433:SQL01.NOTREAL.NET:1433 user@mybastion. 1a. Note that SQL01.NOTREAL.NET might just be an IP address, since DNS resolution may not be possible.
  2. Connect to SQL Server from Azure Data Studio using Windows authentication.
  3. Set up krb5.conf, test via kinit, and use kvno to verify that your SQL SPN is all good to go. This is pretty involved so I will leave it out, but assume the SQL SPN is good.
  4. Add an entry to your hosts file so that SQL01.NOTREAL.NET
  5. Use KRB5_TRACE to get detailed output, e.g. KRB5_TRACE=./krb5_trace.log azuredatastudio --log trace --verbose
  6. Connect with a connection string such as Server=tcp:SQL01.NOTREAL.NET:1433;Trusted_Connection=True;TrustServerCertificate=True;ServerSpn=MSSQLSvc/[email protected]

It appears that in krb5_trace.log requests are made like: [631642] 1723839764.552605: Requesting tickets for MSSQLSvc/localhost:[email protected], referrals on

It seems like something is reversing the SQL01.NOTREAL.NET into localhost.

I've tried rdns=false in my krb5.conf, but it doesn't seem to do anything. It's possible that KRB5 is the one doing this. Since kvno works with kvno MSSQLSvc/sql01.notreal.net:1433, it makes me think it's not krb5...

This is all complicated when adding ports. I would think the easiest thing would be for Azure Data Studio to honor ServerSPN= on the connection string vs. trying to do a reverse DNS lookup, and not bother building the SPN, which could be off when not using 1433.

Of course I could be missing something on the connection string to make it all work. I've seen many examples for the JDBC driver using ServerSPN=, but not a lot for .NET, etc.

The error you get from Azure Data Studio is below, and it kind of leads you down the "SQL missing SPN" route; I'm thankful for KRB5_TRACE.

ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database).

Thank you for your time and effort.

Does this issue occur when all extensions are disabled?: Yes

twiggy avatar Aug 16 '24 20:08 twiggy
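A small diagnostic for the situation described in the issue: it pulls the SPN from each "Requesting tickets for" line in a KRB5_TRACE log and compares it with the ServerSpn value in the connection string, so the localhost substitution shows up as an explicit finding rather than as a misleading "Server not found in Kerberos database" error. This is an added example, not code from the issue or from Azure Data Studio; the realm NOTREAL.NET, the sample trace line and the sample connection string are constructed.

```python
import re

# Constructed sample of the KRB5_TRACE line quoted in the issue; the realm NOTREAL.NET is
# assumed, since the issue text has it obfuscated.
SAMPLE_TRACE = (
    "[631642] 1723839764.552605: Requesting tickets for "
    "MSSQLSvc/localhost:1433@NOTREAL.NET, referrals on\n"
)
# Constructed connection string in the shape of the one in the issue.
SAMPLE_CONNSTR = (
    "Server=tcp:SQL01.NOTREAL.NET:1433;Trusted_Connection=True;"
    "TrustServerCertificate=True;ServerSpn=MSSQLSvc/SQL01.NOTREAL.NET:1433@NOTREAL.NET"
)
SPN_RE = re.compile(r"Requesting tickets for (?P<spn>\S+?)(?:,|$)", re.MULTILINE)

def parse_connection_string(conn_str):
    """Split 'Key=Value;...' into a dict with lower-cased keys."""
    parts = {}
    for item in conn_str.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts

def split_spn(spn):
    """Normalise 'service/host:port@REALM' for a case-insensitive comparison."""
    principal, _, realm = spn.partition("@")
    service, _, hostport = principal.partition("/")
    host, _, port = hostport.partition(":")
    return service.lower(), host.lower(), port, realm.upper()

def check_spn_mismatch(trace_text, conn_str):
    """One finding per ticket request whose SPN differs from the ServerSpn the client asked for."""
    expected = parse_connection_string(conn_str).get("serverspn")
    findings = []
    for match in SPN_RE.finditer(trace_text):
        requested = match.group("spn")
        if expected is None:
            findings.append(f"no ServerSpn in connection string; client requested {requested}")
        elif split_spn(requested) != split_spn(expected):
            # A localhost/IP host here means the driver built the SPN from the tunnel
            # endpoint instead of honouring ServerSpn, which is what the issue describes.
            findings.append(f"requested {requested} but ServerSpn is {expected}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_spn_mismatch(SAMPLE_TRACE, SAMPLE_CONNSTR)) or "SPNs match")
```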