Login failed. The login is from an untrusted domain and cannot be used with Windows authentication
Hi, we have had a new issue on our environment where until Saturday the SQL Server in question had no issues from either a single application connecting to its DB or a user connecting to the SQL Server via SQL Mgmt Studio.
Now we are getting the following errors
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed Error: 17806, Severity: 20, State: 14.
The following can/can't statements are correct:

• Users can log onto the server using domain credentials.
• Users can log into SQL Management Studio from the jump server using Windows/domain credentials.
• Users can log into SQL Management Studio from external servers using Windows/domain credentials.
• Using SQL Management Studio you can connect to another SQL Server using domain/Windows credentials from SQL Server X.
• Users can RDP from app server X to SQL Server Y using Windows/domain credentials.
• Users can telnet to port 1433 on the server from application server Y.

• The application can't now connect to the DB/instance on the server from app server Y.
• On the application server, a user can't connect via an ODBC connection to SQL Server using domain credentials.
• A user can't connect in from another SQL Server using SQL Mgmt Studio, but can connect out to another SQL Server, whereas before they could.

This has changed overnight, and as we can connect in from elsewhere it's strange that we can't connect to the SQL Server more locally.
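The server-side symptom in the post is the pair of errorlog lines SQL Server writes for error 17806 (the "Error: 17806, Severity: 20, State: 14." line followed by the "SSPI handshake failed with error code 0x8009030c ..." line). When this starts overnight, the quickest triage is to pull those pairs out of the errorlog, attach the SSPI code and client address, and see whether the failures cluster on one client or one code. The following is an added example and not code from the issue or from the tedious project: it parses constructed errorlog lines (timestamps and client addresses are placeholders I made up, not values from the thread) into structured events, maps the SSPI code to its SECURITY_STATUS name for the few codes listed, and flags clients that exceed a failure threshold.

```javascript
// Added example: parse SQL Server errorlog "Logon" lines for 17806 / SSPI
// handshake failures and flag clients with repeated failures.
// The sample lines are constructed for this example; timestamps and
// [CLIENT: ...] addresses are placeholders, not data from the issue.
const SAMPLE_ERRORLOG = [
  "2024-03-09 08:00:01.10 Logon       Error: 17806, Severity: 20, State: 14.",
  "2024-03-09 08:00:01.10 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed  [CLIENT: 10.0.0.21]",
  "2024-03-09 08:00:02.33 Logon       Error: 17806, Severity: 20, State: 14.",
  "2024-03-09 08:00:02.33 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed  [CLIENT: 10.0.0.21]",
  "2024-03-09 08:05:00.00 Logon       Login succeeded for user 'COMPANY\\svc_app'. Connection made using Windows authentication. [CLIENT: 10.0.0.22]",
  "2024-03-09 08:06:14.70 Logon       Error: 18456, Severity: 14, State: 8.",
  "2024-03-09 08:06:14.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
];

// First line of each pair: "<timestamp> Logon  Error: N, Severity: S, State: T."
const ERROR_RE = /^(\S+ \S+)\s+Logon\s+Error: (\d+), Severity: (\d+), State: (\d+)\./;
// Second line of a 17806 pair: SSPI code, SSPI state, reason and client address.
const SSPI_RE = /SSPI handshake failed with error code (0x[0-9a-fA-F]+), state (\d+).*?Reason: ([^.]+)\..*?\[CLIENT: ([^\]]+)\]/;

// SECURITY_STATUS names for the SSPI codes most often seen with 17806.
const SSPI_CODES = {
  "0x8009030c": "SEC_E_LOGON_DENIED",
  "0x80090308": "SEC_E_INVALID_TOKEN",
  "0x80090311": "SEC_E_NO_AUTHENTICATING_AUTHORITY",
};

function describeSspiCode(code) {
  return SSPI_CODES[code.toLowerCase()] || "unknown SSPI code";
}

// Walk the log once, pairing every "Error: N" line with the descriptive line
// that follows it. Only 17806 has the SSPI detail line, so other errors
// (e.g. 18456) are kept as events without sspiCode/client.
function parseLogonEvents(lines) {
  const events = [];
  let pending = null;
  for (const line of lines) {
    const e = ERROR_RE.exec(line);
    if (e) {
      pending = {
        time: e[1],
        error: Number(e[2]),
        severity: Number(e[3]),
        state: Number(e[4]),
        sspiCode: null,
        sspiState: null,
        reason: null,
        client: null,
      };
      events.push(pending);
      continue;
    }
    const s = SSPI_RE.exec(line);
    if (s && pending && pending.error === 17806 && pending.sspiCode === null) {
      pending.sspiCode = s[1].toLowerCase();
      pending.sspiState = Number(s[2]);
      pending.reason = s[3];
      pending.client = s[4];
      pending = null; // pair consumed
    }
  }
  return events;
}

// Count 17806 events per client and return the clients at or above threshold.
function findSspiBursts(events, threshold) {
  const byClient = new Map();
  for (const ev of events) {
    if (ev.error !== 17806) continue;
    const key = ev.client || "unknown";
    byClient.set(key, (byClient.get(key) || 0) + 1);
  }
  return [...byClient.entries()]
    .filter(([, count]) => count >= threshold)
    .map(([client]) => client);
}

const events = parseLogonEvents(SAMPLE_ERRORLOG);
for (const ev of events.filter((e) => e.error === 17806)) {
  console.log(`${ev.time} client=${ev.client} ${ev.sspiCode} (${describeSspiCode(ev.sspiCode)}) state=${ev.state}`);
}
console.log("clients with repeated SSPI failures:", findSspiBursts(events, 2));
```

The output tells you at a glance whether the failures come from one application host (as in the post, where only the more local app server is affected) or from everywhere, which is the first branch in deciding whether the change was on the SQL Server, on the client host, or in the domain.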
If you're unable to connect to your server even with SQL Management Studio, then this sounds like it might be a SQL Server-specific issue, and not tedious.
Ian, the confusing thing is we 'can' log in to the server via SQL Mgmt Studio from elsewhere, just not within the same domain. We can also log in to other SQL Servers from the SQL Server in question, hinting that the domain connectivity is fine.
Can you show your config that you use for tedious and the error stack trace?
```typescript
import { Connection, Request, TYPES } from "tedious";

const config = {
  server: "server01-tst.company.net",
  domain: "COMPANY",
  options: {
    database: "my_test",
    port: 50001,
    trustServerCertificate: true,
  },
  authentication: {
    type: "ntlm",
    options: {
      userName: "myuser",
      password: "*****************",
      domain: "COMPANY",
    },
  },
};

console.log("Testing");
const connection = new Connection(config);
connection.on("connect", function (err) {
  // Fires once the login attempt completes; err is set when the login failed.
  // err must be checked before issuing any Request, otherwise execSql is
  // called in the wrong state and throws EINVALIDSTATE on top of ELOGIN.
  console.log("Error: " + err);
});
// Not in the snippet as posted: tedious starts the handshake only after an
// explicit connect() call.
connection.connect();
```
Gives error:
```text
❯ npx ts-node scripts/remove_user_mfa.ts
Testing
Error: Error: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
RequestError: Requests can only be made in the LoggedIn state, not the SentLogin7WithNTLMLogin state
    at Connection.makeRequest (/home/myuser/projects/myctl/node_modules/tedious/src/connection.ts:3104:24)
    at Connection.execSql (/home/myuser/projects/myctl/node_modules/tedious/src/connection.ts:2637:10)
    at selectBuckets (/home/myuser/projects/myctl/scripts/remove_user_mfa.ts:80:14)
    at Connection.<anonymous> (/home/myuser/projects/myctl/scripts/remove_user_mfa.ts:29:3)
    at Connection.emit (node:events:529:35)
    at Connection.emit (node:domain:489:12)
    at Connection.emit (/home/myuser/projects/myctl/node_modules/tedious/src/connection.ts:1902:18)
    at /home/myuser/projects/myctl/node_modules/tedious/src/connection.ts:3474:20
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'EINVALIDSTATE'
}
Error connecting to database: ConnectionError: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
    at Login7TokenHandler.onErrorMessage (/home/myuser/projects/myctl/node_modules/tedious/src/token/handler.ts:268:19)
    at Readable.<anonymous> (/home/myuser/projects/myctl/node_modules/tedious/src/token/token-stream-parser.ts:22:55)
    at Readable.emit (node:events:517:28)
    at Readable.emit (node:domain:489:12)
    at addChunk (node:internal/streams/readable:335:12)
    at readableAddChunk (node:internal/streams/readable:308:9)
    at Readable.push (node:internal/streams/readable:245:10)
    at next (node:internal/streams/from:98:31)
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'ELOGIN'
}
Connection closed
```
Hi @4integration, not sure if you are on Node 17 or newer; if so, this may help you. You can try "specifying the --openssl-legacy-provider to the node executable" and see if that helps.
@MichaelSun90 thanks, but it does not work:
```text
$ npx --openssl-legacy-provider ts-node scripts/test2.ts && echo $NODE_OPTIONS
ConnectionError: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
    at Login7TokenHandler.onErrorMessage (/home/myuser/projects/myctl/node_modules/tedious/src/token/handler.ts:268:19)
    at Readable.<anonymous> (/home/myuser/projects/myctl/node_modules/tedious/src/token/token-stream-parser.ts:22:55)
    at Readable.emit (node:events:518:28)
    at Readable.emit (node:domain:488:12)
    at addChunk (node:internal/streams/readable:559:12)
    at readableAddChunkPushObjectMode (node:internal/streams/readable:536:3)
    at Readable.push (node:internal/streams/readable:391:5)
    at nextAsync (node:internal/streams/from:194:22)
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'ELOGIN'
}
ConnectionError: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
    at Login7TokenHandler.onErrorMessage (/home/myuser/projects/myctl/node_modules/tedious/src/token/handler.ts:268:19)
    at Readable.<anonymous> (/home/myuser/projects/myctl/node_modules/tedious/src/token/token-stream-parser.ts:22:55)
    at Readable.emit (node:events:518:28)
    at Readable.emit (node:domain:488:12)
    at addChunk (node:internal/streams/readable:559:12)
    at readableAddChunkPushObjectMode (node:internal/streams/readable:536:3)
    at Readable.push (node:internal/streams/readable:391:5)
    at nextAsync (node:internal/streams/from:194:22)
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'ELOGIN'
}
--openssl-legacy-provider
```
Hi @4integration, thanks for giving it a try. We are also looking into this and will get back to you when there is an update.