Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Kerberos authentication doesn't work with NuGet package 2.1.0

See original GitHub issue

Can’t authenticate with SQL Server 2014 using new 2.1.0. Switching back to 1.1.3 works.

Exception:

Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database).
   at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
   at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
   at Microsoft.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
   at Microsoft.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
   at Microsoft.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

Image configuration:

FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-buster-slim AS base
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf && \
	sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf && \
	sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf && \
	sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf

Issue Analytics

State:
Created 3 years ago
Reactions:35
Comments:15 (8 by maintainers)

Top GitHub Comments

16reactions

galaktcommented, Dec 2, 2020

Same problem (Except using TLSv1.0), regression in 2.1.0

image	dotnet	SqlClient version	result
3.1 bionic	3.1	2.0.1	Success
3.1 bionic	3.1	2.1	Exception
5.0 focal	5.0	2.0.1	Success
5.0 focal	5.0	2.1	Exception

2reactions

mashbrnocommented, Dec 4, 2020

@karinazhou to izolate the issue even more it was introduced between preview1 and preview2. Your PR#629 is before that. My guess is src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlSecurityUtility.cs from #699 where aes256-cts was removed. This is exactly the cipher I use in my service.keytab.