question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] MSI authentication fails due to expiry date format mismatch

See original GitHub issue

Driver version

7.4.1

Client details

Running on an Azure App Server Java 11 / Linux instance in the UK west region OS: Alpine 3.8 Docker container JVM: OpenJDK Runtime Environment 19.1-(Zulu-11.29+3-linux-musl-x64)-Microsoft-Azure-restricted (build 11.0.2+7-LTS)

Problem description

  1. Configure an App Services resource (Java 11 in “UK West” region) and Azure SQL DB for authentication using MSI, following instructions here
  2. Deploy code that attempts MSI authentication, e.g.:
//...
public static void main(String[] args) throws Exception {
    SQLServerDataSource ds = new SQLServerDataSource();
    ds.setServerName("my-db-instance.database.windows.net");
    ds.setDatabaseName("my-db-name");
    ds.setAuthentication("ActiveDirectoryMSI");
    Connection connection = ds.getConnection(); 
}
//...
  1. The connection fails, with an opaque “MSI Token failure: Failed to acquire token from MSI Endpoint” error.

Unfortunately there’s no stack trace or log output that shows the underlying problem (even at java.util.logging.Level.ALL), but by retrying with a patched version of the driver with extra logging I was able to narrow the issue down to SQLServerConnection.java:4376 which throws a java.text.ParseException when attempting to parse the token expiry timestamp. The driver implementation is looking for a 12hr time format - “M/d/yyyy h:mm:ss a X”, but the MSI API server (for my App Service instance in UK West at least) is returning a 24hr format, e.g. "08/30/2019 01:08:02 +00:00".

It’s not clear to me whether the issue is with the MSI server (possibly just in some regions?) or the driver. Even if the issue is with the MSI server (in which case I’d appreciate advice on how to raise such an issue), I’d suggest it’s probably a bug that the relevant exception details are swallowed by the driver without any logging. I’ve attached the full log traces from the unmodified 7.4.1 driver from the start of the MSI request so you can see what I mean. output-trimmed.log

All best, Joe

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:18 (11 by maintainers)

github_iconTop GitHub Comments

1reaction
peterbaecommented, Jun 29, 2020

The next stable release is targeted to be released by end of this July.

1reaction
onetoncommented, Oct 9, 2019

It’s too bad I only find this issue after a long day of troubleshooting my first Docker/Tomcat app service deployment with JDBC connection (West-Europe). Initially I thought my configuration was wrong, until I found out that the service actually returned a valid token. The hardest part was figuring out what went wrong due to the absence of a stacktrace. I eventually compiled my own driver version which did log a stacktrace to find the exact same problem.

I’m happy to read that a solution is on its way. Meanwhile, I can use my own patched driver.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Windows Installer Error Messages (for Developers)
Message codes, message text, and remarks for Windows Installer error messages. Errors include ship errors, internal errors, ...
Read more >
Azure Blob Storage "Authorization Permission Mismatch" error ...
I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:....
Read more >
Windows RSCD Agent crashes upon port probing with error ...
When there is a monitor/process that probes the TSSA agent port, the probe will crash the agent on Windows servers.
Read more >
Known issues - Tachyon Platform 8.0 - Product Documentation
The error is seen if the TEMPORARYDIRECTORY MSI property for the 1E Client contains a non-ASCII value such as "c:\t€mp\acme€" and the directory...
Read more >
Collaboration Edge Most Common Issues - Cisco
Jabber Clients Are Prompted to Accept the Expressway-E Certificate During Login ... This error message can be related with the Expressway Edge ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found