[BUG] MSI authentication fails due to expiry date format mismatch
Driver version
7.4.1
Client details
Running on an Azure App Server Java 11 / Linux instance in the UK west region
OS: Alpine 3.8 Docker container
JVM: OpenJDK Runtime Environment 19.1-(Zulu-11.29+3-linux-musl-x64)-Microsoft-Azure-restricted (build 11.0.2+7-LTS)
Problem description
- Configure an App Services resource (Java 11 in “UK West” region) and Azure SQL DB for authentication using MSI, following instructions here
- Deploy code that attempts MSI authentication, e.g.:
    //...
    public static void main(String[] args) throws Exception {
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName("my-db-instance.database.windows.net");
        ds.setDatabaseName("my-db-name");
        ds.setAuthentication("ActiveDirectoryMSI");
        Connection connection = ds.getConnection();
    }
    //...
- The connection fails, with an opaque “MSI Token failure: Failed to acquire token from MSI Endpoint” error.
Unfortunately there’s no stack trace or log output that shows the underlying problem (even at java.util.logging.Level.ALL), but by retrying with a patched version of the driver with extra logging I was able to narrow the issue down to SQLServerConnection.java:4376 which throws a java.text.ParseException when attempting to parse the token expiry timestamp. The driver implementation is looking for a 12hr time format - “M/d/yyyy h:mm:ss a X”, but the MSI API server (for my App Service instance in UK West at least) is returning a 24hr format, e.g. "08/30/2019 01:08:02 +00:00".
It’s not clear to me whether the issue is with the MSI server (possibly just in some regions?) or the driver. Even if the issue is with the MSI server (in which case I’d appreciate advice on how to raise such an issue), I’d suggest it’s probably a bug that the relevant exception details are swallowed by the driver without any logging. I’ve attached the full log traces from the unmodified 7.4.1 driver from the start of the MSI request so you can see what I mean. output-trimmed.log
All best, Joe
Issue Analytics
- Created 4 years ago
- Comments:18 (11 by maintainers)
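The format mismatch reported above, reproduced as an added example (not code from the issue or from the driver): it parses the expiry value with the 12-hour pattern the issue quotes, falls back to a 24-hour pattern, and keeps the ParseException detail instead of discarding it. The class name `MsiExpiryParse`, the helper `parseExpiry`, the 24-hour pattern and the 12-hour sample value are assumptions made for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;

public class MsiExpiryParse {
    private static final Logger LOG = Logger.getLogger(MsiExpiryParse.class.getName());

    // The first pattern is the one the issue quotes from the driver. The second
    // (24-hour clock, no AM/PM marker) is an assumption inferred from the sample value.
    private static final String[] PATTERNS = {
        "M/d/yyyy h:mm:ss a X",
        "M/d/yyyy H:mm:ss X"
    };

    // Hypothetical helper: try each known pattern, record every failure, and
    // rethrow the last ParseException so the caller never sees a bare "token failure".
    static Date parseExpiry(String expiresOn) throws ParseException {
        ParseException last = null;
        for (String pattern : PATTERNS) {
            try {
                // SimpleDateFormat is not thread-safe, so build one per call.
                return new SimpleDateFormat(pattern, Locale.US).parse(expiresOn);
            } catch (ParseException e) {
                LOG.log(Level.FINE, "expiry did not match \"" + pattern
                        + "\" at offset " + e.getErrorOffset(), e);
                last = e;
            }
        }
        throw last;
    }

    public static void main(String[] args) {
        String fromIssue = "08/30/2019 01:08:02 +00:00";   // value quoted in the issue
        String twelveHour = "8/30/2019 1:08:02 AM +00:00"; // constructed sample
        String garbage = "not-a-timestamp";                // constructed sample
        for (String value : new String[] {fromIssue, twelveHour, garbage}) {
            try {
                System.out.println(value + " -> " + parseExpiry(value).toInstant());
            } catch (ParseException e) {
                System.out.println(value + " -> rejected: " + e.getMessage()
                        + " (offset " + e.getErrorOffset() + ")");
            }
        }
    }
}
```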
Top GitHub Comments
The next stable release is targeted to be released by end of this July.
It’s too bad I only found this issue after a long day of troubleshooting my first Docker/Tomcat app service deployment with JDBC connection (West-Europe). Initially I thought my configuration was wrong, until I found out that the service actually returned a valid token. The hardest part was figuring out what went wrong due to the absence of a stacktrace. I eventually compiled my own driver version which did log a stacktrace to find the exact same problem.
I’m happy to read that a solution is on its way. Meanwhile, I can use my own patched driver.