JDBC 9.2 fails to connect to Azure Data Explorer by ActiveDirectoryPassword


Driver version

9.2.0-jre8

SQL Server version

(Connect to Azure Data Explorer)

Client Operating System

Windows 10

JAVA/JVM version

java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

Table schema

N/A - not related to the issue

Problem description

We are using MSSQL JDBC to connect to ADX (Azure Data Explorer) by ActiveDirectoryPassword. It worked before using JDBC 8.4.0 + ADAL4J lib. Now JDBC 9.2.0 switches to the MSAL4J lib. But when we try to use JDBC 9.2.0 + MSAL4J lib to connect to ADX by ActiveDirectoryPassword using the same connection properties, it fails to connect.

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/api/tds/aad#jdbc-user

JDBC trace logs

com.microsoft.sqlserver.jdbc.SQLServerException: Failed to authenticate the user *****@*****.com in Active Directory (Authentication=ActiveDirectoryPassword).
	at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:227)
	at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthToken(SQLServerMSAL4JUtils.java:65)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:4524)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:4497)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:4460)
	at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:289)
	at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:125)
	at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:5332)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4068)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:85)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4006)
	at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7418)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3274)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2768)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2418)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2265)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1291)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:881)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:208)
	at jdbctest.AdxJdbc.main(AdxJdbc.java:27)
Caused by: java.util.concurrent.ExecutionException: java.lang.RuntimeException: AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
Trace ID: 36c42731-f7bb-4a18-bf80-f143241d3900
Correlation ID: 782a20a2-d5ba-49cb-b563-2896fd42ad4f
Timestamp: 2021-03-01 06:22:32Z
	at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:225)
	... 21 more
Caused by: java.lang.RuntimeException: AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
Trace ID: 36c42731-f7bb-4a18-bf80-f143241d3900
Correlation ID: 782a20a2-d5ba-49cb-b563-2896fd42ad4f
Timestamp: 2021-03-01 06:22:32Z
	at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:219)
	... 21 more

Reproduction code

package jdbctest;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class AdxJdbc {

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:sqlserver://*****.eastus.kusto.windows.net:1433;databaseName=*****";

        Properties props = new Properties();
        props.put("user", "*****@*****.com");
        props.put("password", "*****");
        props.put("authentication", "ActiveDirectoryPassword");    
        props.put("hostNameInCertificate", "*.kusto.windows.net");  
        props.put("encrypt", "true");

        try (Connection connection = DriverManager.getConnection(url, props)) {
            System.out.println("Connected successfully!");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

POM file:

<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>test</groupId>
  <artifactId>jdbc-adx</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>mssql-jdbc</artifactId>
      <version>9.2.0.jre8</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>msal4j</artifactId>
      <version>1.9.1</version>
    </dependency>
  </dependencies>
</project>

If we use MSSQL JDBC 8.4.0 with ADAL4J, then the above Java code can connect to the ADX successfully.

<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>test</groupId>
  <artifactId>jdbc-adal4j-adx</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>mssql-jdbc</artifactId>
      <version>8.4.0.jre8</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>adal4j</artifactId>
      <version>1.6.6</version>
    </dependency>
  </dependencies>
</project>

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 14 (6 by maintainers)

Top GitHub Comments

j2-z commented, Aug 26, 2021 (1 reaction)

Hi,

We recently added a workaround to control the authority to authenticate to. You can change the authority via the SQL connection string Language or application fields (depending on where and how each is available on the specific client – ADO.NET, ODBC, JDBC, etc.), for example:

Language=English@AadAuthority:YYYY
application=myappname@AadAuthority:YYYY

You can attempt this with the organizations keyword or with your specific tenant Id, and see if it helps. If it does, the change can later be applied as a default on the cluster.

It works now if I use the organizations keyword! Thanks! This now solves our problem.

props.put("applicationName", "myappname@AadAuthority:organizations");

I’m using JDBC with MSAL4J.

    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>mssql-jdbc</artifactId>
      <version>9.4.0.jre8</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>msal4j</artifactId>
      <version>1.11.0</version>
    </dependency>

venkis81 commented, Nov 1, 2021 (0 reactions)

@j2-z I am using one standalone Java file and trying to use AD authentication with password, and am facing the same issue. In that case, how do we set props.put("applicationName", "myappname@AadAuthority:organizations");
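
The workaround discussed in the thread, applied to a standalone Java program. This is an added example, not part of the original issue and not code from the driver project. The class name, helper names and `ADX_*` environment variable names are hypothetical, and the check that restricts the authority to `organizations` or a tenant ID is an assumption based on the AADSTS9001023 message in the trace above.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Pattern;

public class AdxJdbcWithAuthority {

    // Tenant IDs are GUIDs; "organizations" is the keyword used in the thread.
    private static final Pattern TENANT_ID = Pattern.compile(
            "[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}");

    /** Appends the @AadAuthority suffix from the thread to an application name. */
    static String withAuthority(String appName, String authority) {
        // AADSTS9001023 rejects this grant type on /common and /consumers,
        // so accept only "organizations" or a tenant-specific ID.
        if (!"organizations".equals(authority) && !TENANT_ID.matcher(authority).matches()) {
            throw new IllegalArgumentException("Unsupported authority: " + authority);
        }
        return appName + "@AadAuthority:" + authority;
    }

    /** Reads a required setting from the environment instead of hard-coding it. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    public static void main(String[] args) throws SQLException {
        // Hypothetical variable names; host is e.g. <cluster>.<region>.kusto.windows.net
        String url = "jdbc:sqlserver://" + requireEnv("ADX_CLUSTER_HOST")
                + ":1433;databaseName=" + requireEnv("ADX_DATABASE");
        String authority = System.getenv().getOrDefault("ADX_AAD_AUTHORITY", "organizations");

        Properties props = new Properties();
        props.put("user", requireEnv("ADX_USER"));
        props.put("password", requireEnv("ADX_PASSWORD"));
        props.put("authentication", "ActiveDirectoryPassword");
        props.put("hostNameInCertificate", "*.kusto.windows.net");
        props.put("encrypt", "true");
        props.put("applicationName", withAuthority("myappname", authority));

        try (Connection connection = DriverManager.getConnection(url, props)) {
            System.out.println("Connected successfully!");
        }
    }
}
```

Setting `ADX_AAD_AUTHORITY` to the tenant ID pins token requests to that tenant's endpoint rather than the multi-tenant `organizations` one; both options are the ones named in the thread.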
