Kerberos authentication doesn't work with NuGet package 2.1.0 #825

Closed
mashbrno opened this issue Nov 28, 2020 · 15 comments

Comments

@mashbrno

Can't authenticate with SQL Server 2014 using new 2.1.0. Switching back to 1.1.3 works.

Exception:

Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database).
   at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
   at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
   at Microsoft.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
   at Microsoft.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
   at Microsoft.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

Image configuration:

FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-buster-slim AS base
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf && \
	sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf && \
	sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf && \
	sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf
@mashbrno mashbrno changed the title Kerberos authentication doesn't work with latest NuGet package 2.1.0 Kerberos authentication doesn't work with NuGet package 2.1.0 Nov 28, 2020
@karinazhou
Member

karinazhou commented Dec 1, 2020

Hi @mashbrno ,

Thank you for reporting this. We will look into this soon.
Have you tried with other SqlClient versions such as 2.0.0 and 2.0.1?
Are they working for you?
And is your server using TLSv1.0?

@mashbrno
Author

mashbrno commented Dec 1, 2020

Hi @karinazhou
yes, I'm using TLSv1.0. I've prepared repro sample https://gitlab.com/jan.zahradnik/sqlclient-sample
I've tested with 2.0.0 and 2.0.1 packages and it works. So it's regression in 2.1.0 package.

@galakt

galakt commented Dec 2, 2020

Same problem (Except using TLSv1.0), regression in 2.1.0

| image      | dotnet | SqlClient version | result    |
|------------|--------|-------------------|-----------|
| 3.1 bionic | 3.1    | 2.0.1             | Success   |
| 3.1 bionic | 3.1    | 2.1               | Exception |
| 5.0 focal  | 5.0    | 2.0.1             | Success   |
| 5.0 focal  | 5.0    | 2.1               | Exception |

@dimonstrik

+1, faced with that

@karinazhou
Member

@mashbrno Thank you for the sample app.
@galakt Thank you for the result table.
We will dig into this and update it later.

@karinazhou
Member

@mashbrno I tried with your sample app on my side but I got the "Server not found or not accessible" exception with SqlClient 2.0.1. I looked into launch.sh and executed the first line. It looks like the keytab file is missing in my docker container. Did I miss some configuration?

root@1f04b264eefd:/etc# user=`klist -k service.keytab | grep 1 | sed -n -e 's/^.* //p'`
klist: Key table file 'service.keytab' not found while starting keytab scan

@mashbrno
Author

mashbrno commented Dec 3, 2020

@karinazhou Of course I didn't share my Active Directory nor the whole SQL Server with it. Feel free to generate your own valid credentials with these commands:

printf "%b" "addent -password -p myUser@AD.DATA3S.COM -k 1 -e aes256-cts-hmac-sha1-96\npassword\nwrite_kt service.keytab" | ktutil

You will also need to modify krb5.conf to match your setup.

@karinazhou
Member

karinazhou commented Dec 3, 2020

@mashbrno When I went through the changes made in MDS v2.1.0, I found that we have changed the behavior for SPN generation. You can find the commit in PR#629. This is to add the default port 1433 to the server SPN when the port number is not provided in the connection string. The original issue is reported in #627. However, I can see you have 1433 in the connection string, so it may not be the cause.

How does it work if you provide tcp:hostname,port in the connection string?


@galakt @dimonstrik May I also know the connection string you used when it failed?

Thanks,

@mashbrno
Author

mashbrno commented Dec 4, 2020

Unfortunately changing connection string from

Server=dike4-ag.ad.data3s.com,1433;Integrated Security=true;Initial Catalog=DATA3S_CZ

to

Server=tcp:dike4-ag.ad.data3s.com,1433;Integrated Security=true;Initial Catalog=DATA3S_CZ

didn't make any change. Works with 2.0.1, fails with 2.1.0.
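To make the SPN discussion above concrete, here is an added example (not MDS's code, and not from anyone in this thread) that derives the SPN a client would request from a SqlClient connection string and checks it against a list of registered SPNs. It assumes the SQL Server convention MSSQLSvc/host:port (or MSSQLSvc/host:instance for a named instance) and the default-port-1433 behavior described in the comment about PR#629; the registered-SPN list below is constructed sample data.

```python
import re

# Default applied when the Data Source carries no explicit port (assumed to
# mirror the PR#629 behavior described in the thread; not MDS's own code).
DEFAULT_SQL_PORT = 1433


def parse_data_source(data_source: str):
    """Split a Server/Data Source value into (host, port, instance).

    Handles 'host', 'host,port', 'tcp:host,port' and 'host\\instance'.
    Protocol prefixes (tcp:, np:, lpc:) are dropped; they do not affect the SPN.
    """
    value = data_source.strip()
    value = re.sub(r"^(tcp|np|lpc):", "", value, flags=re.IGNORECASE)
    port = instance = None
    if "," in value:
        value, port_str = value.rsplit(",", 1)
        port = int(port_str.strip())
    if "\\" in value:
        value, instance = value.split("\\", 1)
    return value.strip(), port, instance


def expected_spn(data_source: str, service_class: str = "MSSQLSvc") -> str:
    """Build the SPN the client would ask the KDC for."""
    host, port, instance = parse_data_source(data_source)
    if instance and port is None:
        return f"{service_class}/{host}:{instance}"
    return f"{service_class}/{host}:{port or DEFAULT_SQL_PORT}"


def spn_from_connection_string(conn: str) -> str:
    """Locate the Server/Data Source key (and its synonyms) and derive the SPN."""
    kv = {}
    for part in conn.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            kv[key.strip().lower()] = val.strip()
    for key in ("server", "data source", "address", "addr", "network address"):
        if key in kv:
            return expected_spn(kv[key])
    raise ValueError("connection string has no Server/Data Source key")


def diagnose(conn: str, registered_spns) -> str:
    """Report whether the derived SPN exists among the SPNs registered in AD."""
    spn = spn_from_connection_string(conn)
    if spn.lower() in {s.lower() for s in registered_spns}:
        return f"OK: {spn} is registered"
    # An unregistered SPN is what the KDC reports as
    # "Server not found in Kerberos database".
    return f"MISSING: {spn} is not registered"
```

Feed `registered_spns` with the output of `setspn -L <account>` (or an LDAP query for servicePrincipalName) to compare what the client asks for with what the directory actually holds.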

@mashbrno
Author

mashbrno commented Dec 4, 2020

@karinazhou To isolate the issue even more: it was introduced between preview1 and preview2. Your PR#629 is before that.
My guess is src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlSecurityUtility.cs from #699, where aes256-cts was removed. This is exactly the cipher I use in my service.keytab.

@karinazhou
Member

@mashbrno Thank you so much for the information and it does help a lot to narrow down the issue 👍
And I can reproduce this in my testing Kerberos now which gives me the exact authentication error you got.
Let me add the code back and give it a try. I will keep you updated.

@karinazhou
Member

I have tested the #699 PR and it doesn't break the Kerberos behavior. After some tries between preview1 and preview2, it turns out to be #665 that introduced the issue. It was a big commit that touched over 200 files, so it will take some time to narrow down the root cause.

@karinazhou
Member

karinazhou commented Dec 11, 2020

@mashbrno Could you try this NuGet package to see if it fixes your issue? I tested it locally and it works for me.

Nuget.zip

@mashbrno
Author

@karinazhou I can confirm that your patch is working.

@cheenamalhotra
Member

Closing issue as v2.1.1 has been released with the patch.

gr-liam added a commit to gr-liam/AspNetCore.Diagnostics.HealthChecks that referenced this issue Jan 16, 2021
AdamHawkinsa pushed a commit to AdamHawkinsa/AspNetCore.Diagnostics.HealthChecks that referenced this issue Aug 26, 2022