Fix | Don't validate server certificate when using Authentication option but not encrypting #2224
Conversation
…ion but not encrypting
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2224 +/- ##
==========================================
+ Coverage 68.46% 72.36% +3.90%
==========================================
Files 309 309
Lines 62181 62196 +15
==========================================
+ Hits 42570 45008 +2438
+ Misses 19611 17188 -2423
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
Could we have a unit test to cover this case if already there isn't one? |
The test ADIntegratedUsingSSPI (renamed in this PR from the inaccurate ADInteractiveUsingSSPI) was exercising this bad path in our Kerberos pipelines but the old ones are configured with TrustServerCertificate=true to avoid this issue. The new Kerberos pipeline wasn't using TrustServerCertificate=true, so it was hitting this issue. I added another test to specifically / force Authentication=SqlPassword and TrustServerCertificate=false to help ensure this doesn't regress in localhost pipelines. |
When using the authentication option (Authentication=SqlPassword or other value), the netfx code would try to validate the server certificate regardless of whether or not encryption was negotiated. This resulted in the requirement to set TrustServerCertificate=true, even if client and server encryption was off, in order for connections to succeed when the server doesn't have a public certificate provisioned. This also manifests in the same manner when using Authentication=ActiveDirectoryIntegrated. In a Kerberos flow, that option behaves like IntegratedSecurty=true.