SQL server with PKINIT fails with login error when DB server and client CAs are different #48517

Closed
greedy52 opened this issue Nov 6, 2024 · 0 comments · Fixed by #48772
Labels: backport-required, bug, database-access, db/sqlserver, test-plan-problem

greedy52 commented Nov 6, 2024

Expected behavior:
Connection to SQL server like tsh db connect ec2amaz-xxxx --db-user Administrator --db-name master should succeed

Current behavior:

$ tsh db connect ec2amaz-xxxx --db-user Administrator --db-name master
mssql: login error: authentication failed
mssql: login error: authentication failed
ERROR: exit status 1

Bug details:

  • Teleport version: v17.0.0-alpha.2
  • Recreation steps
    • Ensure tctl auth export --type db and tctl auth export --type db-client are different. If not, rotate one of them.
    • Set up PKINIT SQL server using official guide or Invoke-webrequest -uri "https://<proxy-addr>/webapi/scripts/databases/configure/sqlserver/<db-token>/configure-ad.ps1?uri=<sql-server-domain>:1433" -outfile configureteleport.ps1
  • Debug logs:
2024-11-06T14:41:18Z ERRO             "Failed to authenticate with KDC: Password for Administrator@STEVEAD.DEV.AWS.STEVEXIN.ME: \nkinit: Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate while getting initial credentials\n" kinit/kinit.go:311