Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use DB Client CA when connecting to SQL Server using PKINIT #48772

Merged
merged 3 commits into from
Nov 13, 2024
Merged

Use DB Client CA when connecting to SQL Server using PKINIT #48772

merged 3 commits into from
Nov 13, 2024

Conversation

gabrielcorado
Copy link
Contributor

Closes #48517

Brief overview: For the SQL Server with PKINIT, we use the kinit CLI to authenticate with Kerberos. To use this CLI, we need to generate the user certificates (DB Client CA) and add the LDAP cert to the anchors file so it can trust the AD/KDC certificates.

This issue is related to kinit not trusting our certificates as we're using the DB Server CA (instead of DB Client, which was used to generate the connection certificates). This causes kinit to fail while verifying our certificates.

Note: This solution isn't ideal (as we're adding a new exception for the GenerateDatabaseCert). However, given this function will be replaced with GenerateDatabaseClientCert and GenerateDatabaseHostCert (as per RFD 0168), we can bring this into the discussion when introducing these new RPC calls so it can be solved without having those protocol-specific exceptions.

changelog: Fixed users not being able to connect to SQL server instances with PKINIT integration when the cluster is configured with different CAs for database access.

@gabrielcorado gabrielcorado self-assigned this Nov 11, 2024
greedy52
greedy52 approved these changes Nov 12, 2024
View reviewed changes
Copy link
Contributor

@greedy52 greedy52 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the quick fix!

@gabrielcorado gabrielcorado added this pull request to the merge queue Nov 13, 2024
Merged via the queue into master with commit 78ec462 Nov 13, 2024
39 checks passed
@gabrielcorado gabrielcorado deleted the gabrielcorado/fix-sqlserver-pkinit-wrong-ca branch November 13, 2024 18:06
@public-teleport-github-review-bot
Copy link

@gabrielcorado See the table below for backport results.

Branch Result
branch/v15 Create PR
branch/v16 Create PR
branch/v17 Create PR

This was referenced Nov 13, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@strideynet strideynet strideynet approved these changes

@greedy52 greedy52 greedy52 approved these changes

@Tener Tener Tener approved these changes

Assignees

@gabrielcorado gabrielcorado

Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SQL server with PKINIT fails with login error when DB server and client CAs are different
4 participants
@gabrielcorado @Tener @greedy52 @strideynet