r2dbc / r2dbc-mssql

R2DBC Driver for Microsoft SQL Server using TDS (Tabular Data Stream) Protocol
Apache License 2.0

Add support to connect to MSSQL Server with Integrated Security (windows authentication) #101

Open EugenZ opened 4 years ago

EugenZ commented 4 years ago

Is it possible to connect to the MSSQL database not with user credentials, but with a domain user account?

mp911de commented 4 years ago

Currently, password authentication is the only supported login scheme.

We don't support Kerberos, NTLM or integrated authentication, mostly due to two reasons:

  1. Integrated authentication involves quite a bit of native code (JNI).
  2. Adding additional authentication mechanisms isn't something we can achieve ourselves, but we need some support here. Right now, it's unclear whether these authentication mechanisms can be integrated in a non-blocking way.

That being said, additional authentication scheme support depends on whether someone more knowledgeable than us is able to contribute these.

lemonprogis commented 4 years ago

Hello, does this include the possibility of using authentication=ActiveDirectoryPassword?

mp911de commented 4 years ago

I'm not sure, as I'm not familiar with AD authentication. Right now, we don't support AD-based authentication.

vakmancordero commented 4 years ago

Sad to read that... Currently, many implementations for making connections to SQL servers require authentication using integrated security. I was trying to implement r2dbc with multiple databases with integrated security.

vakmancordero commented 4 years ago

So, I will try through the sqljdbc_auth.dll. If I have success, then I will let you know.

nittalasrikanth commented 4 years ago

> So, I will try through the sqljdbc_auth.dll. If I have success, then I will let you know.

Hello... did you find a resolution or a workaround for this issue? We are running into the same problem (NTLM security on MS SQL Server) within our enterprise. Thanks!

mp911de commented 4 years ago

As it looks like now, integrated authentication requires a platform-specific binary. In the SQL Server JDBC driver, native code is available through com.microsoft.sqlserver.jdbc.AuthenticationJNI which is package-private. You might want to file a ticket at https://github.com/microsoft/mssql-jdbc to make SSPI usable from outside the library.

lemonprogis commented 4 years ago

Been discussing over on mssql-jdbc questions thread some. Would it be possible to do what is suggested?

https://github.com/microsoft/mssql-jdbc/issues/818#issuecomment-632322627

Thanks!

mp911de commented 4 years ago

I haven’t looked yet into the DLL exports. If these are namespace-free, then we could add an integration. If they point into the SQL Server JDBC package, then we cannot add it, as it would cause split packages.

lemonprogis commented 4 years ago

@mp911de, awesome! Do we need a separate issue to look into that? Also, if I can help in any way, let me know.

mp911de commented 4 years ago

If you like, feel free to come up with a pull request. I’m currently on vacation and I don’t have a Windows testing environment.

lpandzic commented 3 years ago

Note that the JDBC driver was migrated to MSAL in August. I assume the access is reactive, as they use Reactor types, as is visible in the changes.

@mp911de I have two questions:

  1. What is the proper way to channel community interest in getting this issue done? On Jira there was a vote option, but on GitHub unfortunately there's nothing similar.
  2. What would you need for a testing environment? Docker containers for AD, MSSQL and an app that communicates with the DB through Kerberos?

mp911de commented 3 years ago

Thanks for the heads-up. Using MSAL that is based on Reactor internally, we should have all pre-requisites in place. In general, you can leave a :+1: on the ticket. Other than that, the ticket is labeled with ideal-for-contribution which means it is up for grabs for anyone that wants to contribute this functionality.

Since I'm not so deeply involved with AD, Kerberos etc. I don't have an answer to that question. I would expect that this feature can be only properly tested within an Azure or/and native Windows environment. We don't have access to either one from this project and I don't see how we could achieve that without anyone sponsoring the project.

Probably you want to reach out to Microsoft and make them aware of this situation.

lovababu commented 2 years ago

I might be late to the party :). Does r2dbc-mssql support Azure MSI (authentication=ActiveDirectoryMSI) based authentication?

steffimahajan commented 1 year ago

> I might be late to the party :). Does r2dbc-mssql support Azure MSI (authentication=ActiveDirectoryMSI) based authentication?

Hey, did you find anything? I am also trying the same thing.

juancdelgado commented 5 months ago

Hello,

I am also having issues with this (values have been changed for privacy):

This is what I have for a ConnectionFactory:

```java
@Bean
public ConnectionFactory connectionFactory() {
    ConnectionFactoryOptions options = ConnectionFactoryOptions.builder()
        .option(ConnectionFactoryOptions.DRIVER, "sqlserver")
        .option(ConnectionFactoryOptions.HOST, "my-server.database.windows.net")
        .option(ConnectionFactoryOptions.PORT, 1433)
        .option(ConnectionFactoryOptions.USER, "username@my-app.cloud.com")
        .option(ConnectionFactoryOptions.PASSWORD, "a_password123")
        .option(ConnectionFactoryOptions.DATABASE, "my_db")
        .option(Option.valueOf("sendStringParametersAsUnicode"), false)
        .option(Option.valueOf("encrypt"), true)
        .option(Option.valueOf("trustServerCertificate"), true)
        .option(Option.valueOf("hostNameInCertificate"), "*.database.windows.net")
        .option(Option.valueOf("authentication"), "ActiveDirectoryPassword")
        .build();

    log.trace("Connection Factory Details: " + options);
    return ConnectionFactories.get(options);
}
```

I'm getting the following error, only after I try to execute a SQL query:

```
Caused by: io.r2dbc.mssql.ExceptionFactory$MssqlNonTransientResourceException: Cannot open server "my-app.cloud.com" requested by the login. The login failed.
```

This is an Azure Active Directory account for which I'm providing the service account username and password.

KyleTTownsend commented 2 weeks ago

> Hello,
>
> I am also having issues with this (values have been changed for privacy):
>
> This is what I have for a ConnectionFactory:
>
> ```java
> @Bean
> public ConnectionFactory connectionFactory() {
>     ConnectionFactoryOptions options = ConnectionFactoryOptions.builder()
>         .option(ConnectionFactoryOptions.DRIVER, "sqlserver")
>         .option(ConnectionFactoryOptions.HOST, "my-server.database.windows.net")
>         .option(ConnectionFactoryOptions.PORT, 1433)
>         .option(ConnectionFactoryOptions.USER, "username@my-app.cloud.com")
>         .option(ConnectionFactoryOptions.PASSWORD, "a_password123")
>         .option(ConnectionFactoryOptions.DATABASE, "my_db")
>         .option(Option.valueOf("sendStringParametersAsUnicode"), false)
>         .option(Option.valueOf("encrypt"), true)
>         .option(Option.valueOf("trustServerCertificate"), true)
>         .option(Option.valueOf("hostNameInCertificate"), "*.database.windows.net")
>         .option(Option.valueOf("authentication"), "ActiveDirectoryPassword")
>         .build();
>
>     log.trace("Connection Factory Details: " + options);
>     return ConnectionFactories.get(options);
> }
> ```
>
> I'm getting the following error, only after I try to execute a SQL query:
>
> ```
> Caused by: io.r2dbc.mssql.ExceptionFactory$MssqlNonTransientResourceException: Cannot open server "my-app.cloud.com" requested by the login. The login failed.
> ```
>
> This is an Azure Active Directory account for which I'm providing the service account username and password.

I am running into the same issue you are. Were you able to come up with a solution for Active Directory authentication?