0
votes

Has anyone succeeded in connecting a Dockerized .NET Core 2.2 API to a SQL Server located on an external client cloud server through Kerberos?

Here we're facing these issues:

Scenario 1:
If we use a connection string like this:

Server=tcp:SERVER_IP_ADDRESS,1433; Database=DB_NAME; User Id=USER; Password=PASSWORD;

then it takes a long time and throws an exception like this:

SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - Success)

Scenario 2:
If we use a connection string like this:

Server=tcp:SERVER_IP_ADDRESS,1433; Database=DB_NAME; User Id=USER; Password=PASSWORD; Trusted_Connection=True;

then, the exception is:

SqlException: Cannot authenticate using Kerberos.

Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.

ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.

Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate).

So, our hands are tied and we don't know where to run.

Can you help us?

Thanks in advance.

1
Is it not an option to just add username/password access to the SQL server? - Gerrit
@Gerrit with username/password without Trusted_Connection = true, then the exception is: A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - Success) - Eduardo Gonçalves
Yes, but are username/password accesses allowed on the SQL server, does it have SQL server authentication mode? docs.microsoft.com/en-us/sql/relational-databases/security/… - Gerrit
I'm using SQL Server Authentication - Eduardo Gonçalves
Does anything from here help? stackoverflow.com/questions/34430550/… - Gerrit

1 Answer

0
votes

If you don't strictly need Kerberos to authenticate, just use a SQL user and password.

To do that, create a user on SQL Server only (not in Windows; use SSMS or a SQL script to do it) and use that user, not the Windows one.

It seems that you aren't using SQL Server authentication, or at least you aren't using a SQL Server user but a Windows one, and SQL Server tries to authenticate that user in AD instead of authenticating it locally on SQL Server.

However, if you want to use Windows auth, you would probably need to use Windows containers and gMSA accounts; see https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-run-container
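The steps from the answer above as a T-SQL script, added here as an example and not part of the original answer: it checks the server's authentication mode, creates a SQL-authenticated login with a least-privilege database user, and then verifies which authentication scheme the API's session actually used. The login and user names, the password placeholder and the choice of roles are assumptions; DB_NAME is the placeholder from the question.

```sql
-- Added example; run as a server administrator (for instance from SSMS).
-- api_app_login / api_app_user are hypothetical names.

-- 1. Confirm that SQL Server authentication is enabled at all.
--    1 = Windows Authentication only, 0 = mixed mode (SQL logins allowed).
--    Switching the mode requires a restart of the SQL Server service.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Create a login that exists only in SQL Server (no Windows/AD account).
--    CHECK_POLICY applies the Windows password policy to this login.
CREATE LOGIN [api_app_login]
    WITH PASSWORD = N'<REPLACE_WITH_STRONG_PASSWORD>',  -- placeholder
         CHECK_POLICY = ON;

-- 3. Map the login to a user in the application database and grant only
--    what the API needs (read/write here is an assumption).
USE [DB_NAME];
CREATE USER [api_app_user] FOR LOGIN [api_app_login];
ALTER ROLE db_datareader ADD MEMBER [api_app_user];
ALTER ROLE db_datawriter ADD MEMBER [api_app_user];

-- 4. Confirm the principal is a SQL login and not a Windows one.
--    Expected type_desc: SQL_LOGIN (a Windows account shows WINDOWS_LOGIN).
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'api_app_login';

-- 5. While the container is connected, check how its session authenticated.
--    auth_scheme is SQL for SQL Server authentication and KERBEROS or NTLM
--    for Windows authentication; encrypt_option shows whether the
--    connection is encrypted in transit.
SELECT s.login_name,
       c.auth_scheme,
       c.encrypt_option,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions   AS s ON s.session_id = c.session_id
WHERE s.login_name = N'api_app_login';
```

The connection string for this login is the Scenario 1 form from the question (User Id and Password, without Trusted_Connection=True).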