I am running a Linux server and trying to establish a connection to McAfee with the SQL server using Kerberos authentication. I have downloaded and installed the correct driver and DB Connect recognizes the driver. When trying to create a new connection, I receive the error, "com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId: blah blah". When I look through the dbx_server logs, I find the same error as above, but also another log with an error. The other log states "ClientConnectionId: blah blah cause={} org.ietf.jgss.GSSException: No Valid credentials provided (Mechanism level: Server not found in Kerberos database (7))". Does anyone know what the issue is that is keeping the Linux machine from establishing the connection?
@gn694 is this done for the service account that is running the SQL Server service, or for the service account that db_connect is trying to use to connect to MS SQL?
I'll paste this here as well for reference: Register a Service Principal Name for Kerberos Connections - SQL Server | Microsoft Learn
@splunkyj You do this for the service account that SQL Server runs as.
Check if the answer below helps you:
Unix + Kerberos in a Microsoft Active Directory environment is tricky. Typically when you see a "server not found in kerberos database" error, you're trying to invoke-command (via WinRM) from one Windows machine to another, and your trustedhosts config is too restrictive. I'm not positive what the equivalent is on Unix, but you might try using kinit first to see if you can request a ticket with the account you're using to connect remotely. That might rule out some problems. For instance: kinit myuser@MY.DOMAIN.COM. If it prompts you for your password, and klist now shows the ticket, things should be in a good state. If your Unix host isn't configured to find the domain controllers, you might be running into issues there. I have a similar setup but I think my driver is different. I can confirm after you do some more testing.
I was able to perform the kinit command and klist provided me a ticket. I was initially given the wrong port to connect to. After the change, the new error stated, "com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:blah". I thought that since maybe we had a specific instance to connect to, I added "instanceName=myInstance" to the JDBC URL as stated in Splunk Docs. After this update, I encountered a new error. The new error stated, "There was an error processing your request. It has been logged (ID blah)."
Did you ever figure this out? I am running into the same problem connecting to a MS SQL server.
For anyone else that may come across this posting, I was able to resolve the issue in my case by setting the MSSQLSvc SPN on the service account used by SQL Server.
Thank you. How did you do that?
Set a service principal name on the user in Active Directory that SQL Server is running as.
For example, if you are trying to connect to the following with DBConnect:
sqlserver1.fqdn.com
Add the following service principal name to the user / service account in AD:
MSSQLSvc/sqlserver1.fqdn.com:1433
You can do this in the Active Directory Users and Computers console (on the user's Properties - Attribute Editor tab - set the servicePrincipalName attribute) or by using the setspn command.
Depending on your permissions in AD you may be able to do this yourself or you may need to get someone to do this for you.
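An added example, not part of the thread: a shell check run from the Linux DB Connect host that derives the SPN a JDBC URL implies and asks the KDC for a service ticket with kvno, which fails with the same "Server not found in Kerberos database" error while the SPN is missing. It assumes MIT Kerberos client tools and the MSSQLSvc/host:port form used in the answer above; the function names and sample URL are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes MIT Kerberos client tools
# (klist, kvno) on the DB Connect host. Function names are hypothetical.

# Print the SPN (MSSQLSvc/host:port) implied by a jdbc:sqlserver:// URL.
spn_from_jdbc_url() {
    local url rest host port
    url=$1
    case $url in
        jdbc:sqlserver://?*) ;;
        *) echo "not a jdbc:sqlserver URL: $url" >&2; return 2 ;;
    esac
    rest=${url#jdbc:sqlserver://}
    rest=${rest%%;*}                      # drop ;property=value pairs
    port=
    case $rest in
        *:*) port=${rest##*:}; rest=${rest%:*} ;;
    esac
    host=${rest%%\\*}                     # drop a \instance suffix
    [ -n "$host" ] || { echo "no host in URL" >&2; return 2; }
    if [ -z "$port" ]; then
        case $url in
            *\\*|*instanceName=*)
                # A named instance may listen on a dynamic port.
                echo "named instance: put the TCP port in the URL" >&2
                return 3 ;;
        esac
        port=1433                         # default instance port
    fi
    printf 'MSSQLSvc/%s:%s\n' "$host" "$port"
}

# Request a service ticket for that SPN using the current TGT.
check_spn() {
    local spn
    spn=$(spn_from_jdbc_url "$1") || return $?
    klist -s || { echo "no valid TGT, run kinit first" >&2; return 1; }
    if kvno "$spn" >/dev/null; then
        echo "OK: KDC issued a service ticket for $spn"
    else
        echo "FAIL: no service ticket for $spn (kvno error above)" >&2
        return 1
    fi
}

# Usage: bash check_spn.sh 'jdbc:sqlserver://sqlserver1.fqdn.com:1433'
if [ $# -gt 0 ]; then check_spn "$1"; fi
```

Run it after kinit with the account DB Connect uses; once the SPN has been registered on the SQL Server service account, the same call should report OK.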