ISC/MSSQL/Kerberos integration [unable to obtain principal name for authentication]

Hello All,

Recently I’m working on integration between ISC and an MSSQL on-prem database. Our customer requested us to use Windows Authentication, so an additional step is to authenticate to the Kerberos service. However, I’m receiving the following error:
Error Received:

> [ ConnectorException ] [ Error details ] The server encountered an unexpected error while contacting target system. Please check the logs. Kerberos Login failed: Integrated authentication failed. ClientConnectionId:92149d5e-2afb-4b3e-a324-924a6d5811cd due to javax.security.auth.login.LoginException (Unable to obtain Principal Name for authentication )

Steps done so far:

  • FW ports to the Kerberos server were opened on ports 88 and 464
  • FW ports to MSSQL were opened on 80, 443, 1433
  • Uploaded files: mssql-jdbc-12.6.1.jre11.jar, SQLJDBCDriver.config, krb5.config
  • Source was configured as below:

Source Type: MSSQL
Authentication Type: Windows Authentication
Database URL: jdbc:sqlserver://MSSQLSERVER.eua.DOMAIN.com\DBNAME:1433;integratedSecurity=true;authenticationScheme=JavaKerberos;trustServerCertificate=true
Login Account Name: [email protected]
Driver Class: com.microsoft.sqlserver.jdbc.SQLServerDriver

krb5.config

```
[logging]
[libdefaults]
  default_realm = EUA.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
[realms]
  EUA.DOMAIN.COM = {
    kdc = KDC_LDAP.eua.DOMAIN.com
    admin_server = KDC_LDAP.eua.DOMAIN.com
  }
[domain_realm]
```

SQLJDBCDriver.config

```
SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
};
```

My questions are:

  1. Do I need additional Kerberos config in the VA?
  2. What additional configuration needs to be done on the KDC server?
  3. How do I solve the Kerberos auth error?

Many thanks in advance for help

From what I know, Windows authentication is still not supported on the VA, and you need to use direct access.

Best

@radoslaw_klimkowski

I have exactly the same issue and have followed the same steps as you but without any luck. I am getting the same error message.

I have also created SPN for the windows service account as stated in this Kerberos Authentication Setup Checklist

Can you try following the steps stated in this guide to see if you have any luck?

I have tried updating the krb5.config with different config settings/options and then rebooting the ccg service but still no joy.

@ipobeidi I don’t know whether this is still not supported on the VA. It would be nice if someone can please confirm this.

Thanks

Hi @radoslaw_klimkowski,

Attached is a guide I have created for configuring Windows Authentication.

Please follow the steps closely and ensure the configuration of your source match the configuration defined in the guide.

For the best experience and full functionality (copying code & TOC), please download and open in a browser.

Configuring Windows Authentication for JDBC Sources.html (4.5 MB)
(updated 2024-11-22)

Let me know how it goes.


@brennenscott Thanks very much for providing us this guide :+1:

I will give it a try and will let you know how it goes or if I need any help.

@brennenscott Many thanks for sharing that guide. I’m awaiting a response from the MSSQL team to change the service account for the MSSQL service. I’ll keep you posted.

In the meantime (in relation to the provided guide):

  1. Does the name of the service account have to be the same case-sensitive name everywhere?
  2. Does the connector on ISC have to be JDBC, or can I still use MSSQL?

Hi @radoslaw_klimkowski, this is for JDBC specifically but the principles of the configuration still stand for MSSQL.

The specifications in the guide are important, such as the <DOMAIN IN ALL CAPS> labels. Each step needs to be followed meticulously, as the domain in all caps is for the realm, which needs to be in all caps. The name of the service account does not necessarily have to be in all caps, but the domain does (where specified). I recommend just copying the format as provided in the examples in the guide.
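As an added check for the realm/KDC points raised above (example code written for this thread, not ISC, SailPoint or Microsoft tooling): a small Python checker that parses a krb5.config like the one in the original post and flags a realm that is not upper case, a default_realm without a [realms] block or kdc entry (which matters when dns_lookup_kdc is false), and an empty [domain_realm]. The sample config is constructed from the values posted in this thread.

```python
import re
# Constructed sample modelled on the krb5.config posted in this thread (not a real site's file)
SAMPLE_CONF = """\
[logging]
[libdefaults]
  default_realm = EUA.DOMAIN.COM
  dns_lookup_kdc = false
[realms]
  EUA.DOMAIN.COM = {
    kdc = KDC_LDAP.eua.DOMAIN.com
    admin_server = KDC_LDAP.eua.DOMAIN.com
  }
[domain_realm]
"""

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; realm blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):   # new section header
            stack = [sections.setdefault(m.group(1), {})]
        elif line == "}":                           # end of a realm block
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                        # start of a realm block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def check_krb5(text):
    """Return findings for the settings this thread shows to matter."""
    cfg = parse_krb5(text)
    findings = []
    realm = cfg.get("libdefaults", {}).get("default_realm")
    if not realm:
        findings.append("error: [libdefaults] default_realm is missing")
    elif realm != realm.upper():
        findings.append(f"error: default_realm '{realm}' must be upper case")
    if realm and realm not in cfg.get("realms", {}):
        findings.append(f"error: [realms] has no block for {realm}")
    elif realm and "kdc" not in cfg["realms"][realm]:
        findings.append(f"error: [realms] {realm} has no kdc entry")
    if not cfg.get("domain_realm"):
        findings.append("warn: [domain_realm] is empty; hosts fall back to default_realm")
    return findings
```

Run `check_krb5(open("/path/to/krb5.config").read())` against your own file; on the sample above it only warns about the empty [domain_realm] section.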

Hi @brennenscott

I followed the steps in your guide but I am getting the attached error message “Missing required jar.” although I uploaded it in the GUI as shown in the attached screenshot. Also, I tried the newer version file, i.e. ‘mssql-jdbc-12.6.2.jre11.jar’, but without any luck.

Could you please advise why this is the case?

Thanks

I strongly believe it’s related to a recent issue which is surfacing on the sandbox environment, most likely because of a recent SailPoint change.

Related post here:

@gauravsajwan1

Thanks for the update. On Friday last week I didn’t have this issue. It seems this issue started around 1st June 2024 in the sandbox tenant and this could be due to some recent changes by SailPoint. Prod seems to be OK.

Anyhow, please keep me posted.

Thanks

Hey mate, the issue is resolved in case you are not across the latest update.

Cheers!


@gauravsajwan1 Thanks for the update.

@nhassan after the issue with missing JAR files has been resolved, have you been able to re-test the configurations you made according to the guide I provided?

Let me know what you see.

Hi @brennenscott

I am still waiting for our database team to configure the windows svc account at their end and set the required permissions. Once it’s done I will give it a try to see if the test connection is successful. I will update you then.

As per step 1 and 2 of part-1 in your guide, is it mandatory to set the “SQL Server (MSSQLSERVER) service” to log on as windows svc account?

Unlike above, would the connection still be successful if the windows svc account is configured on the SQL Server side just to be able to login to the database instance?

Thanks

My experience shows that if leaving the service as the default NT Service\MSSQLSvc (I think that’s the name off the top of my head), any operation would result in the following error:

Error occurred in Kerberos Authentication while test configuration operation.
GSSException: Defective token detected (Mechanism level: AP_REP token id does not match!)

The service does not need to be run by the service account used by ISC, but it does need to be either Local System or another service account.


Hello everyone,

The integration with MSSQL and Kerberos has been completed successfully! I was able to test the connection and even aggregate and correlate accounts. Both teams (IDN and MSSQL) followed the instructions (exactly step by step) provided by @brennenscott.

Many thanks once again @brennenscott

Excellent to hear, @radoslaw_klimkowski! :smile:

Have an amazing rest of your week!

