Login/Register
Authenticating to a SQL Server instance as a Windows User via JDBC
Asked Answered
sql-serverjdbcjtdswindows-nt
A

9

9

I'm having to support multiple database types for my tenant-enabled web application. Among others, I have successfully supported Microsoft's SQL Server, by using the net.sourceforge.jtds.jdbc.Driver class with a connection String like "jdbc:jtds:sqlserver://192.168.1.189:1433/ApplicationName". This works, but it requires that the user explicitly defines a user in the SQL Server instance and enables SQL Server authentication.

Now, inevitably, requirements changed, and we're supposed to support connecting to SQL Server via Windows Authentication. Evidently this requires some sort of change to the connection string, since the data base server must somehow be able to distinguish whether the credentials passed into the data base connection are for a user defined in the SQL Server installation or in the Windows OS. But what is it?

Acting on advice from the internet, if progressed as far as extending the connection string with ;useNTLMv2=true;domain=WORKGROUP. That seems to make the data base server aware that I want to authenticate as a Windows user, but the actual log-in fails with

The login is from an untrusted domain and cannot be used with Windows authentication. (code 18452, state 28000)

Now im my testing set-up, both the J2EE app and the SQL server instance are in fact on the same machine (although in production they may not be), and still this computer isn't trusted enough to log on to itself? Evidently I'm missing a big part of the puzzle here. What does one have to do to convince an SQL Server instance that the user who started it can in fact log on to it via JDBC?

Edit

Since we have already sunk too much unsuccessful effort trying to integrate our web application with a full Microsoft infrastructure stack (SQL Server, Active Directory, Domain Name Service...), I have to restrict this question:

Does anyone know a way to access an SQL Server installation with a user account defined as a "Windows User" via JDBC form a J2EE application, without having to use Active Directory, a Windows machine running the web application and a proprietary DLL? The bounty is for any solution of that sub-problem. The entire problem is clearly too broad to be answered in one forum post.

Agretha answered 9/10, 2014 at 9:6 Comment(5)
Is this computer a member of an Windows Active Directory domain? I don't know much about the jTDS driver but have you installed the single sign on DLL? Another option is the Microsoft JDBC driver, which supports Windows auth without SSO.Welcher
No, all we have here is a few standalone Windows development boxes. A colleague is now looking into what we would have to do to establish an Active Directory environment for ourselves. Alternatively, do I understand you correctly that with the sqljdbc4.jar driver I could get away without running a domain controller locally? If so, I would really prefer to get the connectivity by just adapting the connection URL and parameters instead.Agretha
Be aware that running SQL Server on a domain controller is not supported. Typically, one uses Windows authentication only with AD already available. If you don't have that, why not just use SQL auth? Why would a requirement dictate you use Windows authentication without the supporting infrastructure?Welcher
We don't run AD, but I suppose some of our customers do. It's probably a "check-list" feature due to some general policy or other ("All authentication on ZorbCorp systems must be via the approved central domain controller") - other customers are happily running the thing with SQL Server authentication. I'll have to see if the additional business justifies the extra development effort.Agretha
This is becoming increasingly difficult/impossible as newer versions of SQL Server and the JDBC drivers are released.Insectile
D
4

I ran into the error

The login is from an untrusted domain and cannot be used with Windows authentication

when a 2012 SQL Server DB instance was recently upgraded to 2016. In order to use AD based authentication with the JTDS driver and SQL Server 2016, it seems necessary to specify both the useNTLMv2=true and the domain=example.com suffix in order to establish a connection. The name of the domain is absolutely necessary and I confirmed that through testing. This is with JTDS driver version 1.3.1.

Example of a working connection string using AD based authentication to SQL Server 2016 DB with JTDS 1.3.1:

jdbc:jtds:sqlserver://sqlserver2016db.example.com/MY_DB_NAME;domain=example.com;prepareSQL=2;useNTLMv2=true

UPDATE

Recently (due to the pandemic lockdown), I found myself also having to connect to SQL Server using Windows authentication from a non-domain computer (over VPN). This can be accomplished by starting the Windows process initiating the SQL Server connection, e.g. Eclipse / Spring Tool Suite, with the following command:

C:\Windows\System32\runas.exe /netonly /user:domain\user "path_to_executable.exe"

Source: https://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/

In discovering that gem, I also discovered that encryption needed to be used. Here are the settings I'm using (in addition to now running the executable with /netonly and a domain account):

spring.datasource.url=jdbc:jtds:sqlserver://fqdn_of_server_including_domain/DBNAME;domain=mydomain;useNTLMv2=true;ssl=require;prepareSQL=2;
spring.datasource.username=domainaccountname_without_domain_prefix
spring.datasource.password=password
spring.datasource.testOnBorrow=true
spring.datasource.hikari.connection-test-query=SELECT 1
spring.jpa.database-platform=org.hibernate.dialect.SQLServerDialect
Diphthong answered 18/9, 2018 at 18:51 Comment(1)
Thanks, verified here too - with jTDS, you need to include ";useNTLMv2=true" for it to connect to newer SQL servers - it wasnt needed for earlier versions.Glassworker
S
3

What you describe certainly appears to be feasible. I have SQL Server 2008 R2 Express running on a stand-alone server and I was able to connect using a Windows username/password on that server via jTDS 1.3.1 from a separate Windows machine and from an Xubuntu 14.04 box.

On the machine running SQL Server I created a Windows user named 'kilian'. In SQL Server itself I created a SQL Login for NT AUTHORITY\Authenticated Users. Then in the database (named 'myDb') I created a User named 'AuthenticatedUsers' for that SQL Login. Just to keep things simple I gave that user db_owner rights on the database.

DatabaseUser.png

There is no SQL Login for 'kilian' and no database User with that name.

Then, from the other two machines (the Windows workstation and the Xubuntu box) I just ran this:

package com.example.jtdstest;

import java.sql.*;

public class JtdsTestMain {

    public static void main(String[] args) {
        try (Connection con = DriverManager.getConnection(
                "jdbc:jtds:sqlserver://192.168.1.137:52865/myDb" +
                    ";domain=whatever",
                "kilian",
                "4theBounty")) {
            try (Statement s = con.createStatement()) {
                String sql = "SELECT LastName FROM Clients WHERE ID=1";
                try (ResultSet rs = s.executeQuery(sql)) {
                    rs.next();
                    System.out.println(rs.getString("LastName"));
                }
            }
        } catch (Exception e) {
            e.printStackTrace(System.out);
        }

    }

}

Additional notes:

  • I did not have to include useNTLMv2=true. I was able to connect with or without that parameter.

  • I did have to include domain= to tell the SQL Server not to use SQL authentication, but the actual value I supplied made no difference. (I literally used 'whatever', which was not the name of the server or the name of the workgroup to which it belongs.)

Syman answered 20/10, 2014 at 12:36 Comment(0)
C
1

Alternative Method

The alternative solution is to utilize integrated security. This enables your application to connect to the database as the user in which the application is currently running as. This is enabled by adding integratedSecurity=true; into the connection string properties. If you run into any trouble, make sure the sqljdbc_auth.dll is accessible via classpath or within your app library.

Security Note

You're probably already aware, but just have to say make sure not to grant access to "Authenticated Users" to your database as previously suggested as part of the demonstration. Identify which user account your application runs as and grant access to only that specific user in your database server.

Sources / Additional Info

Classroom answered 21/10, 2014 at 13:12 Comment(0)
J
1

The main problem is the windows authentication with a full java solution (no DLL). So you could use one of the libs below:

So once your app is authenticated with one of the lib above, your JDBC should run fine using "integratedSecurity=true;" and if needed "authenticationScheme=JavaKerberos".

Judaic answered 22/10, 2014 at 8:14 Comment(0)
D
1

Firstly you should write the jdbc connection like this:

String url ="jdbc:sqlserver://PC01\inst01;databaseName=DB01;integratedSecurity=true";

then

you need to enable the SQL Server TCP/IP Protocol in Sql Server Configuration Manager app. You can see the protocol in SQL Server Network Configuration.

Dumbhead answered 24/10, 2014 at 7:5 Comment(0)
S
1

I can see two possibilities, 1. You are using a local system account which the server won't understand In this case, switch to a domain account.

  1. Windows authentication has different credential requirements and you might not be meeting those. In this case try changing the password to match the requirements.

It is very well possible that both are happening.

Sateia answered 25/10, 2014 at 8:25 Comment(0)
T
1

see this other SO post that describes how to connect to a SQL Server with Windows Authentication from a Linux machine through JDBC

Teishateixeira answered 26/6, 2017 at 21:2 Comment(0)
A
0

This is my NiFi setup for jTDS driver:

Database Connection URL: jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name

I didn't need to add useNTLMv2=true, but most people need to, so if it doesn't work you can try also: jdbc:jtds:sqlserver://192.168.1.189:1433;DOMAIN=domain_name;useNTLMv2=true

Database Driver Class Name: net.sourceforge.jtds.jdbc.Driver

Database User: domain_user_name (**without** @domain) Password: domain_password

Validation query: select 1

Arum answered 23/5, 2019 at 10:48 Comment(0)
H
0

One of the possible reasons for this error to appear is when you configure you data source to use windows authentication and SQL Server is using Extended Protection mode together with SSL (i'm not sure if SSL is required though). This mode requires the client to send additional information - signed service principal name (SPN) and channel binding token (CBT). See more information about Extended Protection Mode here. Currently both JTDS JDBC and Microsoft JDBC drivers do not support this mode. I couldn't find an official statement from JTDS, but there is an open ticket for Microsoft drivers. In order to configure Extended Protection mode, go to SQL Server Configuration Manager, select properties on SQL Server Network Configuration -> Protocols for %your instance% and change Extended Protection option.

enter image description here

Habitat answered 2/7, 2020 at 14:56 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.