Description: I have configured a datasource for MSSQL database. The datasource uses PassthroughIdentityLoginModule. I have also created a VDB which requires kerberos authentication. I am trying to pass credentials used for authentication CLIENT <=> TEIID to datasource so they can be used for authentication TEIID <=> MSSQL. Method getConnection(..) (record in server log) is called with correct credentials, but SQLServerDriver throws an exception: initAuthInit failed privileged exception:-java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0 major string: Invalid credentials minor string: Cannot get credential from JAAS Subject for principal: default principal Some ideas, but I am only guessing: 1. I have seen same exception (on client side) if system property "javax.security.auth.useSubjectCredsOnly" is set to false on client side. As this property is set to true in the server config (<property name="javax.security.auth.useSubjectCredsOnly" value="true"/>), it is probably not passed to the driver (or is being ignored). 2. SQLServerDriver sets two system properties by default (if no kerberos configuration file is specified) useDefaultCcache = true moduleBanner = false - see https://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx - ibm kerberos login module will try to get TGT from ticket cache ------------------------ Steps to reproduce: 0. add dependency "ibm.jdk" to module org.jboss.security.negotiation (https://issues.jboss.org/browse/TEIID-3416) 1. start Teiid 2. adapt set-up-mssql-ibm.cli and run it to configure Teiid 3. deploy VDBs 4. connect to Teiid and run query SELECT "user" FROM us ------------------------ Additional information: I have tried static kerberos configuration for same DS and there was no problem with it.
Created attachment 1014225 [details] Configuration file
Created attachment 1014226 [details] VDB for static configuration
Created attachment 1014227 [details] VDB for pass-through authentication
Same problem with Impala (pass-through). But in this case even static configuration does not work. Static configuration error: ERROR [org.apache.thrift.transport.TSaslTransport] (Worker1_QueryProcessorQueue1) SASL negotiation failure: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Input max size 0 less than computed required size 53]
Additional info to Comment 4: IBM jdk is not supported - http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/pcm_jdk_cdh_cm.html
Release note errata - in progress.
Release note draft completed. Assigning back to Van for engineering.
Steven Hawkins <shawkins> updated the status of jira TEIID-3425 to Resolved