Bug 1331742 - MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
Summary: MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Virtualization 6
Classification: JBoss
Component: Teiid
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: CR1
: 6.3.0
Assignee: Van Halbert
QA Contact: Juraj Duráni
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-29 12:26 UTC by Juraj Duráni
Modified: 2016-08-24 11:36 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The MSSQL JDBC driver invalidates an active kerberos ticket on Connection.close(). As a result, if the user creates kerberos connection, the driver invalidates the ticket when the connection is closed and, therefore, the ticket cannot be re-used. The EAP team created a workaround for this by adding the module option 'wrapGSSCredential=true' with the additional setting 'credentialLifetime=-1'. This works for static kerberos authentication. To make the PassthroughIdentityLoginModule (PTILM) work, you need to add an additional module option for PTILM 'wrapGSSCredential' and set it to 'true' (the default is 'false').
Clone Of:
Environment:
Last Closed: 2016-08-24 11:36:44 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker TEIID-4183 0 Major Closed MSSQL JDBC driver invalidates kerberos ticket on Connection.close() 2019-06-20 08:04:27 UTC

Description Juraj Duráni 2016-04-29 12:26:59 UTC 
MSSQL JDBC driver invalidate kerberos ticket on Connection.close() (related bugzilla [1]).
If user creates kerberos connection, driver invalidates ticket on closing connection (Connection.close()). Therefore ticket cannot be re-used. EAP team creates a workaround for this by adding module option 'wrapGSSCredential=true' with additional setting 'credentialLifetime=-1' [2, 3, 4, 5]. This works for static kerberos authentication.
However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because passed ticket is not managed by EAP but by client.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
[3] https://issues.jboss.org/browse/SECURITY-905
[4] https://issues.jboss.org/browse/JBEAP-843
[5] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4

Steps to reproduce:
1. run query
2. flush connection (in CLI - /subsystem=datasource/data-source=<ds>:flush-all-connection-in-pool)
3. run query again
Comment 1 JBoss JIRA Server 2016-05-10 21:43:48 UTC 
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Resolved
Comment 2 Juraj Duráni 2016-06-15 12:53:10 UTC 
Additional option "wrapGSSCredential=true" for login module org.teiid.jboss.PassthroughIdentityLoginModule is supposed to be a workaround. But Teiid/MSSQL driver throws exception [1] with that option. Setting to assigned.

[1]
org.teiid.jdbc.TeiidSQLException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available.  The command could not be planned properly.
	at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:135)
	at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:71)
	at org.teiid.jdbc.StatementImpl.postReceiveResults(StatementImpl.java:706)
	at org.teiid.jdbc.StatementImpl.access$100(StatementImpl.java:64)
	at org.teiid.jdbc.StatementImpl$2.onCompletion(StatementImpl.java:545)
	at org.teiid.client.util.ResultsFuture.done(ResultsFuture.java:135)
	at org.teiid.client.util.ResultsFuture.access$200(ResultsFuture.java:40)
	at org.teiid.client.util.ResultsFuture$1.receiveResults(ResultsFuture.java:79)
	at org.teiid.net.socket.SocketServerInstanceImpl.receivedMessage(SocketServerInstanceImpl.java:268)
	at org.teiid.net.socket.SocketServerInstanceImpl.read(SocketServerInstanceImpl.java:306)
	at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.teiid.net.socket.SocketServerConnectionFactory$ShutdownHandler.invoke(SocketServerConnectionFactory.java:98)
	at com.sun.proxy.$Proxy6.read(Unknown Source)
	at org.teiid.net.socket.SocketServerInstanceImpl$RemoteInvocationHandler$1.get(SocketServerInstanceImpl.java:405)
	at org.teiid.jdbc.StatementImpl.executeSql(StatementImpl.java:554)
	at org.teiid.jdbc.PreparedStatementImpl.execute(PreparedStatementImpl.java:241)
	at org.jboss.dv.qe.kerberos.Utils.executePerformanceTest(Utils.java:88)
	at org.jboss.dv.qe.kerberos.MSSQLKerberosTest.performanceTest(MSSQLKerberosTest.java:232)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
	at org.testng.internal.Invoker.invokeMethod(Invoker.java:714)
	at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:901)
	at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1231)
	at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
	at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
	at org.testng.TestRunner.privateRun(TestRunner.java:767)
	at org.testng.TestRunner.run(TestRunner.java:617)
	at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
	at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
	at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
	at org.testng.SuiteRunner.run(SuiteRunner.java:240)
	at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
	at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
	at org.testng.TestNG.runSuitesSequentially(TestNG.java:1198)
	at org.testng.TestNG.runSuitesLocally(TestNG.java:1123)
	at org.testng.TestNG.run(TestNG.java:1031)
	at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:70)
	at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.execute(TestNGDirectoryTestSuite.java:108)
	at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:111)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:164)
	at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:110)
	at org.apache.maven.surefire.booter.SurefireStarter.invokeProvider(SurefireStarter.java:172)
	at org.apache.maven.surefire.booter.SurefireStarter.runSuitesInProcessWhenForked(SurefireStarter.java:104)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:70)
Caused by: org.teiid.core.TeiidProcessingException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available.  The command could not be planned properly.
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertNode(PlanToProcessConverter.java:326)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:143)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:147)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convert(PlanToProcessConverter.java:120)
	at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:228)
	at org.teiid.query.optimizer.QueryOptimizer.optimizePlan(QueryOptimizer.java:159)
	at org.teiid.dqp.internal.process.Request.generatePlan(Request.java:442)
	at org.teiid.dqp.internal.process.PreparedStatementRequest.generatePlan(PreparedStatementRequest.java:119)
	at org.teiid.dqp.internal.process.Request.processRequest(Request.java:470)
	at org.teiid.dqp.internal.process.PreparedStatementRequest.processRequest(PreparedStatementRequest.java:294)
	at org.teiid.dqp.internal.process.RequestWorkItem.processNew(RequestWorkItem.java:642)
	at org.teiid.dqp.internal.process.RequestWorkItem.process(RequestWorkItem.java:337)
	at org.teiid.dqp.internal.process.AbstractWorkItem.run(AbstractWorkItem.java:51)
	at org.teiid.dqp.internal.process.RequestWorkItem.run(RequestWorkItem.java:274)
	at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
	at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
	at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:744)
Caused by: org.teiid.core.TeiidException: TEIID11009 Remote org.teiid.translator.TranslatorException: TEIID11009 java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:274)
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
	at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
	at org.teiid.dqp.internal.datamgr.ConnectorManager.buildCapabilities(ConnectorManager.java:179)
	at org.teiid.dqp.internal.datamgr.ConnectorManager.getCapabilities(ConnectorManager.java:163)
	at org.teiid.dqp.internal.process.CachedFinder.findCapabilities(CachedFinder.java:108)
	at org.teiid.query.metadata.TempCapabilitiesFinder.findCapabilities(TempCapabilitiesFinder.java:78)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.getCapabilities(CapabilitiesUtil.java:439)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.supports(CapabilitiesUtil.java:459)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.requiresCriteria(CapabilitiesUtil.java:444)
	at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.addAccessNode(RulePlaceAccess.java:196)
	at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.execute(RulePlaceAccess.java:86)
	at org.teiid.query.optimizer.relational.RelationalPlanner.executeRules(RelationalPlanner.java:859)
	at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:226)
	... 15 more
Caused by: java.sql.SQLException: Remote java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
	... 28 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:410)
	at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:367)
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:499)
	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
	... 29 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000658: Unexpected throwable while trying to create a connection: null
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:454)
	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:457)
	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:429)
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:344)
	... 32 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: Could not create connection
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:351)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.access$200(LocalManagedConnectionFactory.java:60)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:274)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:265)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:264)
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:858)
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:413)
	... 35 more
Caused by: java.sql.SQLException: Remote com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:b0e4955c-f233-4ee3-b609-2929d8f6a169
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:176)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220)
	at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1326)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:323)
	... 43 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote java.security.PrivilegedActionException: null
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.getClientCredential(KerbAuthentication.java:199)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:150)
	... 55 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
	at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
	at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
	at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
	at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:189)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:187)
	... 59 more
Comment 3 Juraj Duráni 2016-06-15 13:14:07 UTC 
Setting blocker to ?. With workaround every query fails. With out workaround, user cannot use connection poll properly.
Comment 4 JBoss JIRA Server 2016-06-15 14:56:54 UTC 
Van Halbert <vhalbert> updated the status of jira TEIID-4183 to Reopened
Comment 6 JBoss JIRA Server 2016-06-28 00:48:11 UTC 
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Resolved
Comment 7 Juraj Duráni 2016-08-01 11:41:02 UTC 
Basic configuration (no wrapping, no cache) did not pass [1].

[1] https://issues.jboss.org/browse/TEIID-4183?focusedCommentId=13273356&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13273356
Comment 8 JBoss JIRA Server 2016-08-01 13:20:45 UTC 
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Reopened
Comment 12 JBoss JIRA Server 2016-08-11 12:19:44 UTC 
Steven Hawkins <shawkins> updated the status of jira TEIID-4183 to Closed
Note You need to log in before you can comment on or make changes to this bug.