Bug 1331742 - MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Virtualization 6
Classification: JBoss
Component: Teiid
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: CR1
Target Release: 6.3.0
Assignee: Van Halbert
QA Contact: Juraj Duráni
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-29 12:26 UTC by Juraj Duráni
Modified: 2016-08-24 11:36 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-08-24 11:36:44 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker TEIID-4183 0 Major Closed MSSQL JDBC driver invalidates kerberos ticket on Connection.close() 2019-06-20 08:04:27 UTC

Description Juraj Duráni 2016-04-29 12:26:59 UTC
The MSSQL JDBC driver invalidates the Kerberos ticket on Connection.close() (related bugzilla [1]).
If a user creates a Kerberos connection, the driver invalidates the ticket when the connection is closed (Connection.close()). Therefore the ticket cannot be re-used. The EAP team created a workaround for this by adding the module option 'wrapGSSCredential=true' with the additional setting 'credentialLifetime=-1' [2, 3, 4, 5]. This works for static Kerberos authentication.
However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because the passed ticket is not managed by EAP but by the client.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
[3] https://issues.jboss.org/browse/SECURITY-905
[4] https://issues.jboss.org/browse/JBEAP-843
[5] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4

Steps to reproduce:
1. run query
2. flush connection (in CLI - /subsystem=datasources/data-source=<ds>:flush-all-connection-in-pool)
3. run query again
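
An added example (not code from this bug report, EAP or jboss-negotiation) of the idea behind the 'wrapGSSCredential' workaround, under the assumption that the option hands the driver a credential whose dispose() is ignored. NoDisposeCredential, wrap and fake are hypothetical names, and the fake credential is a constructed stand-in that only counts dispose() calls.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicInteger;
import org.ietf.jgss.GSSCredential;

// Added illustration; class and method names are hypothetical.
public final class NoDisposeCredential {

    // Returns a view of 'delegate' that forwards every call except dispose().
    static GSSCredential wrap(GSSCredential delegate) {
        return (GSSCredential) Proxy.newProxyInstance(
            NoDisposeCredential.class.getClassLoader(),
            new Class<?>[] {GSSCredential.class},
            (proxy, method, args) -> {
                if (method.getName().equals("dispose")) {
                    return null; // ignored: only the credential's owner may destroy it
                }
                try {
                    return method.invoke(delegate, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the original GSSException
                }
            });
    }

    // Constructed stand-in for a real Kerberos credential: counts dispose() calls.
    static GSSCredential fake(AtomicInteger disposed) {
        return (GSSCredential) Proxy.newProxyInstance(
            NoDisposeCredential.class.getClassLoader(),
            new Class<?>[] {GSSCredential.class},
            (proxy, method, args) -> {
                if (method.getName().equals("dispose")) {
                    disposed.incrementAndGet();
                }
                return null; // no other method is called in this demo
            });
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger disposed = new AtomicInteger();
        GSSCredential pooled = wrap(fake(disposed));

        // Simulates the driver disposing the credential on two Connection.close() calls.
        pooled.dispose();
        pooled.dispose();

        System.out.println("dispose() calls that reached the credential: " + disposed.get());
    }
}
```

A credential that callers cannot dispose stays usable in memory for its whole lifetime, so access to the Subject that holds it matters more once such a wrapper is in place.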

Comment 1 JBoss JIRA Server 2016-05-10 21:43:48 UTC
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Resolved

Comment 2 Juraj Duráni 2016-06-15 12:53:10 UTC
The additional option "wrapGSSCredential=true" for login module org.teiid.jboss.PassthroughIdentityLoginModule is supposed to be a workaround. But the Teiid/MSSQL driver throws an exception [1] with that option. Setting to assigned.

[1]
org.teiid.jdbc.TeiidSQLException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available.  The command could not be planned properly.
	at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:135)
	at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:71)
	at org.teiid.jdbc.StatementImpl.postReceiveResults(StatementImpl.java:706)
	at org.teiid.jdbc.StatementImpl.access$100(StatementImpl.java:64)
	at org.teiid.jdbc.StatementImpl$2.onCompletion(StatementImpl.java:545)
	at org.teiid.client.util.ResultsFuture.done(ResultsFuture.java:135)
	at org.teiid.client.util.ResultsFuture.access$200(ResultsFuture.java:40)
	at org.teiid.client.util.ResultsFuture$1.receiveResults(ResultsFuture.java:79)
	at org.teiid.net.socket.SocketServerInstanceImpl.receivedMessage(SocketServerInstanceImpl.java:268)
	at org.teiid.net.socket.SocketServerInstanceImpl.read(SocketServerInstanceImpl.java:306)
	at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.teiid.net.socket.SocketServerConnectionFactory$ShutdownHandler.invoke(SocketServerConnectionFactory.java:98)
	at com.sun.proxy.$Proxy6.read(Unknown Source)
	at org.teiid.net.socket.SocketServerInstanceImpl$RemoteInvocationHandler$1.get(SocketServerInstanceImpl.java:405)
	at org.teiid.jdbc.StatementImpl.executeSql(StatementImpl.java:554)
	at org.teiid.jdbc.PreparedStatementImpl.execute(PreparedStatementImpl.java:241)
	at org.jboss.dv.qe.kerberos.Utils.executePerformanceTest(Utils.java:88)
	at org.jboss.dv.qe.kerberos.MSSQLKerberosTest.performanceTest(MSSQLKerberosTest.java:232)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
	at org.testng.internal.Invoker.invokeMethod(Invoker.java:714)
	at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:901)
	at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1231)
	at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
	at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
	at org.testng.TestRunner.privateRun(TestRunner.java:767)
	at org.testng.TestRunner.run(TestRunner.java:617)
	at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
	at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
	at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
	at org.testng.SuiteRunner.run(SuiteRunner.java:240)
	at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
	at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
	at org.testng.TestNG.runSuitesSequentially(TestNG.java:1198)
	at org.testng.TestNG.runSuitesLocally(TestNG.java:1123)
	at org.testng.TestNG.run(TestNG.java:1031)
	at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:70)
	at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.execute(TestNGDirectoryTestSuite.java:108)
	at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:111)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:164)
	at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:110)
	at org.apache.maven.surefire.booter.SurefireStarter.invokeProvider(SurefireStarter.java:172)
	at org.apache.maven.surefire.booter.SurefireStarter.runSuitesInProcessWhenForked(SurefireStarter.java:104)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:70)
Caused by: org.teiid.core.TeiidProcessingException: TEIID30498 Remote org.teiid.api.exception.query.QueryPlannerException: TEIID30498 Capabilities for BQT were not available.  The command could not be planned properly.
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertNode(PlanToProcessConverter.java:326)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:143)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:147)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convertPlan(PlanToProcessConverter.java:159)
	at org.teiid.query.optimizer.relational.PlanToProcessConverter.convert(PlanToProcessConverter.java:120)
	at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:228)
	at org.teiid.query.optimizer.QueryOptimizer.optimizePlan(QueryOptimizer.java:159)
	at org.teiid.dqp.internal.process.Request.generatePlan(Request.java:442)
	at org.teiid.dqp.internal.process.PreparedStatementRequest.generatePlan(PreparedStatementRequest.java:119)
	at org.teiid.dqp.internal.process.Request.processRequest(Request.java:470)
	at org.teiid.dqp.internal.process.PreparedStatementRequest.processRequest(PreparedStatementRequest.java:294)
	at org.teiid.dqp.internal.process.RequestWorkItem.processNew(RequestWorkItem.java:642)
	at org.teiid.dqp.internal.process.RequestWorkItem.process(RequestWorkItem.java:337)
	at org.teiid.dqp.internal.process.AbstractWorkItem.run(AbstractWorkItem.java:51)
	at org.teiid.dqp.internal.process.RequestWorkItem.run(RequestWorkItem.java:274)
	at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
	at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
	at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:744)
Caused by: org.teiid.core.TeiidException: TEIID11009 Remote org.teiid.translator.TranslatorException: TEIID11009 java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:274)
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
	at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
	at org.teiid.dqp.internal.datamgr.ConnectorManager.buildCapabilities(ConnectorManager.java:179)
	at org.teiid.dqp.internal.datamgr.ConnectorManager.getCapabilities(ConnectorManager.java:163)
	at org.teiid.dqp.internal.process.CachedFinder.findCapabilities(CachedFinder.java:108)
	at org.teiid.query.metadata.TempCapabilitiesFinder.findCapabilities(TempCapabilitiesFinder.java:78)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.getCapabilities(CapabilitiesUtil.java:439)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.supports(CapabilitiesUtil.java:459)
	at org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.requiresCriteria(CapabilitiesUtil.java:444)
	at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.addAccessNode(RulePlaceAccess.java:196)
	at org.teiid.query.optimizer.relational.rules.RulePlaceAccess.execute(RulePlaceAccess.java:86)
	at org.teiid.query.optimizer.relational.RelationalPlanner.executeRules(RelationalPlanner.java:859)
	at org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:226)
	... 15 more
Caused by: java.sql.SQLException: Remote java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
	at org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
	... 28 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/SQL2012_Krb
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:410)
	at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:367)
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:499)
	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
	... 29 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: IJ000658: Unexpected throwable while trying to create a connection: null
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:454)
	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:457)
	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:429)
	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:344)
	... 32 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote javax.resource.ResourceException: Could not create connection
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:351)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.access$200(LocalManagedConnectionFactory.java:60)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:274)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory$1.run(LocalManagedConnectionFactory.java:265)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:264)
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:858)
	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:413)
	... 35 more
Caused by: java.sql.SQLException: Remote com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:b0e4955c-f233-4ee3-b609-2929d8f6a169
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:176)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220)
	at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1326)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:323)
	... 43 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote java.security.PrivilegedActionException: null
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.getClientCredential(KerbAuthentication.java:199)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:150)
	... 55 more
Caused by: org.teiid.core.TeiidRuntimeException: Remote org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
	at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
	at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
	at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
	at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:189)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication$1.run(KerbAuthentication.java:187)
	... 59 more

Comment 3 Juraj Duráni 2016-06-15 13:14:07 UTC
Setting blocker to ?. With the workaround, every query fails. Without the workaround, the user cannot use the connection pool properly.

Comment 4 JBoss JIRA Server 2016-06-15 14:56:54 UTC
Van Halbert <vhalbert> updated the status of jira TEIID-4183 to Reopened

Comment 6 JBoss JIRA Server 2016-06-28 00:48:11 UTC
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Resolved

Comment 8 JBoss JIRA Server 2016-08-01 13:20:45 UTC
Ramesh Reddy <rareddy> updated the status of jira TEIID-4183 to Reopened

Comment 12 JBoss JIRA Server 2016-08-11 12:19:44 UTC
Steven Hawkins <shawkins> updated the status of jira TEIID-4183 to Closed

