Connecting to SQL Server with extended protection and jdbc

  • Question

  • I am trying to connect to a SQL Server with JDBC (from Linux, so no SSPI available). It normally works through Kerberos without problems. The connection string looks like:

    jdbc:sqlserver://<fqdn>\<instance>:<port>;databaseName=<dbname>;authenticationScheme=JavaKerberos;integratedSecurity=true

    As soon as the server admins activate the extended protection, I am getting the error:

    Msg 18452, Level 14, State 1, Login failed. The login is from an untrusted domain and cannot be used with Windows authentication

    The server log says 

    2015-05-15 09:13:12.98 Logon       SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel. The service might be under attack, or the data provider or client operating system might need to be upgraded to support Extended Protection. Closing the connection. Client's supplied SSPI channel bindings were incorrect. 

    2015-05-15 09:13:12.98 Logon       Error: 18452, Severity: 14, State: 1.

    2015-05-15 09:13:12.98 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. 

    What can I do?

    Friday, May 15, 2015 8:13 AM

Answers

  • SQL Server supports Extended Protection beginning with SQL Server 2008 R2. Extended Protection for Authentication is a feature of the network components implemented by the operating system. Extended Protection is supported in Windows 7 and Windows Server 2008 R2. Extended Protection is included in service packs for older Microsoft operating systems. SQL Server is more secure when connections are made using Extended Protection.

    Refer to:

    https://technet.microsoft.com/en-us/library/ff487261.aspx?f=255&MSPPError=-2147217396

    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/bfb86d3d-d3fb-4e18-8e45-8f6ccd31a486/channel-binding-error-when-epa-is-required-and-connection-is-encrypted?forum=sqlsecurity

    • Marked as answer by Charlie Liao Tuesday, May 26, 2015 7:01 AM
    Friday, May 15, 2015 10:08 AM
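The client only sees the generic error 18452; the server log quoted in the question shows that the real cause sits in the SSPI line logged just before it. The following triage script is an added example, not part of the original thread: it pairs each 18452 with the SSPI failure logged at the same timestamp, which is an assumed heuristic that can mis-pair on a busy server. The sample log is constructed in the layout of the question's lines, and `classify_18452` is a hypothetical helper name.

```python
import re

# Constructed sample: the first entry follows the lines quoted in the question;
# the 09:20 and 09:31 entries are invented for contrast.
SAMPLE_LOG = """\
2015-05-15 09:13:12.98 Logon       SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel.
2015-05-15 09:13:12.98 Logon       Error: 18452, Severity: 14, State: 1.
2015-05-15 09:13:12.98 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
2015-05-15 09:20:41.10 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed.
2015-05-15 09:20:41.10 Logon       Error: 18452, Severity: 14, State: 1.
2015-05-15 09:31:05.47 Logon       Error: 18452, Severity: 14, State: 1.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
SSPI = re.compile(r"SSPI handshake failed with error code (0x[0-9a-fA-F]{8}), state (\d+)")
ERR = re.compile(r"Error: (\d+), Severity: (\d+), State: (\d+)")
BAD_BINDINGS = "0x80090346"  # code from the question's log (SEC_E_BAD_BINDINGS)


def classify_18452(log_text):
    """Return [(timestamp, cause)] for every Error 18452 in the log text."""
    pending = {}  # timestamp -> SSPI error code awaiting its 18452 line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation or unrelated line
        ts, msg = m["ts"], m["msg"]
        sspi = SSPI.search(msg)
        if sspi:
            pending[ts] = sspi.group(1).lower()
            continue
        err = ERR.search(msg)
        if err and err.group(1) == "18452":
            code = pending.pop(ts, None)
            if code == BAD_BINDINGS:
                cause = "channel-binding mismatch (Extended Protection)"
            elif code:
                cause = f"other SSPI failure {code}"
            else:
                cause = "no SSPI line at this timestamp"
            results.append((ts, cause))
    return results


if __name__ == "__main__":
    for ts, cause in classify_18452(SAMPLE_LOG):
        print(ts, cause)
```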