Runtime: Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.

Created on 13 Jul 2017  ·  19 Comments  ·  Source: dotnet/runtime

Hello, I have mssql-server installed on Debian 8. I'm using 2.0.0-preview2-final packages.
When it's trying to connect to local mssql server, I'm getting the following error:

Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[0]
      An unhandled exception has occurred: Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.
      ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - An invalid status code was supplied (SPNEGO cannot find mechanisms to negotiate).
         at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
         at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
         at System.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
         at System.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
         at System.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)
System.Data.SqlClient.SqlException (0x80131904): Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - An invalid status code was supplied (SPNEGO cannot find mechanisms to negotiate).
   at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
   at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
   at System.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
   at System.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
   at System.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()

I successfully connected to the mssql server remotely using the same net core app from Windows. But I can't connect to the server when it's running locally on Linux.

The question: what's going wrong? Why do I need to install and set up a Kerberos client (as far as I understand)? What do I need to do?

area-System.Data.SqlClient

All 19 comments

@Unvilon When SQL Server is installed locally on Windows, and you are trying to access it with Integrated Authentication, NTLM will be used as the negotiation protocol, and you do not need to set up anything for it since NTLM will be handled by Windows automatically. There is nothing like NTLM in Linux though. When you access a local SQL Server on Linux with Integrated Authentication, the Kerberos protocol will be used as the negotiation protocol, which requires you to have a Kerberos ticket before making a connection to the SQL Server even though it resides locally. Remember SQL Server is a server, and you need to provide your credentials to access it no matter where you are accessing it from. The same location does not mean you can access it without authentication. You have to provide a username/password or a Kerberos ticket for user verification regardless of your location if it is Linux.

@geleems I know it, but I have provided a username/password to connect to SQL Server locally and it still requires a Kerberos ticket.
Also, I didn't access SQL Server installed locally on Windows. I accessed SQL Server installed on Linux remotely.

Is there a way to connect to the server locally without Kerberos installed?

@Unvilon So, you did NOT turn on the Integrated Authentication (integrated security=false;), and provided username and password in your connection string (User ID=????;Password=????;), but you are getting error complaining about missing Kerberos ticket when you access local Linux SQL Server?
Is that the problem you are experiencing?

@geleems Exactly!
I also tried to play with other parameters - the same result.

@Unvilon Can you provide information about your Linux environment and NET Core version for reproducing the issue? Which Linux version are you using? And which NET Core version is being used?

@geleems

Distributor ID: Debian
Description: Debian GNU/Linux 8.8 (jessie)
Release: 8.8
Codename: jessie

.NET Command Line Tools (2.0.0-preview2-006497)

Product Information:
Version: 2.0.0-preview2-006497
Commit SHA-1 hash: 06a2093335

Runtime Environment:
OS Name: debian
OS Version: 8
OS Platform: Linux
RID: debian.8-x64
Base Path: /opt/dotnet/sdk/2.0.0-preview2-006497/

Microsoft .NET Core Shared Framework Host

Version : 2.0.0-preview2-25407-01
Build : 40c565230930ead58a50719c0ec799df77bddee9

Microsoft SQL Server 2017 (CTP2.1) - 14.0.600.250 (X64)
May 10 2017 12:21:23
Copyright (C) 2017 Microsoft Corporation. All rights reserved.
Developer Edition (64-bit) on Linux (Debian GNU/Linux 8 (jessie))

@Unvilon
I tried to reproduce the issue you experienced, but I could not reproduce the issue, and all the connections I made were successful.
I tried multiple times, but could not find any issue about it.


My environment is:

  • Ubuntu 16.04 LTS
  • SQL Server 2017 CTP 2.1 installed in the Ubuntu
  • .NET Core 2.1 build 73cc12351901873e19b905283bc727c3b5f29fe6

My test code that was running in the Ubuntu is:

public static void TestMain()
{
    string connString = @"Server=tcp:.;User ID=testuser;Password=test1234;Connect Timeout=5;Integrated Security=false";
    SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connString);
    connString = builder.ConnectionString;

    using (var connection = new SqlConnection(connString))
    {
        connection.Open();
        Console.WriteLine("Connection opened successfully!");
        Console.WriteLine("connString: "+connString);
    }
}

And Console output is:

Connection opened successfully!
connString: Data Source=tcp:.;Integrated Security=False;User ID=testuser;Password=test1234;Connect Timeout=5

@geleems I'm not able to test it using the latest build (.NET Core 2.1) due to multiple issues I could not resolve. I will respond when it is more stable.

Or can we continue investigating this issue using 2.0.0-preview2-006497 ?

@Unvilon

I tested again with .NET Core 2.0.0-preview2-006497 in Ubuntu 16.04 LTS.
I could not reproduce the issue with 2.0.0-preview2-006497 as well.


Test Code:

using System;
using System.Data.SqlClient;

namespace hwapp
{
    class Program
    {
        static void Main(string[] args)
        {
            string connString = "Server=tcp:localhost;User ID=testuser;Password=test1234;Connect Timeout=5;Integrated Security=false";
            SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connString);
            connString = builder.ConnectionString;

            using (var connection = new SqlConnection(connString))
            {
                connection.Open();
                Console.WriteLine("Connection opened successfully!");
                Console.WriteLine("connString: "+connString);
            }
        }
    }
}

Console output:

$ dotnet run
Connection opened successfully!
connString: Data Source=tcp:localhost;Integrated Security=False;User ID=testuser;Password=test1234;Connect Timeout=5

@geleems

I've found out the reason for this problem.

I used both SqlClient and Entity Framework in my application.

The connection string for Entity Framework had one extra parameter that I forgot to remove - Trusted Connection=True; When it is used to connect to the local database, it causes the "Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'" exception.
For SqlClient the same parameter doesn't cause an exception.
Also, Entity Framework doesn't support the parameter 'Connect Timeout', which causes the "Invalid value for key 'connect timeout'." exception.

So, the problem is solved. Thank you!

@Unvilon
Removing Trusted Connection=True; fixed the Kerberos problem for me too :)
Thanks!

hi
my connection string is this.
"ConnectionStrings":{
"Default":"server=localhost;database=db;user id=sa;password=mmrrJJ@2222;"
}

but I get this error

Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - An unsupported mechanism was requested (unknown mech-code 0 for mech unknown).
   at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
   at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
   at System.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
   at System.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
   at System.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

please help.

@MansoorJafari How did you resolve the issue?

@geleems
my connection string is : Server= XX-XXXXXX\SHARED;Database=XXXX;Trusted_Connection=True;MultipleActiveResultSets=true" .

I am getting this error 👍

Cannot access Kerberos ticket. Ensure Kerberos has been initialized with 'kinit'.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - An invalid status code was supplied (SPNEGO cannot find mechanisms to negotiate).
at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed)
at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags)
at System.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[] serverName)
at System.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[] _sniSpnBuffer)
at System.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

@srini89 It clearly states above that removing Trusted_Connection=True resolves this issue.

if you have "Integrated Security=True;", remove it
My working connection string: "Data Source=tcp:.;User Id=;Password="

@Unvilon, removing trusted connection worked for me too. Also remember to add a user id and password, if you are using macOS at least, to connect.

Hi guys,

Trusted_Connection=False; solved it for me.

My connection string:

optionsBuilder.UseSqlServer(@"Server=localhost;Database=Sorte;Trusted_Connection=False;MultipleActiveResultSets=true;User ID=SA;Password=;"); // Mac

My SQL Server is a Docker Container

PS /Users/alexsandro.pimenta/projects> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
eb197be418cc mcr.microsoft.com/mssql/server:2019-latest "/opt/mssql/bin/perm…" About an hour ago Up About an hour 0.0.0.0:1433->1433/tcp MSSQL

I just did this to bring it up:

PS /Users/alexsandro.pimenta/projects>docker pull mcr.microsoft.com/mssql/server:2019-latest

PS /Users/alexsandro.pimenta/projects>sudo docker run --privileged -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=' -p 1433:1433 --name=MSSQL -d mcr.microsoft.com/mssql/server:2019-latest

I hope this helps you!

Alex Pimenta

I got the same issue, and it works simply by deleting Trusted_Connection=True; from the connection string
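
A pre-flight check for the misconfiguration this thread converges on, written as an added example (not code from any commenter or from the dotnet/runtime project). It assumes the System.Data.SqlClient package; the class name `ConnectionStringCheck`, the method `Audit`, and the sample strings are hypothetical.

```csharp
using System;
using System.Data.SqlClient;
using System.Runtime.InteropServices;

static class ConnectionStringCheck
{
    // Returns null when the string uses SQL authentication only, otherwise a
    // description of the problem. The password is never included in the result.
    public static string Audit(string connectionString)
    {
        // The builder normalizes synonyms: "Trusted_Connection" and
        // "Integrated Security" both map to IntegratedSecurity, and the
        // values "True", "Yes" and "SSPI" all parse as true.
        var b = new SqlConnectionStringBuilder(connectionString);
        bool hasSqlLogin = !string.IsNullOrEmpty(b.UserID);

        // A leftover Trusted_Connection=True silently wins over User ID/Password.
        if (b.IntegratedSecurity && hasSqlLogin)
            return $"'{b.DataSource}': integrated security is on, so User ID '{b.UserID}' " +
                   "and its password are ignored and SSPI/GSSAPI is used instead.";

        // Per the explanation in this thread, Linux needs a Kerberos ticket here.
        if (b.IntegratedSecurity && !RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return $"'{b.DataSource}': integrated security on a non-Windows host needs a " +
                   "Kerberos ticket (kinit) for the account running the process.";

        if (!b.IntegratedSecurity && !hasSqlLogin)
            return $"'{b.DataSource}': neither a User ID nor integrated security is set.";

        return null;
    }

    static void Main()
    {
        // Constructed sample strings; server, user and password are placeholders.
        string[] samples =
        {
            "Server=localhost;Database=db;User ID=appuser;Password=<placeholder>;Trusted_Connection=True;",
            "Server=localhost;Database=db;Integrated Security=SSPI;",
            "Server=localhost;Database=db;User ID=appuser;Password=<placeholder>;",
        };
        foreach (var s in samples)
            Console.WriteLine(Audit(s) ?? "ok: SQL authentication only");
    }
}
```

Running the check at startup against every configured connection string (SqlClient and Entity Framework alike) surfaces a stray integrated-security keyword before the first `Open()` call fails with the GSSAPI error.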
