Tedious: Windows Authentication issue to SQL 2014

Created on 13 Feb 2015  路  28Comments  路  Source: tediousjs/tedious

New to tedious and just trying to sort this out of getting a windows auth connection to SQL Server 2014-

Tedious package version: 1.9.0
node version 12

// config setup
var config = {
userName: "User",
password: "MyPass",
server: "MyServer",
domain: "MyDomian",
options: {
database: "myDb"
},
debug: {
packet: true,
data: true,
payload: true,
token: true,
log: true
}
};

I have verified that I am able to connect to my 1433 port, and for testing this is a SQL server running locally.

Stack Trace:
D:\Development\Node\node-sql\index.js:25
throw err;
^
ConnectionError: Login failed.
The login is from an untrusted domain and cannot be used with
Windows authentication.
at Parser.
(D:\Development\Node\node-sql\node_modules\tedious\lib\connection.js:447:37)
at Parser.emit (events.js:107:17)
at Parser.nextToken
(D:\Development\Node\node-sql\node_modules\tedious\lib\token\token-stream-parser.js:91:18)
at Parser.addBuffer
(D:\Development\Node\node-sql\node_modules\tedious\lib\token\token-stream-parser.js:68:17)
at Connection.sendDataToTokenStreamParser
(D:\Development\Node\node-sql\node_modules\tedious\lib\connection.js:879:35)
at Connection.STATE.SENT_NTLM_RESPONSE.events.data
(D:\Development\Node\node-sql\node_modules\tedious\lib\connection.js:226:23)
at Connection.dispatchEvent
(D:\Development\Node\node-sql\node_modules\tedious\lib\connection.js:742:59)
at MessageIO.
(D:\Development\Node\node-sql\node_modules\tedious\lib\connection.js:670:22)
at MessageIO.emit (events.js:107:17)
at MessageIO.eventData
(D:\Development\Node\node-sql\node_modules\tedious\lib\message-io.js:56:12)

Any push in the right direction appreciated.

feature-request

Most helpful comment

@arthurschreiber @arobson OMG it finally works!!! Thank you guys so much for your timely supports!!! So here is my final configuration:

var config = {
    "userName": "user.name",
    "password": "password",
    "server": "servername",
    "domain": "DOMAIN_NAME_CAPITALIZED_AND_NOT_FQDM",
    "options": {
        "encrypt": false
    }
};

I'm using SQL Server 2008 R2 on a Virtual Machine. The script is on the same server that hosts the database.

It would be great if you can add this to a documentation somewhere

All 28 comments

As far as I can tell, the fixes that I PR'd haven't made it into a release yet. The error message you are seeing lines up with what we got trying to connect to our SQL servers on an AD with certain security restrictions in place. My first pass at adding NTLM support didn't account for this but the newly merged behavior should. Have you tried NPM installing this lib from the master branch?

So I pulled in the latest from the master branch, and compiled it locally since npm actually left out the lib folder - but still no joy. Compiled this with coffee 1.9 which did compile a little differently then coffee 1.7 which is what is on npm.

I will continue this in a bit - any other ideas?

I was able to get this working with SQL Auth on Azure, but still unable to get this working with windows Auth, - I tried with the current source that has changes not in the npm, but that was still not working but it could be because of my lack of experience with building coffee scripts -

using coffee version 1.9 - ran the following against the source.
coffee --copile --output lib src and then put the compiled libs in place in the node_modules/tedious but still no go -

Can you try the 1.10.0 release?

I am experiencing the same issue with the latest version of tedious. I have provided the name of the workstation, but still get the same "The login is from an untrusted domain and cannot be used with Windows authentication."

Is there something I am missing regarding domain setup that will allow me to authenticate a Windows domain user from a computer not part of the domain? I am trying to authenticate a domain user from an Ubuntu 14.04 instance to SQL Server 2014 on Windows 2012 R2 Server.

@arobson In another comment you said that you were experiencing this same issue and after your PR was merged you were able to authenticate successfully in production. Was there something you had to do outside of tedious?

Are you still encountering this issue with the latest tedious releases?

@arthurschreiber I just tried and I am still experiencing the "The login is from an untrusted domain and cannot be used with Windows authentication." error message.

It seemed that @arobson had a solution, but I can't find it anywhere.

Any help on what options I should be using to connect to our SQL 2014 instance with domain credentials would be greatly appreciated.

Having this issue as well. I am able to login with a SQL user, but not with Windows authorization, unfortunately my db team will not allow a permanent SQL user so it needs to use Windows auth. These are my config options:

var config = {
server: 'SERVERNAME',
userName: user',
password: 'password',
domain: 'FQDN.DOMAIN.COM'
,options: {
debug: {
packet: true,
data: true,
payload: true,
token: false,
log: true
},
database: 'DB_NAME'
}
};

This is the error I am getting:

{ [ConnectionError: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.]
name: 'ConnectionError',
message: 'Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.',
code: 'ELOGIN' }
{ [RequestError: Requests can only be made in the LoggedIn state, not the SentNTLMResponse state]
name: 'RequestError',
message: 'Requests can only be made in the LoggedIn state, not the SentNTLMResponse state',
code: 'EINVALIDSTATE' }
{ [ConnectionError: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.]
name: 'ConnectionError',
message: 'Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.',
code: 'ELOGIN' }
{ [RequestError: Requests can only be made in the LoggedIn state, not the SentNTLMResponse state]
name: 'RequestError',
message: 'Requests can only be made in the LoggedIn state, not the SentNTLMResponse state',
code: 'EINVALIDSTATE' }

Is there an issue with my config?

No, I don't think it's an issue with your config. I'll need to get SQL Server 2014 installed on my machine and see what is causing this. Maybe something changed in the authentication scheme and we don't support that yet.

I'll see what I can do.

@jgornick @stefanTHD - here are a few quirks I've noticed in our environments. NTLM has been working for us from Linux boxes outside the AD against 2012 and 2014 even with very strict policies in place that prevent less secure NTLM features.

1 - Don't use the FQDN in the domain property. If it's "company.com", use "COMPANY"
2 - Capitalization seems to matter as well. We've had success with all-cap domain names
3 - _Don't_ use a qualified user name (i.e. "[email protected]") just "user.name"

FYI

NTLM documentation is old and not provided by Microsoft. I had to do a lot of poking around for certain binary flags because the doc I found didn't explain what some of them were for. My first PR only worked for NTLM against SQL Server on workstations for us because our AD had a policy that disabled some of the NTLM features.

Next Steps

If the 3 tips above don't work, it would be tremendously helpful if you could find the failed log in entries via Even Viewer / SQL Logs. The "untrusted domain" is actually a generic error that MSFT provides to make it harder for an attacker to know why their request was rejected. You can even google for that error and find other OSS libs trying to support NTLM complaining that that error is misleading.

I'd like to help you resolve this, Tedious is great and @arthurschreiber's recent contributions have made it even better.

NTLM authentication is described in the MS-NLMP documentation from Microsoft. I'll see if I can find some time to read through it and compare it with what's implemented so far in tedious.

@arthurschreiber @arobson OMG it finally works!!! Thank you guys so much for your timely supports!!! So here is my final configuration:

var config = {
    "userName": "user.name",
    "password": "password",
    "server": "servername",
    "domain": "DOMAIN_NAME_CAPITALIZED_AND_NOT_FQDM",
    "options": {
        "encrypt": false
    }
};

I'm using SQL Server 2008 R2 on a Virtual Machine. The script is on the same server that hosts the database.

It would be great if you can add this to a documentation somewhere

Cool! The fact that NTLM auth does not work with encryption is a bug in the code, and I'll provide a fix soon (If I can find some time for that).

Indeed, capitalizing the domain does solve the issue!

https://github.com/pekim/tedious/pull/367 Is a fix for the NTLM auth not working with encryption.

Is this discussion referring to using Windows Authentication from Linux? For example RedHat?

@pisees Yes, I am connecting from Fedora 22 to SQL server using Windows Auth with encryption with the fix.

I had the exact same issue with @NamTThai , and it is working now after I read this and changed the domain as described. (All Cap and only the first part of the domain, omit the part after the dot)

I'm with Microsoft and looking to help out with some contributions to tedious.
Anything still outstanding with this issue or is it all resolved?

@tvrprasad I think there is a work around, I am not sure we all understand why the workaround works. :)

@benzou Is the work-around the one described by @arobson in this thread on 8/15?
What's blocking this issue from being closed? May be I can help close this... somehow :)

@tvrprasad I think we need better documentation around this.

We have our documentation stored in the gh-pages branch of this repo, but as it is maintained outside of the code base, it gets outdated quite easily and maintenance is a drag. 馃槥

@tvrprasad - the issues that have been reported to tedious and to our repo seriate since I added NTLM support, have consistently been due to the domain being spec'd lowercase and/or as FQDN. One solution for this might be following up with a PR that:

  1. converts the domain to uppercase (I should have just done that to begin with)
  2. splits the domain on . and only uses the first segment

I'm certainly not an NTLM expert but we're fans of MSSQL and Node and really needed this so I dove into NTLM documentation and other implementations to get this in place with some help from our operations team to test against a number of SQL Server versions so we could be relatively confident about the implementation. Any analysis and improvements you can provide over what's there would be awesome. There's no telling what I may have missed since the documentation I followed was from 2007 馃槃

Let me know if there are specific questions I can answer about the NTLM bit.

@arobson - FDQN seems to work for me, still only upper case though. I created a separate issue to convert to upper case for easy tracking - https://github.com/tediousjs/tedious/issues/414. I'll put together a PR for that. I'll try to learn why lower case doesn't work.

@arthurschreiber - I'll try to help out with getting documentation up to date once I'm able to get at least one PR through on this topic so I have a better understanding. If there are other areas where documentation is lacking, let me know. I'll try to help out.

I opened a couple of other issues related to authentication. I'd appreciate thoughts on those.
https://github.com/tediousjs/tedious/issues/415
https://github.com/tediousjs/tedious/issues/416

Folks - I have a PR out for implementation of Windows Integrated Authentication - https://github.com/tediousjs/tedious/pull/497. This does not require username or password and uses the login credentials of the user.

If you're able to try it and give feedback, I'll very much appreciate it. I'm looking forward to working with the community to land the feature.

hello if anyone can help me I have tried to connect in MS SQL Server database 12 used mssql node 4.1, I already tried a lot of thing, but does not connect

my connection has it conformed below:

x

I try:

const stringConnect = 'Server = ADMIN-CCE \ admin: 1433; Database = GRD; User id = admin-cce \ admin; '
DATABASE.connect (stringConnect)
.then (conn => {
global.conn = conn;
console.log ('connected to the GRD');
})
聽聽聽聽.catch (err => console.error (connection error mssql $ {stringConnect} - $ {err}));

module.exports = DATABASE;

* RETURN ERROR **
mssql connection error Server = ADMIN-CCE \ admin: 1433; Database = GRD; User id = admin-cce \ admin; - ConnectionError: Port for admin: 1433 not found in ADMIN-CCE

already tried other ways, also without success! Look:

var config = {
server: "ADMIN-CCE \ MSSQLSERVER",
聽聽聽聽database: "GRD",
聽聽聽聽port: 1433,
聽聽聽聽user: 'admin-cce \ admin',
聽聽聽聽聽聽聽聽debug: true,
聽聽聽聽聽聽聽聽options: {
聽聽聽聽聽聽聽聽encrypt: false,
聽聽聽聽聽聽聽聽trustedConnection: true
聽聽聽聽聽聽聽聽}
};

DATABASE.connect (config, function (err) {
聽聽聽聽if (err)
聽聽聽聽{
聽聽聽聽聽聽聽聽console.log (err)
聽聽聽聽}
聽聽聽聽else
聽聽聽聽聽聽聽聽console.log ('connected .....')
});

module.exports = DATABASE;

* RETURNS ERROR *
message:
聽聽聽聽聽聽'Failed to connect to ADMIN-CCE: undefined - Could not connect (sequence)',
聽聽聽聽聽code: 'ESOCKET'},
聽聽name: 'ConnectionError'}

Hey @allexon, tedious doesn't support Windows Integrated Authentication yet, details are in https://github.com/tediousjs/tedious/issues/660.

does tedious support SQL server windows authentication yet?

Was this page helpful?
0 / 5 - 0 ratings