MSSQL Server access fails to authenticate using kerberos after 4.3 upgrade

tomtomnz · April 3, 2018, 5:04am

After updating to 4.3.0, we no longer seem able to login to our MSSQL databases. They are hosted on a Win10 machine joined to an AD (originally taken over by UCS).

The Event Viewer log on the MSSQL server show the following error messages:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 192.168.11.99]

SSPI handshake failed with error code 0x80090308, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The token supplied to the function is invalid [CLIENT: 192.168.11.99]

We’ve tried dropping and rejoining the domain, but still have the same errors. General domain logins appear fine on all machine (including the MSSQL server), just not the MSSQL authentication.

How do I troubleshoot this?

Moritz_Bunkus · April 4, 2018, 11:31am

Hey,

other users seem to have the same or a similar issue (thread is in German):

So far we haven’t been able to pin it down, nor do we have a workaround at this point.

Kind regards,
mosu

tomtomnz · April 4, 2018, 9:20pm

I’ve been following that thread as well.

Thanks for the update mosu - appreciated.

requate · April 11, 2018, 10:58am

We are currently checking the issue and will report our results.

requate · April 11, 2018, 4:50pm

Ok, it looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. In our lab we found that similar issues with other services (RDP and share access) could be fixed by the following adjustment, so we would suggest to check if this also fixes the issues reported in this thread.

ucr set \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"

ucr unset \
     security/packetfilter/package/univention-samba4/tcp/49152/all \
     security/packetfilter/package/univention-samba4/tcp/49152/all/en

service univention-firewall restart

Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.

tomtomnz · April 11, 2018, 9:46pm

Many thanks team - perfect solution! Great work