05/24/2024 01:19 PM - last edited on 05/24/2024 01:50 PM by Dave
Hi Saviynt Product Team
We have an MS SQL target DB and have set up the Saviynt OOTB DB connector. When we try to connect to the DB with AD service accounts, the connectivity fails.
We followed this link, which has the steps to configure Saviynt to use an AD-based service account that uses Kerberos, which is our case. – Section Connecting Active Directory Domain Accounts with MS SQL Database using Kerberos
https://docs.saviyntcloud.com/bundle/Database-v23x/page/Content/Appendix.htm#top
Attached the krb5.txt and krb5.keytab files in the below incident:
[#2028860] DB Connector - Login failed for user svc_xxxxx : Saviynt Inc
We need the Saviynt server team's assistance to complete the next steps at the server end.
But the agent working on the incident has requested that we create a forum post, so that the product team can assist us with the next steps.
Awaiting your team to work on and finish this setup; then we can complete the connector setup.
Thanks,
Sangita Ladi
Update:
We have tested both the below URLs as requested by the support agent and they did not work. We have the corresponding logs in case you need them.
[This post has been edited by a Moderator to merge two posts.]
05/24/2024 02:05 PM
Hello @sangitaladi
I am one of the moderators on the Saviynt Community Forums (forums.saviynt.com) and I noticed a few things about your post that I wanted to clarify.
First, you addressed your forum post to "Hi Saviynt Product Team" -- Close to 99% of the questions asked on the Saviynt Community Forums are answered by Saviynt users just like you.
The Saviynt Community Forums is a place where Saviynt partners, customers, and employees can brainstorm together and help solve difficult how-to questions.
That is probably why the support agent referred you to the forums, if you are asking a "how-to" question.
If there is any setup or configuration that Saviynt needs to do on the backend, that all needs to happen on the ticket, not here.
More information on requesting a service can be found here:
https://forums.saviynt.com/t5/announcements/introducing-our-new-quot-request-a-service-quot-feature-...
I hope that will help clarify things. And if your question is a "how-to" question, I am sure one of our forum users will jump in to share their expertise.
Best regards,
Dave
05/24/2024 02:55 PM
There is no dependency on Saviynt support for this issue in EIC. You need to upload the files in File Directory - Connector Files and restart the services.
05/27/2024 09:22 AM - last edited on 05/27/2024 10:04 AM by Sunil
Hi
As per the DB connector guide, there are several files that are required to be configured on the Saviynt side. Here are the files:
keytab file, krb5.conf, SQLJDBCDriver.conf; update the JDBC driver to mssql-jdbc-7.0.0.jre10.jar
Here is the link for the steps:
https://docs.saviyntcloud.com/bundle/Database-v23x/page/Content/Appendix.htm#top
If you go through the steps in the above link, can you confirm whether we can perform these steps using the Saviynt UI and don't need any help from the product team?
We have a ticket opened for this and the response we got on the ticket is this:
[This message has been edited by moderator to mask sensitive info]
05/27/2024 09:25 AM
As mentioned, the files need to be uploaded in Connector Files.
Avoid adding the agent's name on public forums.
05/27/2024 09:51 AM
Hi
We will try uploading the necessary files in the connector folder, but who will perform the following steps for us? We don't have access to the Saviynt servers:
05/27/2024 10:05 AM
As mentioned, this is not needed in EIC; it's preconfigured in EIC.
05/27/2024 10:32 AM
We are at v23.1 and may go to v24.4. I don't think this is EIC.
05/27/2024 10:33 AM
Anything beyond v2021 is EIC
05/27/2024 10:36 AM
So I am assuming v23.x or v24.x is beyond v2021 and we don't have to perform the JDBC driver jar and the Catalina startup.sh file steps.
And I assume we will need a restart once we upload the files.
We will go ahead and test the steps and document it and provide the steps here, if it works.
05/27/2024 12:32 PM
Yes, we have done the same and it works.
05/28/2024 09:40 AM
Hi Rushikesh
I see we have the following 3 files for this setup to be configured:
krb5.keytab
krb5.conf
SQLJDBCDriver.conf
Do you want us to upload all the three files under the connector folder through Saviynt File Directory UI?
In the SQLJDBCDriver.conf file, we need to specify the path of krb5.keytab. Now this krb5.keytab file is uploaded under the connector folder, so what would be its path that I can update in the SQLJDBCDriver.conf file?
Tks
Sunil
05/28/2024 10:12 AM - edited 05/28/2024 10:13 AM
05/28/2024 10:22 AM - last edited on 05/28/2024 01:12 PM by Dave
Hi,
I uploaded all 3 files under the Connector Files folder:
Also, the file contents for SQLJDBCDriver.conf are this:
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false useKeyTab=true doNotPrompt=false keyTab="/saviynt_shared/saviynt/ConnectorFiles/krb5.keytab" principal="svc_SaviyntADReader@domain.com";
};
Updated the JDBC URL and tried the test connection, and it failed with this error from the debug log:
"2024-05-28T17:05:01.868+00:00","ecm","provisoning.DBProvisioningService","http-nio-8080-exec-9-7sb6w","ERROR","Creating connection failed: "
"2024-05-28T17:05:02.178+00:00","ecm","","null-7sb6w","","com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:35f99f02-deef-4bbc-8156-aadef021d372 at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:140) at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268) at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234) at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41) at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220) at
Any thoughts on what else is not setup properly?
[This post has been edited by a Moderator to remove sensitive information.]
05/28/2024 10:23 AM
Ask saviynt support to restart from backend
05/28/2024 12:50 PM - last edited on 05/28/2024 01:11 PM by Dave
After the Saviynt agent restarted our Saviynt from the backend, we are still getting the same error.
Error While Test connection: Integrated authentication failed. ClientConnectionId:84cbf738-4cb0-4eaa-9356-5af730c25647
I tried different formats of the username but still get the same error:
svc_SaviyntADReader
svc_SaviyntADReader@domain.com
The full DN value of svc_SaviyntADReader
Anything else we can try?
[This post has been edited by a Moderator to remove sensitive information.]
05/28/2024 12:57 PM - edited 05/28/2024 01:15 PM
Username should be:
domain/username
url - jdbc:sqlserver://MUNTSD-S-71084.rushicom\\INS01;databaseName=Ryshu_TEST;authenticationScheme=JavaKerberos;integratedSecurity=true;userName=${USERNAME};password=${PASSWORD}
05/28/2024 12:59 PM
Did they restart the connector services?
05/28/2024 01:56 PM - last edited on 05/28/2024 04:05 PM by Dave
Yes, the Saviynt support team did restart the application. Here are the comments from the team on my ticket:
Also, I tried with the service account in the format EXACTSCIENCES/svc_SaviyntADReader but I got the same error:
Error While Test connection: Integrated authentication failed. ClientConnectionId:5b7c0ebb-8dfd-455c-8718-bea1aa26e839
Here is the screenshot of the connection form for the DB connector
[This post has been edited by a Moderator to remove sensitive information.]
05/28/2024 02:56 PM
‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️
05/28/2024 01:59 PM
I have asked them to restart the connector services too. Waiting for their response...
05/28/2024 03:37 PM
Connector services were restarted. But same error after that too.
05/28/2024 03:44 PM
Share all config files
05/28/2024 03:48 PM - last edited on 05/29/2024 08:26 AM by Sunil
05/28/2024 04:05 PM
Your conf file domain is not matching:
[libdefaults]
default_realm = CAPITAL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.small.com = CAPITAL.COM
[realms]
CAPITAL.COM = {
kdc = use1-dc-ps1.es.local
default_domain = es.com
}
Please keep the exact case, capital or small.
Config file changes need a restart.
05/28/2024 04:16 PM
Thanks, I will make the change and have the application and connector services restarted and test it again.
05/28/2024 04:45 PM - last edited on 05/28/2024 11:15 PM by Sunil
After making the change in the krb5.conf file to lower case and restarting the Saviynt and connector services, the test connection is still failing.
Attached (extension .txt added to the attachment) is the updated file for your reference.
[This message has been edited by moderator to mask sensitive information from an attached file]
05/28/2024 07:51 PM - edited 05/28/2024 07:53 PM
Your configuration still does not have the correct capital and small case, and the domain ends with .local, which should be .com:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = use1-dc-ps1.domain.local
default_domain = domain.com
}
Change the domain keyword to the actual client name.
05/29/2024 05:17 PM - last edited on 05/29/2024 10:35 PM by Sunil
We made this change and we got the error "unable to locate KDC for realm domain.com".
Here is the debug log error:
So it looks like the below value is there for a reason:
[libdefaults]
default_realm = DOMAIN.LOCAL
[This message has been edited by moderator to mask sensitive info]
05/29/2024 07:08 PM
Your keytab does not match the domain; it should be:
default_realm = ES.COM
05/29/2024 09:54 PM
Yes, we will have a troubleshooting session with the respective teams to fix this. Will update in case we see any issue further.
Regards
Sangita Ladi
06/04/2024 06:11 AM
Please confirm if this is resolved
06/04/2024 06:15 AM
It's not resolved yet. We will update.
06/04/2024 08:35 AM
Hi Rishi
Updated the below in the krb5.conf file:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = use1-dc-ps1.domain.local
default_domain = domain.com
}
But the authentication still fails. Below is the debug log error:
06/04/2024 08:40 AM
The error message says: Unable to locate KDC for realm domain.com.
06/04/2024 01:05 PM
Your realm in the config and the krb5 file does not match.
06/04/2024 01:41 PM
We tried the below two krb5.conf config files and it did not work.
Sample 1:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.local
default_domain = domain.com
}
Sample 2:
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.LOCAL
[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.local
default_domain = domain.com
}
Can you tell us exactly what this krb5.conf file should contain based on the keytab file we have? We have been going in circles on this one.
06/04/2024 03:45 PM
Check the krb5.conf (Linux/Unix) configuration file.
Ensure the [realms] section has the correct KDC information for the specified realm.
Example configuration:
[realms]
DOMAIN.COM = {
kdc = kdc1.domain.com
kdc = kdc2.domain.com
admin_server = kdc1.domain.com
}
06/05/2024 07:48 AM
Hi Rishi
As per your recommendation, here is the updated krb5.conf file. We are getting the same error 'Unable to locate KDC for realm domain.com':
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.com
default_domain = domain.com
}
06/05/2024 08:33 PM
Did you validate the keytab file content? The command is provided in the previous reply.
06/06/2024 08:02 AM - last edited on 06/06/2024 01:08 PM by Dave
Here is the output of the Ktab command:
[This post has been edited by a Moderator to remove sensitive information.]
06/06/2024 12:39 PM - edited 06/06/2024 12:40 PM
This principal, the connection username and the conf file principal should match.
‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️
06/07/2024 01:48 AM
Yes, it matches.
06/07/2024 01:10 PM
Hi Rishi
This principal, the connection username and the conf file principal are matching, and still the test connection is failing.
Here is the conf file:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.domain.com = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.com
default_domain = domain.com
}
Here is the DB Connection form on Saviynt:
And here is the keytab file contents:
See if you find anything wrong here. The error on the test connection is:
Error While Test connection: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99
The error in the debug log is:
"2024-06-07T20:04:15.535+00:00","ecm","provisoning.DBProvisioningService","http-nio-8080-exec-7-pvqhn","ERROR","Creating connection failed: "
"2024-06-07T20:04:16.216+00:00","ecm","","null-pvqhn","","com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99 at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:140) at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268) at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234) at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41) at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220) at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696) at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1326) at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827) at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012) at java.sql.DriverManager.getConnection(DriverManager.java:664) at java.sql.DriverManager.getConnection(DriverManager.java:208) at com.saviynt.provisoning.DBProvisioningService.getConnection(DBProvisioningService.groovy:198) at com.saviynt.ImportExternalDbService.connectToDB(ImportExternalDbService.groovy:649) at com.saviynt.ImportExternalDbService.testDBConnection(ImportExternalDbService.groovy:667) at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:926) at 
com.saviynt.ecm.utility.domain.EcmConfigController$_closure21.doCall(EcmConfigController.groovy:769) at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53) at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:155) at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62) at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59) at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69) at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82) at java.lang.Thread.run(Thread.java:750)Caused by: javax.security.auth.login.LoginException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:133) ... 25 moreCaused by: KrbException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782) ... 33 moreCaused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm exactsciences.com ... 34 more"
"2024-06-07T20:04:15.538+00:00","ecm","generic.GenericValidationService","http-nio-8080-exec-7-pvqhn","DEBUG","Inside validateCommonErrorResponse"
"2024-06-07T20:04:15.538+00:00","ecm","saviynt.ImportExternalDbService","http-nio-8080-exec-7-pvqhn","ERROR","Error while saving the Connection: Target Error Message: [com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99"
"2024-06-07T20:04:16.216+00:00","ecm","","null-pvqhn",""," ]"
"2024-06-07T20:04:15.538+00:00","ecm","domain.EcmConfigController","http-nio-8080-exec-7-pvqhn","ERROR","Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99"
06/08/2024 08:57 AM
It does not seem the application restarted properly and the updated files were taken.
06/10/2024 08:07 AM
If you see the above stack trace, I see the error --> Cannot locate KDC
Are you saying since the application was not restarted properly, we might be getting this cannot locate KDC error?
06/10/2024 10:07 AM
If you update any configuration, a restart is a must. Make sure there are no leading/trailing spaces in the configs.
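The thread keeps circling the same three artifacts (keytab, krb5.conf, and the principal in the JAAS config/JDBC username) without ever comparing them side by side. Below is an added example of such a comparison, written for this page; it is not Saviynt's code and nothing from the thread. It parses an MIT-format (0x0502) keytab the way `klist -kt` / `ktab -l -k` would, parses krb5.conf, and reports the mismatches that surface as "Integrated authentication failed" / "Cannot locate KDC": realm case, default_realm vs. keytab realm, the [domain_realm] mapping, a missing kdc line, and trailing whitespace. All names (svc_reader, EXAMPLE.COM, dc1.example.local) and the keytab bytes are constructed for the example.

```python
"""Offline consistency check for keytab, krb5.conf and the JAAS principal (added example)."""
import struct

def _cstr(buf: bytes, p: int) -> tuple[str, int]:
    """Read one keytab counted_octet_string (uint16 length + bytes) at offset p."""
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data: bytes) -> list[str]:
    """Return the principals (name@REALM) stored in an MIT-format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    principals, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        entry = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, p = _cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _cstr(entry, p)
            comps.append(comp)
        principals.append("/".join(comps) + "@" + realm)
        pos += size
    return principals

def build_keytab_entry(principal: str) -> bytes:
    """Constructed fixture: one entry with an all-zero aes256 (enctype 18) key. Not a real key."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, 2)            # NT_PRINCIPAL, timestamp, kvno
    body += struct.pack(">HH", 18, 32) + bytes(32)  # enctype, key length, key
    return struct.pack(">i", len(body)) + body

def parse_krb5_conf(text: str) -> tuple[dict, list[str]]:
    """Minimal krb5.conf parser: [sections], key = value, REALM = { ... } blocks.
    Also flags trailing whitespace, since the thread warns about stray spaces."""
    conf, warnings, section, realm = {}, [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            warnings.append(f"line {lineno}: trailing whitespace")
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[":
            section, realm = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, _, val = (x.strip() for x in line.partition("="))
            if val == "{":
                realm = key
                conf[section][realm] = {}
            elif realm:
                conf[section][realm].setdefault(key, []).append(val)
            else:
                conf[section][key] = val
    return conf, warnings

def check_setup(keytab: bytes, krb5_conf: str, jaas_principal: str) -> list[str]:
    """Return every mismatch; realm names are case-sensitive (es.com != ES.COM)."""
    conf, problems = parse_krb5_conf(krb5_conf)
    principals = parse_keytab(keytab)
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if jaas_principal not in principals:
        problems.append(f"JAAS principal {jaas_principal!r} not in keytab {principals}")
    for kt_realm in {p.rsplit("@", 1)[1] for p in principals}:
        if default_realm != kt_realm:
            problems.append(f"default_realm {default_realm!r} != keytab realm {kt_realm!r}")
        if not conf.get("realms", {}).get(kt_realm, {}).get("kdc"):
            problems.append(f"no [realms] kdc for {kt_realm!r}: Java must find it via DNS SRV")
        for dom, mapped in conf.get("domain_realm", {}).items():
            if mapped != kt_realm:
                problems.append(f"[domain_realm] {dom} -> {mapped!r}, keytab uses {kt_realm!r}")
    return problems

# Constructed sample data (no real hosts or keys).
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry("svc_reader@EXAMPLE.COM")
GOOD_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
[domain_realm]
.example.com = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
    kdc = dc1.example.local
}
"""
# Same failing shape as in the thread: .LOCAL in libdefaults/domain_realm, .COM in the keytab.
BAD_CONF = GOOD_CONF.replace("= EXAMPLE.COM\n", "= EXAMPLE.LOCAL \n", 1).replace(
    ".example.com = EXAMPLE.COM", ".example.com = EXAMPLE.LOCAL")

if __name__ == "__main__":
    print(check_setup(SAMPLE_KEYTAB, BAD_CONF, "svc_reader@EXAMPLE.COM") or "OK")
```

Point it at the real files with `parse_keytab(open("krb5.keytab", "rb").read())` and the principal string from SQLJDBCDriver.conf; the keytab realm is the authority, because the KDC issued the key under that name, so krb5.conf and the JAAS principal have to be changed to match it, not the other way round, and the application still needs its restart afterwards.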