
Saviynt server setup for DB connector to connect target with AD service account

sangitaladi
Regular Contributor II

Hi Saviynt Product Team

 

We have an MS SQL target DB and have set up the Saviynt OOTB DB connector. When we try to connect to the DB with AD service accounts, the connectivity fails.

We followed this link, which has the steps to configure Saviynt to use an AD-based service account that uses Kerberos, which is our case. Section: Connecting Active Directory Domain Accounts with MS SQL Database using Kerberos

https://docs.saviyntcloud.com/bundle/Database-v23x/page/Content/Appendix.htm#top

 

We attached the krb5.txt and krb5.keytab files to the incident below:

[#2028860] DB Connector - Login failed for user svc_xxxxx : Saviynt Inc

We need the Saviynt server team's assistance to complete the next steps at the server end.

But the agent working on the incident has requested that we create a forum post, so that the product team can assist us in performing the next steps.

We are waiting for your team to work on and finish this setup; then we can complete the connector setup.

 

Thanks,
Sangita Ladi

Update:

We have tested both of the URLs below, as requested by the support agent, and they did not work. We have the corresponding logs in case you need them.

[This post has been edited by a Moderator to merge two posts.]

46 REPLIES

Dave
Community Manager

Hello @sangitaladi 

I am one of the moderators on the Saviynt Community Forums (forums.saviynt.com) and I noticed a few things about your post that I wanted to clarify.

First, you addressed your forum post to "Hi Saviynt Product Team" -- Close to 99% of the questions asked on the Saviynt Community Forums are answered by Saviynt users just like you.

The Saviynt Community Forums is a place where Saviynt partners, customers, and employees can brainstorm together and help solve difficult how-to questions.

That is probably why the support agent referred you to the forums, if you are asking a "how-to" question.

If there is any setup or configuration that Saviynt needs to do on the backend, that all needs to happen on the ticket, not here.

More information on requesting a service can be found here:
https://forums.saviynt.com/t5/announcements/introducing-our-new-quot-request-a-service-quot-feature-...

I hope that will help clarify things. And if your question is a "how-to" question, I am sure one of our forum users will jump in to share their expertise. 

Best regards,
Dave

rushikeshvartak
All-Star

There is no dependency on Saviynt support for this issue in EIC. You need to upload the files to File Directory > Connector Files and restart the services.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

sunilrashinkar
New Contributor III

Hi

As per the DB connector guide, there are several files that need to be configured on the Saviynt side. Here are the files:

keytab file, krb5.conf, SQLJDBCDriver.conf, and update the JDBC driver to mssql-jdbc-7.0.0.jre10.jar

Here is the link for the steps:

https://docs.saviyntcloud.com/bundle/Database-v23x/page/Content/Appendix.htm#top

If you can go through the steps in the above link, can you confirm whether we can perform these steps using the Saviynt UI and do not need any help from the product team?

We have a ticket open for this, and the response we got on the ticket is this:

[screenshot: sunilrashinkar_0-1716826922191.png]

[This message has been edited by moderator to mask sensitive info]

As mentioned, the files need to be uploaded to Connector Files.

Avoid adding the agent's name on public forums.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Hi

We will try uploading the necessary files to the connector folder, but who will perform the following steps for us? We do not have access to the Saviynt servers:

[screenshot: sunilrashinkar_0-1716828678321.png]

 

 

As mentioned, this is not needed in EIC; it is preconfigured in EIC.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

We are at v23.1 and may go to v24.4. I don't think this is EIC.

Anything beyond v2021 is EIC


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

So I am assuming v23.x or 24.x is beyond v2021 and we don't have to perform the JDBC driver jar and the Catalina startup.sh file steps.

And I assume we will need a restart once we upload the files.

We will go ahead and test the steps and document it and provide the steps here, if it works.

Yes, we have done the same and it works.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Hi Rushikesh

I see we have the following 3 files to be configured for this setup:

krb5.keytab
krb5.conf
SQLJDBCDriver.conf

Do you want us to upload all three files under the connector folder through the Saviynt File Directory UI?

[screenshot: sunilrashinkar_0-1716914318162.png]

In the SQLJDBCDriver.conf file, we need to specify the path of krb5.keytab. Now this krb5.keytab file is uploaded under the connector folder, so what would be its path, which I can update in the SQLJDBCDriver.conf file?

 

Thanks

Sunil

 

[screenshot: rushikeshvartak_0-1716916311845.png]

[screenshot: rushikeshvartak_1-1716916348524.png]

 


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Hi,

I uploaded all 3 files under the Connector Files folder:

[screenshot: sunilrashinkar_0-1716916906548.png]

 

Also, the contents of the SQLJDBCDriver.conf file are:

SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false useKeyTab=true doNotPrompt=false keyTab="/saviynt_shared/saviynt/ConnectorFiles/krb5.keytab" principal="svc_SaviyntADReader@domain.com";
};

 

Updated the JDBC URL and tried the test connection, and it failed with this error from the debug log:

"2024-05-28T17:05:01.868+00:00","ecm","provisoning.DBProvisioningService","http-nio-8080-exec-9-7sb6w","ERROR","Creating connection failed: "
"2024-05-28T17:05:02.178+00:00","ecm","","null-7sb6w","","com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:35f99f02-deef-4bbc-8156-aadef021d372 at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:140) at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268) at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234) at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41) at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220) at

Any thoughts on what else is not setup properly?

[This post has been edited by a Moderator to remove sensitive information.]

Ask Saviynt support to restart from the backend.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

After the Saviynt agent restarted our Saviynt instance from the backend, we are still getting the same error.

Error While Test connection: Integrated authentication failed. ClientConnectionId:84cbf738-4cb0-4eaa-9356-5af730c25647

I tried different formats of the username, but still the same error:

svc_SaviyntADReader

svc_SaviyntADReader@domain.com

The full DN value of svc_SaviyntADReader

[screenshot: sunilrashinkar_0-1716925704734.png]

Anything else we can try?

[This post has been edited by a Moderator to remove sensitive information.]

The username should be:

domain/username

URL: jdbc:sqlserver://MUNTSD-S-71084.rushicom\\INS01;databaseName=Ryshu_TEST;authenticationScheme=JavaKerberos;integratedSecurity=true;userName=${USERNAME};password=${PASSWORD}


Regards,
Rushikesh Vartak

Did they restart the connector services?


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Yes, the Saviynt support team did restart the application. Here are the comments from the team on my ticket:

[screenshot: sunilrashinkar_0-1716929345957.png]

Also, I tried with the service account in the format EXACTSCIENCES/svc_SaviyntADReader, but I got the same error:

Error While Test connection: Integrated authentication failed. ClientConnectionId:5b7c0ebb-8dfd-455c-8718-bea1aa26e839

Here is the screenshot of the connection form for the DB connector:

[screenshot: sunilrashinkar_1-1716929678299.png]

[This post has been edited by a Moderator to remove sensitive information.]

‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

I have asked them to restart the connector services too. Waiting for their response.

sunilrashinkar
New Contributor III

The connector services were restarted, but the same error occurs after that too.

Share all config files.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Attached are the config files for your reference. Extension added as .txt

I have not attached the keytab file, let me know if you need that too.

[This message has been edited by moderator to mask sensitive info from an attached file]

Your conf file's domain does not match:

[libdefaults]
default_realm = CAPITAL.COM
dns_lookup_realm = true 
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.small.com = CAPITAL.COM

[realms]
CAPITAL.COM = {
kdc = use1-dc-ps1.es.local
default_domain = es.com
}

 

Please keep the exact case, capital or small.

Config file changes need a restart.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Thanks, I will make the change and have the application and connector services restarted and test it again.

sunilrashinkar
New Contributor III

After changing the krb5.conf file to lower case and restarting Saviynt and the connector services, the test connection is still failing.

Attached (with a .txt extension added to the attachment) is the updated file for your reference.

[This message has been edited by moderator to mask sensitive information from an attached file]

Your configuration is still not capital and small, and the domain ends with .local, which should be .com:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = use1-dc-ps1.domain.local
default_domain = domain.com
}

 

Change the "domain" keyword to the actual client name.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

We made this change and we got the error "unable to locate KDC for realm domain.com".

Here is the debug log error:

[screenshot: sunilrashinkar_0-1717028233249.png]

So it looks like the value below is there for a reason:

[libdefaults]
default_realm = DOMAIN.LOCAL

[This message has been edited by moderator to mask sensitive info]

Your keytab does not match the domain; it should be

default_realm = ES.COM

• List keytab content: ktab -l -e -t -k C:\Users\Rushikesh.Vartak\krb5.keytab

Regards,
Rushikesh Vartak

Yes, we will have a troubleshooting session with the respective teams to fix this. Will update in case we see any issue further.

 

Regards

Sangita Ladi

Please confirm whether this is resolved.


Regards,
Rushikesh Vartak

It's not resolved yet. We will update.

sangitaladi
Regular Contributor II

Hi Rishi

Updated the below in the krb5.conf file:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = use1-dc-ps1.domain.local
default_domain = domain.com
}

 

 

But the authentication still fails. Below is the debug log error:

[screenshot: sangitaladi_0-1717515328095.png]

 

sangitaladi
Regular Contributor II

The error message says: Unable to locate KDC for realm domain.com.

Your realm in the config and the krb5 file does not match.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

We tried the two krb5.conf config files below and they did not work.

Sample 1:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.local
default_domain = domain.com
}

Sample 2:

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.LOCAL

[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.local
default_domain = domain.com
}

Can you tell us exactly what this krb5.conf file should contain based on the keytab file we have? We have been going in circles on this one.

Check the krb5.conf (Linux/Unix) configuration file.

Ensure the [realms] section has the correct KDC information for the specified realm.

Example configuration:

[realms]
DOMAIN.COM = {
    kdc = kdc1.domain.com
    kdc = kdc2.domain.com
    admin_server = kdc1.domain.com
}


Regards,
Rushikesh Vartak
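The two samples posted above differ in exactly the way that produces "Unable to locate KDC for realm ...": Sample 2 names DOMAIN.LOCAL as default_realm while only DOMAIN.COM has a [realms] block. The script below is an added example, not part of the original thread and not Saviynt or MIT Kerberos code. It parses a krb5.conf and reports that kind of internal mismatch (default_realm without a [realms] block, a [domain_realm] mapping to an unknown realm, a realm not spelled in upper case) before another restart cycle. It only checks what the file says about itself; it does not contact a KDC, and the two embedded configs are reconstructions of the thread's Sample 1 and Sample 2 with placeholder domain names.

```python
"""Consistency check for a krb5.conf of the kind pasted in this thread.

Added example, not Saviynt or MIT Kerberos code. SAMPLE_OK and SAMPLE_BAD are
reconstructed from the thread's Sample 1 and Sample 2 (placeholder domain names).
"""
import re


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'NAME = { ... }' block becomes
    a nested dict whose values are lists, because a realm may list several kdc lines."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            conf[section][key] = {}
        elif block is not None:
            conf[section][block].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def check_krb5_conf(text):
    """Return a list of findings; an empty list means the file agrees with itself."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    findings = []
    if realm != realm.upper():
        # Kerberos realm names are case-sensitive; an AD realm is the DNS name in upper case.
        findings.append(f"default_realm {realm!r} is not upper-case")
    realms = conf.get("realms", {})
    if realm not in realms:
        # With no [realms] block the JDK falls back to SRV records for
        # _kerberos._udp/_tcp.<realm>; when those do not exist you get
        # "Cannot locate KDC" / "Unable to locate KDC for realm <realm>".
        findings.append(f"[realms] has no block for default_realm {realm!r}")
    elif not realms[realm].get("kdc"):
        findings.append(f"[realms] {realm} lists no kdc")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"[domain_realm] maps {domain} to {mapped!r}, which has no [realms] block")
    return findings


# Reconstructed from Sample 1 in the thread (placeholder names).
SAMPLE_OK = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.local
default_domain = domain.com
}
"""

# Sample 2 from the thread: default realm DOMAIN.LOCAL, but only DOMAIN.COM has a KDC.
SAMPLE_BAD = (SAMPLE_OK.replace("default_realm = DOMAIN.COM", "default_realm = DOMAIN.LOCAL")
              .replace(".domain.com = DOMAIN.COM", ".domain.com = DOMAIN.LOCAL"))

if __name__ == "__main__":
    for name, sample in (("Sample 1", SAMPLE_OK), ("Sample 2", SAMPLE_BAD)):
        print(name, "->", check_krb5_conf(sample) or ["consistent"])
```

Point it at the real file with check_krb5_conf(open("krb5.conf").read()) before asking for a restart; a clean result does not prove the KDC is reachable, only that the file will not send the JDK looking for a realm it never defines.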

Hi Rishi

As per your recommendation, here is the updated krb5.conf file. We are getting the same error, "Unable to locate KDC for realm domain.com":

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.com
default_domain = domain.com
}

Did you validate the keytab file content? The command is provided in the previous reply.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

Here is the output of the ktab command:

[screenshot: sunilrashinkar_0-1717686096401.png]

[This post has been edited by a Moderator to remove sensitive information.]

This principal, the connection username and the conf file principal should match.

‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️


Regards,
Rushikesh Vartak

Yes, it matches.
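The ktab listing requested above and the "principal should match" check can be done in one place. The script below is an added example, not Saviynt, JDK or MIT code: it parses a keytab the way ktab -l does (the keytab bytes are constructed inside the script with a dummy key, so it runs without a domain) and compares the keytab principal, the principal in SQLJDBCDriver.conf and the krb5.conf default_realm. One detail from this thread is worth checking this way: the debug log says "Unable to locate KDC for realm domain.com" in lower case while krb5.conf spells the realm DOMAIN.COM, and the SQLJDBCDriver.conf posted earlier has principal="...@domain.com". The JDK looks the KDC up under the exact spelling of the principal's realm, which is the mismatch the embedded sample reproduces. The principal, realm, enctype and kvno in the sample are assumptions.

```python
"""Read a keytab and compare it with the JAAS principal and the krb5.conf realm.

Added example, not Saviynt, JDK or MIT code. SAMPLE_KEYTAB is built here with a
dummy key (principal, realm, enctype and kvno are assumptions); JAAS_SAMPLE is the
SQLJDBCDriver.conf from the thread with placeholder names.
"""
import re
import struct
import time


def _counted(b):
    """MIT keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples as a version-2 (0x0502) keytab.
    Only used to construct sample input; a real keytab comes from ktpass or ktab."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                                 # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def _octets(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def read_keytab(data):
    """Parse version-2 keytab bytes into [{principal, enctype, kvno}]; keys are discarded."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        _key, pos = _octets(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; non-zero overrides vno8
            (v32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = v32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno})
    return entries


def jaas_principal(jaas_text):
    """Pull principal="..." out of a Krb5LoginModule entry such as SQLJDBCDriver.conf."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    return m.group(1) if m else None


def cross_check(keytab, jaas_text, default_realm):
    """Explain why Krb5LoginModule with useKeyTab=true would not find a usable key."""
    wanted = jaas_principal(jaas_text)
    if wanted is None:
        return ['JAAS config has no principal="..."']
    findings = []
    if "@" not in wanted:
        wanted += "@" + default_realm   # the JDK appends default_realm to a bare name
    realm = wanted.rsplit("@", 1)[1]
    if realm != default_realm:
        # The AS-REQ goes to the KDC of the principal's realm, looked up with this exact
        # spelling; a lower-case realm here yields "Unable to locate KDC for realm ...".
        findings.append(f"JAAS principal realm {realm!r} != default_realm {default_realm!r}")
    have = sorted(e["principal"] for e in read_keytab(keytab))
    if wanted not in have:
        findings.append(f"no key for {wanted!r} in keytab (it holds {have})")
    return findings


JAAS_SAMPLE = '''SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false useKeyTab=true
doNotPrompt=false keyTab="/saviynt_shared/saviynt/ConnectorFiles/krb5.keytab"
principal="svc_SaviyntADReader@domain.com";
};'''
# Constructed: one AES256 (enctype 18) entry with a dummy key, realm in upper case.
SAMPLE_KEYTAB = build_keytab([("svc_SaviyntADReader@DOMAIN.COM", 18, b"\x00" * 32, 3)])

if __name__ == "__main__":
    for entry in read_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(cross_check(SAMPLE_KEYTAB, JAAS_SAMPLE, "DOMAIN.COM"))
```

To run it against a real file, replace SAMPLE_KEYTAB with open("krb5.keytab", "rb").read() and JAAS_SAMPLE with the contents of SQLJDBCDriver.conf; the script never prints key material, so the output is safe to paste into a ticket.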

sunilrashinkar
New Contributor III

Hi Rishi

This principal, the connection username and the conf file principal are matching, and still the test connection is failing.

Here is the conf. file:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.domain.com = DOMAIN.COM

[realms]
DOMAIN.COM = {
kdc = USE1-DC-PS1.domain.com
default_domain = domain.com
}

Here is the DB Connection form on Saviynt:

[screenshot: sunilrashinkar_0-1717787779033.png]

 

And here are the keytab file contents:

[screenshot: sunilrashinkar_1-1717787835887.png]

 

See if you find anything wrong here. The error on the test connection is:

Error While Test connection: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99

The error in the debug log is:

"2024-06-07T20:04:15.535+00:00","ecm","provisoning.DBProvisioningService","http-nio-8080-exec-7-pvqhn","ERROR","Creating connection failed: "
"2024-06-07T20:04:16.216+00:00","ecm","","null-pvqhn","","com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99 at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:140) at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268) at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2691) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2234) at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41) at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2220) at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696) at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1326) at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827) at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012) at java.sql.DriverManager.getConnection(DriverManager.java:664) at java.sql.DriverManager.getConnection(DriverManager.java:208) at com.saviynt.provisoning.DBProvisioningService.getConnection(DBProvisioningService.groovy:198) at com.saviynt.ImportExternalDbService.connectToDB(ImportExternalDbService.groovy:649) at com.saviynt.ImportExternalDbService.testDBConnection(ImportExternalDbService.groovy:667) at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:926) at 
com.saviynt.ecm.utility.domain.EcmConfigController$_closure21.doCall(EcmConfigController.groovy:769) at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53) at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:155) at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62) at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59) at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69) at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82) at java.lang.Thread.run(Thread.java:750)Caused by: javax.security.auth.login.LoginException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:133) ... 25 moreCaused by: KrbException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782) ... 33 moreCaused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm exactsciences.com ... 34 more"
"2024-06-07T20:04:15.538+00:00","ecm","generic.GenericValidationService","http-nio-8080-exec-7-pvqhn","DEBUG","Inside validateCommonErrorResponse"
"2024-06-07T20:04:15.538+00:00","ecm","saviynt.ImportExternalDbService","http-nio-8080-exec-7-pvqhn","ERROR","Error while saving the Connection: Target Error Message: [com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99"
"2024-06-07T20:04:16.216+00:00","ecm","","null-pvqhn",""," ]"
"2024-06-07T20:04:15.538+00:00","ecm","domain.EcmConfigController","http-nio-8080-exec-7-pvqhn","ERROR","Integrated authentication failed. ClientConnectionId:9b555d3d-3375-4df4-84ee-70f1cab7ea99"

 

 

 

 

It does not seem the application restarted properly and picked up the updated files.


Regards,
Rushikesh Vartak

sunilrashinkar
New Contributor III

If you look at the above stack trace, I see the error --> Cannot locate KDC

Are you saying that since the application was not restarted properly, we might be getting this "cannot locate KDC" error?

If you update any configuration, a restart is a must. Make sure there are no leading/trailing spaces in the configs.


Regards,
Rushikesh Vartak