
Add support for integrated authentication for Microsoft SQL Server

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Atlassian status as of December 2016

      Hi everyone,

      Thanks to everyone for voting and commenting on this suggestion. Your input in the comments helps us understand how this affects you and what you're hoping to accomplish with Bitbucket Server.

      We spend a significant amount of time on an ongoing basis to determine our product investments in Bitbucket Server. Unfortunately, we are not currently planning to address this suggestion in the next 12 months. In the last 12 months, we've resolved 10 of the top 30 feature requests, and our upcoming roadmap includes a number of other top voted suggestions, including in-browser editing, improvements to search functionality, better JIRA integration, and providing an even better code review experience.

      I understand that this may be disappointing, but we believe it’s important for us to be open, honest and transparent with our customers. Product feedback is collected from a number of different sources and is evaluated when planning the product roadmap. You can learn more about our process here.

      Norman Ma

      Product Manager - Bitbucket Server

      With the move from using jTDS to access Microsoft SQL Server in Stash to using Microsoft's own JDBC driver, a nice improvement to also make would be to allow selecting integrated authentication in the UI.

      Currently, to use integrated authentication users must directly modify stash-config.properties to set their own jdbc.url value. This means it is not possible to migrate to SQL Server using integrated authentication, nor is it possible to select SQL Server during initial setup if integrated authentication is required.

      When SQL Server is selected as the database, a checkbox for selecting integrated authentication could be added. When selected, the username and password prompts should be disabled/hidden and no longer considered required; any credentials provided in those fields will be ignored.

      When integrated authentication is selected, the server should choose the correct sqljdbc_auth.dll for the JVM's architecture and include it in the java.library.path automatically. Currently, this step must be done manually, in addition to modifying the JDBC URL.

            [BSERV-3035] Add support for integrated authentication for Microsoft SQL Server

            ViswanathanR added a comment -

            Additionally, I get this when our DBA made a few changes

            com.microsoft.sqlserver.jdbc.SQLServerException: Kerberos Login failed: Integrated authentication failed. ClientConnectionId:bbbea1cd-7d62-47b1-adaa-c3140119dd20 due to javax.security.auth.login.LoginException (Unable to obtain password from user

            Due to RC4 remediation, it needs to be AES256 soon. At the moment we either live with RC4 for production or change to SQL authentication (in Stage/Test infra)

            ViswanathanR added a comment -

            I have this problem with JIRA. But in my case, I cannot connect with AES256 encryption. If the keytab and krb5.conf are updated with AES256, JIRA does not connect to the DB. I use JRE 1.8_272. Error is below

            com.microsoft.sqlserver.jdbc.SQLServerException: Cannot login with Kerberos principal <accountname>, check your credentials. Kerberos Login failed: Integrated authentication failed. ClientConnectionId:a6ca3935-3f6a-4457-9d32-ddc3b1a62c57 due to javax.security.auth.login.LoginException (KDC has no support for encryption type (14))

            My dbconfig.xml is

            <url>jdbc:sqlserver://<my DB instance>:10501;DatabaseName=jira;IntegratedSecurity=True;AuthenticationScheme=JavaKerberos</url>
            <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

            setenv.sh looks like

            -Djava.security.krb5.conf=/apps/jira/sqlserver/client/sqljdbc_6.2/enu/krb/krb5.conf

            krb5.conf looks like

            [libdefaults]
                default_realm = mydomain.COM
                default_tkt_enctypes = aes256-cts-hmac-sha1-96
                default_tgs_enctypes = aes256-cts-hmac-sha1-96
                dns_lookup_kdc = false
                dns_lookup_realm = false
            [realms]
                mydomain.COM = {
                    kdc = mydomain.com
                    master_kdc = mydomain.com
                    default_domain = Imydomain.com
                }

            The SQL driver.conf file has keytab entries too.

            If my krb5.conf is with rc4, they connect fine

            default_tkt_enctypes = des-cbc-md5 rc4-hmac
            default_tgs_enctypes = des-cbc-md5 rc4-hmac
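A client-side check for the enctype settings discussed in the comment above, as an added example that is not part of the original thread: it parses the `[libdefaults]` section of a krb5.conf and reports single-DES, 3DES and RC4 enctypes, plus enctype keys that are left unset. The weak-enctype list, the `EXAMPLE.COM` realm and both sample files are assumptions constructed for this example.

```python
import re

# Enctype names this example treats as weak (single DES, 3DES, RC4).
# The list is this example's assumption, not a setting taken from the page.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
        "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def audit_enctypes(text):
    """List (key, problem) pairs for enctype settings that permit weak ciphers."""
    conf, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS:
        if key not in conf:
            findings.append((key, "not set: library defaults apply"))
            continue
        # Enctype lists may be separated by whitespace and/or commas.
        for enctype in re.split(r"[\s,]+", conf[key].lower()):
            if enctype in WEAK:
                findings.append((key, "weak enctype " + enctype))
    return findings

# Constructed samples modelled on the two krb5.conf variants quoted in the thread.
RC4_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
AES_CONF = RC4_CONF.replace("des-cbc-md5 rc4-hmac", "aes256-cts-hmac-sha1-96")

if __name__ == "__main__":
    for name, conf in (("rc4", RC4_CONF), ("aes256", AES_CONF)):
        for key, problem in audit_enctypes(conf):
            print(f"{name}: {key}: {problem}")
```

A clean result covers only the client configuration: the `KDC has no support for encryption type (14)` error quoted above is returned by the KDC, so the encryption types enabled for the service account on the KDC and the keys in the keytab have to be checked separately.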

            Alex Janes added a comment -

            Atlassian Team, before you go 100% data center in 3 years, this needs to be addressed. Enterprise grade products should not have security features pushed for 7 years.


            Alexander Lelonek added a comment -

            We use Bitbucket Server and Jira in an enterprise environment. We are forced due to security reasons by our Guidelines not to use SQL Server Authentication. Using Integrated Security with SQL Server is best practice and should be the only available authentication method in combination with Kerberos and/or NTLM (for compatibility). Seriously, you should really get this done!

            kkrumme added a comment -

            This issue is 5 years old and has 75 votes. I am baffled as to why you're letting this sit in the backlog.


            kehlankrumme added a comment -

            I evaluated Bitbucket Server with my team, and now that it's up and running, we have to start over just to migrate to SQL Server?

            "Bitbucket Server does not currently support configuring the system to use integrated authentication from the UI. This means you can't currently migrate to SQL Server with integrated authentication, nor can you configure Bitbucket Server to use SQL Server with integrated authentication during initial setup."

            Quality!

            Dr Paul Gorman (+61 43 555 8575) added a comment -

            SonarQube running on Linux can be configured to use Kerberos tickets from AD and connect to MS SQL DB using the Microsoft JDBC driver... I do this as I ran into the same issue when SonarQube switched to using the Microsoft JDBC driver. But it can be configured using a Krb5LoginModule in the SQLJDBCDriver.conf file and the JDBC URL in the sonar properties file: sonar.jdbc.url=jdbc:sqlserver://MYSERVER.XXX.BIZ:1433;databaseName=SONAR;integratedSecurity=true;authenticationScheme=JavaKerberos.

            Can't you do the same thing? It's open source so you can see how they did it.

            Chris Pinola added a comment -

            For a product that is so heavily focused on enterprise environments, I was shocked to learn that this wasn't supported! I wasn't allowed to enable 'mixed auth' mode on my production database, so I had to spin up an isolated instance of SQL Server, "migrate" the Stash DB to that, backup the database, restore it on my production server, and then patch up the permissions. Rather annoying, to say the least.

              Unassigned
              bturner Bryan Turner (Inactive)
              Votes: 100
              Watchers: 37