SQL server with PKINIT fails with `login error` when DB server and client CAs are different

Expected behavior:
Connection to SQL server like `tsh db connect ec2amaz-xxxx --db-user Administrator --db-name master` should succeed

Current behavior:
```
$ tsh db connect ec2amaz-xxxx --db-user Administrator --db-name master
mssql: login error: authentication failed
mssql: login error: authentication failed
ERROR: exit status 1
```

Bug details:
- Teleport version: v17.0.0-alpha.2
- Recreation steps
  - Ensure `tctl auth export --type db` and `tctl auth export --type db-client` are different. if not, rotate one of them.
  - Setup PKINIT SQL server using official guide or `Invoke-webrequest -uri "https://<proxy-addr>/webapi/scripts/databases/configure/sqlserver/<db-token>/configure-ad.ps1?uri=<sql-server-domain>:1433" -outfile configureteleport.ps1`
- Debug logs:
```
2024-11-06T14:41:18Z ERRO             "Failed to authenticate with KDC: Password for Administrator@STEVEAD.DEV.AWS.STEVEXIN.ME: \nkinit: Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate while getting initial credentials\n" kinit/kinit.go:311
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL server with PKINIT fails with `login error` when DB server and client CAs are different #48517

greedy52
openedon Nov 6, 2024

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SQL server with PKINIT fails with login error when DB server and client CAs are different #48517

Description

greedy52openedon Nov 6, 2024

Metadata