How to proxy MSSQL connections over a TCP proxy with cached Kerberos credentials?

I need to proxy MSSQL connections over a TCP proxy using cached Kerberos credentials. The idea is to authenticate against the database with Kerberos, cache the cred, and then use that cred from a locked down environment to connect to the database over a proxy.

The Source and Proxy instances are both Linux machines running CentOS 8.

The Source/Client instance in this case has no connectivity to the domain controllers used for Kerberos auth, and neither does the proxy. The proxy is pure pass-through to the destination server, which does have connectivity to the domain controllers to perform the Kerberos ticket <--> token exchange and authenticate.

This is what my current environment looks like:

     Source                           Proxy                                  Dest
    +-+----+--+              +-----------------------------+            +-----------------+
    |         | tcp1         |          HAProxy            |   tcp2     |                 |
    | Client  +--------------> front_end       backend----------------->+ SQL Server      |
    |         |              |                             |            |                 |
    +---------+              +-----------------------------+            +-----------------+

My proxy config:

    frontend tcp-in-mssql
      bind :5650
      mode tcp
      use_backend mssql

    backend mssql
      mode tcp
      server mssql.mydomain.com mssql.mydomain.com:5650 check

When testing, I can connect directly to the SQL Server on the Dest instance from the Proxy instance both via password-based auth and Kerberos auth.

Examples of successfully connecting to the SQL Server from the Proxy instance:

    $ env | grep KRB5
    KRB5CCNAME=/tmp/krb5cc_12345   # <-- this is a valid ticket cache

    $ /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -U myuser
    Password:
    1> quit

    $ /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -E
    1> quit

When connecting over the Proxy from the Proxy host:

    $ /opt/mssql-tools18/bin/sqlcmd -C -S localhost,5650 -U myuser
    Password:
    1> quit

    $ /opt/mssql-tools18/bin/sqlcmd -C -S localhost,5650 -E
    Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : SSPI Provider: Server not found in Kerberos database.
    Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Cannot generate SSPI context.

I guess this makes sense if I use localhost in the sqlcmd server parameter.

I get exactly the same results when replacing localhost with the proxy host in the sqlcmd.

I believe my only major issue here is that I cannot get the connection to go over the proxy when setting socks_proxy or all_proxy env vars, so I can use the SQL Server host name in the sqlcmd server param.

Each of the below does not go over the proxy and goes directly to the host in the sqlcmd server param. The same happens when using password auth. I know this because I do not see the connections logged in the HAProxy logs.

    $ socks_proxy=socks5://localhost:5640 /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -E
    1> quit

    $ socks_proxy=socks://localhost:5640 /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -E
    1> quit

    $ all_proxy=socks5://localhost:5640 /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -E
    1> quit

    $ all_proxy=socks://localhost:5640 /opt/mssql-tools18/bin/sqlcmd -C -S mssql.mydomain.com,5650 -E
    1> quit

The only way I can seem to go over the proxy is to use the proxy in the sqlcmd server param, which works with password auth, but fails with Kerberos auth.

I've also tried adding ServerSPN=MSSQLSvc/mssql.mydomain.com:5650 to both my odbc.ini and odbcinst.ini files.

There's nothing in the sqlcmd doc that accepts proxy settings, so I'm at a loss as to what to do here. I'm flexible on the proxy; it doesn't have to be HAProxy, but HAProxy seemed like the easiest pass-through TCP proxy to stand up, so I went with it over nginx.
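As an added diagnostic (example code written for this page, not part of the question or of the sqlcmd/ODBC tooling), the Python below works out which SPN the client will ask for given sqlcmd's `-S host,port` value, optionally overridden the way the `ServerSPN` keyword mentioned above would, and checks whether a `klist` listing already holds a ticket for it. It assumes the driver's documented default SPN form `MSSQLSvc/<host>:<port>` with no reverse-DNS canonicalization, and the klist listing is constructed; on a client with no KDC connectivity, a service ticket that is not already in the cache cannot be fetched, which is why the exact SPN matters.

```python
import re

# Service class the SQL Server driver uses for its Kerberos SPN. The default
# form MSSQLSvc/<host>:<port> is assumed here; verify against your driver docs.
SPN_SERVICE = "MSSQLSvc"

# Constructed klist output modelled on the question's cache (/tmp/krb5cc_12345);
# the realm MYDOMAIN.COM is a placeholder, not taken from a real environment.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: myuser@MYDOMAIN.COM

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
01/01/2024 09:00:05  01/01/2024 19:00:00  MSSQLSvc/mssql.mydomain.com:5650@MYDOMAIN.COM
"""

# One ticket row of klist: start date, start time, expiry date, expiry time, principal.
_TICKET_RE = re.compile(r"^\d\S* \d\S*\s+\d\S* \d\S*\s+(\S+)$", re.MULTILINE)


def expected_spn(server_arg, server_spn=None):
    """Return the SPN the client will request for a sqlcmd -S 'host,port' value.
    server_spn mirrors the ODBC ServerSPN keyword: when set, it replaces the
    derived name entirely."""
    if server_spn:
        return server_spn
    host, _, port = server_arg.partition(",")
    port = port.strip() or "1433"  # SQL Server's default TCP port when none is given
    return f"{SPN_SERVICE}/{host.strip()}:{port}"


def cached_service_principals(klist_output):
    """Extract the service principals (realm stripped) listed by `klist`."""
    return {m.group(1).split("@")[0] for m in _TICKET_RE.finditer(klist_output)}


def diagnose(server_arg, klist_output, server_spn=None):
    """Say whether a client without KDC access can authenticate from this cache."""
    spn = expected_spn(server_arg, server_spn)
    cached = cached_service_principals(klist_output)
    if spn in cached:
        return f"OK: cache already holds a ticket for {spn}; no KDC round-trip needed"
    have = sorted(p for p in cached if not p.startswith("krbtgt/"))
    return f"MISSING: driver will ask the KDC for {spn}; cache only has {have}"


if __name__ == "__main__":
    for target in ("mssql.mydomain.com,5650", "localhost,5650"):
        print(target, "->", diagnose(target, SAMPLE_KLIST))
```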



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
