Skip to content

Test | Fix Kerberos SSPI authentication failure when using TCP proxy in manual tests#4146

Open
ShreyaLaxminarayan wants to merge 1 commit intodotnet:mainfrom
ShreyaLaxminarayan:fix
Open

Test | Fix Kerberos SSPI authentication failure when using TCP proxy in manual tests#4146
ShreyaLaxminarayan wants to merge 1 commit intodotnet:mainfrom
ShreyaLaxminarayan:fix

Conversation

@ShreyaLaxminarayan
Copy link
Copy Markdown
Contributor

@ShreyaLaxminarayan ShreyaLaxminarayan commented Apr 7, 2026

Problem:
CreateAndStartProxy used in manual tests rewrites the connection string address to 127.0.0.1, causing kerberos to construct the wrong SPN (MSSQLSvc/localhost) instead of the real server name. Since localhost is not registered in Active Directory, SSPI authentication fails with
Microsoft.Data.SqlClient.SqlException: The target principal name is incorrect. Cannot generate SSPI context.

Kerberos builds the SPN from the resolved connection address. When the proxy rewrites the address to 127.0.0.1, the SPN is constructed from localhost instead of the actual server hostname, breaking AD lookup.

Fix:
Capture the original server name before the proxy rewrites the address. After rewriting, explicitly set ServerSPN in the connection string to the real server's SPN using DataTestUtility.GetMachineFQDN, but only if ServerSPN is not already set by the caller.
This fix only applies if ServerSPN is not set already.

Tests Affected:
SqlCommandCancelTest.TimeOutDuringRead_Tcp— previously failing with SSPI error, now passing

@ShreyaLaxminarayan
Fix Kerberos SSPI authentication failure when using TCP proxy in manu…
934bb78 
…al tests

Problem:
CreateAndStartProxy used in manual tests rewrites the connection string address to 127.0.0.1, causing kerberos to construct the wrong SPN (MSSQLSvc/localhost) instead of the real server name.
Since localhost is not registered in Active Directory, SSPI authentication fails with
Microsoft.Data.SqlClient.SqlException: The target principal name is incorrect. Cannot generate SSPI context.

Fix:
Capture the original server name before the proxy rewrites the address. After rewriting, explicitly set ServerSPN in the connection string to the real server's SPN using DataTestUtility.GetMachineFQDN,
but only if ServerSPN is not already set by the caller.

Tests Affected:
SqlCommandCancelTest.TimeOutDuringRead_Tcp— previously failing with SSPI error, now passing
@ShreyaLaxminarayan ShreyaLaxminarayan requested a review from a team as a code owner April 7, 2026 05:58
@github-project-automation github-project-automation bot moved this to To triage in SqlClient Board Apr 7, 2026
@paulmedynski paulmedynski added this to the 7.1.0-preview1 milestone Apr 7, 2026
@paulmedynski paulmedynski added the Area\Tests Issues that are targeted to tests or test projects label Apr 7, 2026
@paulmedynski paulmedynski self-assigned this Apr 7, 2026
@paulmedynski paulmedynski moved this from To triage to In review in SqlClient Board Apr 7, 2026
@paulmedynski
Copy link
Copy Markdown
Contributor

paulmedynski commented Apr 7, 2026

/azp run

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Apr 7, 2026

Azure Pipelines successfully started running 2 pipeline(s).

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.32%. Comparing base (60d4b92) to head (934bb78).
⚠️ Report is 17 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (60d4b92) and HEAD (934bb78). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (60d4b92) HEAD (934bb78)
CI-SqlClient 1 0
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4146      +/-   ##
==========================================
- Coverage   73.22%   66.32%   -6.91%     
==========================================
  Files         280      274       -6     
  Lines       43000    65782   +22782     
==========================================
+ Hits        31486    43628   +12142     
- Misses      11514    22154   +10640
Flag Coverage Δ
CI-SqlClient ?
PR-SqlClient-Project 66.32% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cheenamalhotra cheenamalhotra changed the title Fix Kerberos SSPI authentication failure when using TCP proxy in manual tests Test | Fix Kerberos SSPI authentication failure when using TCP proxy in manual tests Apr 8, 2026
@cheenamalhotra cheenamalhotra enabled auto-merge (squash) April 8, 2026 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cheenamalhotra cheenamalhotra cheenamalhotra approved these changes

@paulmedynski paulmedynski paulmedynski approved these changes

Assignees

@paulmedynski paulmedynski

Labels

Area\Tests Issues that are targeted to tests or test projects

Projects

SqlClient Board
Status: In review

Milestone

7.1.0-preview1

Development

Successfully merging this pull request may close these issues.

3 participants

@ShreyaLaxminarayan @paulmedynski @cheenamalhotra