Can't connect to Azure SQL DB using Azure Active Directory Auth

Avatar
Ilias Mouradov
Created

Hi,

Testing DataGrip for our dev team and having difficulties connecting to our cloud sql server using Azure Active Directory auth.

Azure data studio works fine using Azure Active Directory - Universal with MFA support auth type.

If i try Azure Active Directory interactive, it opens ~20 tabs in Edge browser (localhost:xxxxxx) where each tab says "Authentication complete. You can close the browser and return to the application." before giving up with the following error:

Failed to authenticate the user ilias.mouradov@xxx.com in Active Directory (Authentication=ActiveDirectoryInteractive). javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Switching to Azure Active Directory password mode, it just fails with the similar error:

Active Directory (Authentication=ActiveDirectoryPassword). javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've tried to add all the certificates i found on this page (Azure Active Directory certificate authorities - Microsoft Entra | Microsoft Learn) to DataGrips trust store (Files->settings->Tools->Server certificates), didn't help, still the same error above. I've tried to add those certs into \JetBrains\DataGrip 2022.3\jbr\lib\security\cacerts, nothing. I've tried to enable SSL in SSH/SSL tab with each cert just for shits and giggles, got a different error but to be honest i'm pretty sure i'm doing something wrong here to begin with: 

ava.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Would you know what's happening and how to fix this? Let me know if you need any other info.
Thanks!

Votes

0

Share

10 comments
Avatar
Konstantin Annikov
Created

1. Find the certificate that triggers the error. For that

    1. Open data source properties

    2. go to Advanced tab

    3. Paste this into VM Options field:  -Djavax.net.debug=ssl,handshake

    4. Set Auth to ActiveDirectoryPassword

    5. Test connection

    6. Check IDE logs (Help -> Collect logs... )

2. Install certificate on local machine (Right-click -> install -> Local machine(if you have enough permissions, otherwise - Local user).

3. Install the certificate to DataGrip Store: 

    keytool -importcert -file <path_to_DigiCert.crt> -keystore C:\Users\User\AppData\Local\JetBrains\Toolbox\apps\datagrip\<path to datagrip>\jbr\lib\security\cacerts

 

 

0
Avatar
Ilias Mouradov
Created

Hi Konstantin,

Is it possible to see what url DG is trying to connect before failing? Looking at the logs i'm not sure i can tell. Just in case i used openssl to list all certs for login.windows.net and login.microsoftonline.com ( .\openssl.exe s_client -showcerts -connect login.windows.net:443 etc), saved them into 5 sep files and installed both on local machine and into DG's cacerts but still getting the same error:


javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
2022-12-06 11:59:51,339 [  45653]   WARN - #c.i.e.r.RemoteProcessSupport - "EncryptedExtensions": [
2022-12-06 11:59:51,339 [  45653]   WARN - #c.i.e.r.RemoteProcessSupport - <no extension>
2022-12-06 11:59:51,339 [  45653]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,339 [  45653]   WARN - #c.i.e.r.RemoteProcessSupport - )
2022-12-06 11:59:51,339 [  45653]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:185|Ignore unavailable extension: server_name
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:185|Ignore unavailable extension: supported_groups
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:219|Ignore unavailable extension: server_name
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:219|Ignore unavailable extension: supported_groups
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.339 UTC|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.340 UTC|CertificateMessage.java:1172|Consuming server Certificate handshake message (
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "Certificate": {
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "certificate_request_context": "",
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "certificate_list": [
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "certificate" : {
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "version"            : "v3",
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "serial number"      : "230A4CCA9C934A87B2CE1E1A42FAF08E",
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "signature algorithm": "SHA256withRSA",
2022-12-06 11:59:51,340 [  45654]   WARN - #c.i.e.r.RemoteProcessSupport - "issuer"             : "EMAILADDRESS=certadmin@netskope.com, CN=ca.nbfc.goskope.com, OU=3e68fe04cd9c0cd5163660995dcc3e52, O=Northbridge Financial Corporation, L=TORONTO, ST=ON, C=CA",
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - "not before"         : "2022-11-05 24:04:24.000 UTC",
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - "not  after"         : "2023-12-05 24:04:24.000 UTC",
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - "subject"            : "CN=*.login.windows.net",
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - "subject public key" : "RSA",
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions"         : [
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.19 Criticality=false
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - BasicConstraints:[
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - CA:false
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - PathLen: undefined
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.37 Criticality=false
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ExtendedKeyUsages [
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - serverAuth
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - clientAuth
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.15 Criticality=true
2022-12-06 11:59:51,341 [  45655]   WARN - #c.i.e.r.RemoteProcessSupport - KeyUsage [
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - DigitalSignature
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - Key_Encipherment
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.17 Criticality=false
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - SubjectAlternativeName [
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - DNSName: *.login.windows.net
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - DNSName: login.windows.net
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.14 Criticality=false
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - SubjectKeyIdentifier [
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - KeyIdentifier [
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - 0000: 3F 80 2E 46 0F 5A BA 87   E6 17 A6 FA 57 A2 46 96  ?..F.Z......W.F.
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - 0010: BF 58 79 63                                        .Xyc
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - ]}
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions": {
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - <no extension>
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,342 [  45656]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "certificate" : {
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "version"            : "v3",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "serial number"      : "3F4105",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "signature algorithm": "SHA256withRSA",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "issuer"             : "EMAILADDRESS=certadmin@netskope.com, CN=caadmin.netskope.com, OU=Cert Management, O=netSkope Inc, L=Los Altos, ST=California, C=US",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "not before"         : "2016-09-02 08:45:03.000 UTC",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "not  after"         : "2026-08-31 08:45:03.000 UTC",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "subject"            : "EMAILADDRESS=certadmin@netskope.com, CN=ca.nbfc.goskope.com, OU=3e68fe04cd9c0cd5163660995dcc3e52, O=Northbridge Financial Corporation, L=TORONTO, ST=ON, C=CA",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "subject public key" : "RSA",
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions"         : [
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.35 Criticality=false
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - AuthorityKeyIdentifier [
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - KeyIdentifier [
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - 0000: D4 3E 19 8C E0 F9 51 AD   FF 35 0E E2 9D 49 6B 50  .>....Q..5...IkP
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - 0010: EE CC A1 7E                                        ....
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - [EMAILADDRESS=certadmin@netskope.com, CN=caadmin.netskope.com, OU=Cert Management, O=netSkope Inc, L=Los Altos, ST=California, C=US]
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - SerialNumber: [    92432372 7b79a4a6]
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,343 [  45657]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.19 Criticality=false
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - BasicConstraints:[
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - CA:true
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - PathLen: no limit
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.14 Criticality=false
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - SubjectKeyIdentifier [
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - KeyIdentifier [
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - 0000: 36 44 B5 11 46 59 04 9D   51 0E DB 1C 45 4E F4 93  6D..FY..Q...EN..
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - 0010: 0A 9A 49 6D                                        ..Im
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - ]}
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions": {
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - <no extension>
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,344 [  45658]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "certificate" : {
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "version"            : "v3",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "serial number"      : "00924323727B79A4A6",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "signature algorithm": "SHA1withRSA",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "issuer"             : "EMAILADDRESS=certadmin@netskope.com, CN=caadmin.netskope.com, OU=Cert Management, O=netSkope Inc, L=Los Altos, ST=California, C=US",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "not before"         : "2013-06-19 23:21:17.000 UTC",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "not  after"         : "2043-06-12 23:21:17.000 UTC",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "subject"            : "EMAILADDRESS=certadmin@netskope.com, CN=caadmin.netskope.com, OU=Cert Management, O=netSkope Inc, L=Los Altos, ST=California, C=US",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "subject public key" : "RSA",
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions"         : [
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.35 Criticality=false
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - AuthorityKeyIdentifier [
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - KeyIdentifier [
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - 0000: D4 3E 19 8C E0 F9 51 AD   FF 35 0E E2 9D 49 6B 50  .>....Q..5...IkP
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - 0010: EE CC A1 7E                                        ....
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - [EMAILADDRESS=certadmin@netskope.com, CN=caadmin.netskope.com, OU=Cert Management, O=netSkope Inc, L=Los Altos, ST=California, C=US]
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - SerialNumber: [    92432372 7b79a4a6]
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.19 Criticality=false
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - BasicConstraints:[
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - CA:true
2022-12-06 11:59:51,345 [  45659]   WARN - #c.i.e.r.RemoteProcessSupport - PathLen: no limit
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - {
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ObjectId: 2.5.29.14 Criticality=false
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - SubjectKeyIdentifier [
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - KeyIdentifier [
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - 0000: D4 3E 19 8C E0 F9 51 AD   FF 35 0E E2 9D 49 6B 50  .>....Q..5...IkP
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - 0010: EE CC A1 7E                                        ....
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ]}
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - "extensions": {
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - <no extension>
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - },
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - ]
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - }
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - )
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.340 UTC|SSLExtensions.java:185|Ignore unavailable extension: status_request
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.340 UTC|SSLExtensions.java:185|Ignore unavailable extension: status_request
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|DEBUG|83|pool-29-thread-1|2022-12-06 16:59:51.340 UTC|SSLExtensions.java:185|Ignore unavailable extension: status_request
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - javax.net.ssl|ERROR|83|pool-29-thread-1|2022-12-06 16:59:51.341 UTC|TransportContext.java:363|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
2022-12-06 11:59:51,346 [  45660]   WARN - #c.i.e.r.RemoteProcessSupport - "throwable" : {
2022-12-06 11:59:51,347 [  45661]   WARN - #c.i.e.r.RemoteProcessSupport - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2022-12-06 11:59:51,347 [  45661]   WARN - #c.i.e.r.RemoteProcessSupport - at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
0
Avatar
Konstantin Annikov
Created

Several strings before the message there should be some info. Could you share the whole log (Help | Collect Logs and Diagnostic Data)? You can upload to https://uploads.jetbrains.com/

0
Avatar
Ilias Mouradov
Created

Hi,

Thank you, here is upload id: 2022_12_07_CYbqsWoCCZW4XptiXvjwD4 (file: datagrip-logs-20221207-1336156546588964049937319.zip).

I've checked the logs again and it does look like it's failing to connect to login.windows.net but i'm not 100% sure.

0
Avatar
Konstantin Annikov
Created

Yes, seems it is login.windows.net

Ok, could you show the exact commands used to install the certificate into the DataGrip trust store? 

0
Avatar
Ilias Mouradov
Created

Hi,

Yeah, that's what i was afraid of. Sure, commands are

1 Show all certs:
.\openssl.exe s_client -showcerts -connect login.windows.net:443

2 Then for each block that starts and ends with -----... save it in sep file and add to cacerts:
 'C:\Program Files2\JetBrains\DataGrip 2022.3\jbr\bin\keytool.exe' -importcert -trustcacerts -file "C:\Program Files2\MS certs\dg_login1.crt" -keystore "C:\Program Files2\JetBrains\DataGrip 2022.3\jbr\lib\security\cacerts" -alias dg1

3 Then right click, install cert for Local machine etc.

0
Avatar
Ilias Mouradov
Created

Hi,

Definitely something broken in DataGrip it looks like, just tried Dbeaver and it can connect no problem either using interactive mode (via browser) or using login/password. And from what i understand Dbeaver is also using java driver to connect to Azure SQL DB.

0
Avatar
Ilias Mouradov
Created

Yeah, this is weird. Just created a test Azure SQL server in my own sub, set up AD access and  DG was able to connect no problem using AD user/password method, no issues whatsoever.

So it only fails when trying to connect to the one that is in org's subscription. I don't have any access to that one, so have no idea what they did with it to give DG so much trouble. And i won't be able to change their config anyway even if i wanted to.

However the fact remains that DBeaver can connect no problem so i guess it's still fair to say that there is some bug in DG's implementation. 

0
Avatar
vasily chernov
Created

Ilias Mouradov,

It's strange. So, could you create a new data source for your org's subscription server. And make sure you set encrypt to false on data source's Advanced tab. Microsoft changed a default driver behavior recently.

 

0
Avatar
Ilias Mouradov
Created

Hi,

Noticed that there was an update available for DG so i went ahead and did it.

I guess i should mention that the first error that i get when i create a new connection with dummy usernmame/password with Azure AD auth and real azure db url is this:

DBMS: Azure SQL Database (no ver.)
Case sensitivity: plain=mixed, delimited=exact
[08S01] The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Failed to validate the server name "*.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate "*.secondary.public.xxx.database.windows.net"". ClientConnectionId:4e00c27f-1d45-4711-9e93-d0ca92b0dfda
Failed to validate the server name "*.database.windows.net"in a certificate during Secure Sockets Layer (SSL) initialization. Name in certificate "*.secondary.public.xxx.database.windows.net".

DBeaver doesn't have such error.

The way i "fix" it is i have to go to Advanced Options and set hostNameInCertificate property to be exactly the same as azure db url (by defualt it was set to '*.database.windows.net' by DataGrip). 

Then... it worked :) First it complained about not being able to auth the user in Azure AD which made total sense cause it was dummy login and then after fixing it it connected just fine. Didn't even have to set encrypt to false.

Maybe update fixed it? Who knows :) I'll see if it continues working for a bit but looks promising.

1

Please sign in to leave a comment.