Windows AD Account for Guardium Datasource Scanning Troubleshooting / Configuration Checks

Troubleshooting


Problem

In an existing datasource that is functioning and scanning, we are currently using a SQL user account 'Username'. This is a violation of CIS benchmarks, so we would like to change to a Windows domain account.
Problem 1 Error Message:
When setting up a new datasource to enable scanning on a newly added server and trying to use a domain account, validate and scan returns the following authentication error:
Could not connect to: 'jdbc:guardium:sqlserver://xxx.xxx.xxx.xxx:1433;CryptoProtocolVersion=TLSv1,TLSv1.1,TLSv1.2' for user: 'ABCD-5_MS SQL SERVER(Classifier)'. DataSourceConnectException: Could not connect to: 'MS SQL SERVER ABCD-5 /xxx.xxx.xxx.xxx:1433' for user: 'Guardium'. Exception: com.ibm.guardium.sqlserver.jdbc.base.fv: [guardium][SQLServer JDBC Driver][SQLServer]Login failed for user 'Guardium'.
Resolution:

Specify the domain name in the Connection property field of the Datasource Definition. See the information below, taken from this link:

MS SQL Server (DataDirect) - https://www.ibm.com/docs/en/guardium/11.5?topic=datasource-ms-sql-server-datadirect

Properties that must be included in the JDBC URL to establish a JDBC connection with the datasource. The required format is property1=value;property2=value, where each property and value pair is separated by a semicolon.
For examples, refer to the database vendor's JDBC documentation.
For example,
domain=domain_name;AuthenticationMethod=authentication_method; encryptionMethod=encryption_method;validateServerCertificate=true_or_false;

Where:

  • domain_name is the name of the domain server. If the driver cannot determine the domain name, the connection fails and produces an error.
  • AuthenticationMethod determines the authentication method that the driver uses when a connection is established. If the authentication method is not supported by the database server, the connection fails and produces an error.
    The following values for AuthenticationMethod are valid:
    • ntlm
    • ntlmjava
    • ntlm2java
    For Windows authentication, use the following property:
    domain=domain_name;AuthenticationMethod=ntlmjava
    To use NTLMv2 for Windows authentication, use the following property:
    domain=domain_name;AuthenticationMethod=ntlm2java

Problem 2 Error Message:

Exception: com.ibm.guardium.sqlserver.jdbc.base.fv: [guardium][SQLServer JDBC Driver][SQLServer]Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

Explanation:
You get this error from the SQL Server DataDirect datasource when you connect to SQL Server over an encrypted connection (TLS/SSL) as a domain user. The same connection works for a SQL Server local user; only a domain user gets this error over the JDBC connection. In the datasource connection property for SQL Server, make sure you have something like this: “domain=domain_name;AuthenticationMethod=ntlm2java;encryptionMethod=SSL;validateServerCertificate=false”
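The property-string rules quoted from the documentation under Problem 1 and the encrypted-connection string in this explanation can be checked before a datasource definition is saved. The Python below is an added example, not IBM's or DataDirect's code: it parses a Connection property string and reports what a domain-account datasource is missing. The property names and the three AuthenticationMethod values come from this page; comparing names and values case-insensitively is an assumption made for the check only, and the string itself is passed to the driver unchanged.

```python
"""Check a Guardium datasource 'Connection property' string for the DataDirect
SQL Server driver before saving the datasource definition.

Added example, not IBM or DataDirect code. It knows only the properties named on
this page (domain, AuthenticationMethod, encryptionMethod, validateServerCertificate)
and the three AuthenticationMethod values from the documentation excerpt.
Assumption: names and values are compared case-insensitively here for lookup only.
"""

# From the IBM documentation excerpt (ntlm, ntlmjava, ntlm2java).
VALID_AUTH_METHODS = {"ntlm", "ntlmjava", "ntlm2java"}


def parse_properties(conn_props: str) -> dict:
    """Split 'property1=value;property2=value;' into {name_lower: value}.

    Tolerates a trailing semicolon and whitespace around entries (the documentation
    example itself has a space after one semicolon). Raises ValueError on an entry
    without '=' so a typo such as 'domain;CORP' is caught before the connection test.
    """
    props = {}
    for entry in conn_props.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"malformed entry (expected name=value): {entry!r}")
        name, value = entry.split("=", 1)
        props[name.strip().lower()] = value.strip()
    return props


def validate(conn_props: str, server_requires_tls: bool) -> list:
    """Return (code, message) findings for a datasource that uses a domain account.

    An empty list means the string carries what the two resolutions on this page call
    for. Codes: NO_AUTH_METHOD, BAD_AUTH_METHOD, NO_DOMAIN, NO_ENCRYPTION, CERT_NOT_VALIDATED.
    """
    props = parse_properties(conn_props)
    findings = []

    auth = props.get("authenticationmethod")
    auth_norm = auth.lower() if auth is not None else None
    if auth_norm is None:
        # Problem 1: a domain account without domain=...;AuthenticationMethod=...
        # fails with 'Login failed for user'.
        findings.append(("NO_AUTH_METHOD",
                         "set domain=<domain_name>;AuthenticationMethod=ntlmjava "
                         "(or ntlm2java for NTLMv2)"))
    elif auth_norm not in VALID_AUTH_METHODS:
        findings.append(("BAD_AUTH_METHOD",
                         f"AuthenticationMethod={auth!r} is not one of "
                         f"{sorted(VALID_AUTH_METHODS)}"))
    if auth_norm in VALID_AUTH_METHODS and not props.get("domain"):
        # The driver cannot determine the domain on its own; the connection then fails.
        findings.append(("NO_DOMAIN",
                         "domain=<domain_name> is required with NTLM authentication"))

    if server_requires_tls and props.get("encryptionmethod", "").upper() != "SSL":
        # Problem 2: encrypted connection as a domain user; the working string on
        # this page carries encryptionMethod=SSL.
        findings.append(("NO_ENCRYPTION",
                         "add encryptionMethod=SSL for a TLS-protected SQL Server"))

    if props.get("validateservercertificate", "").lower() == "false":
        # Works, as the page shows, but the appliance then does not verify the
        # server certificate; record it so the setting is a conscious choice.
        findings.append(("CERT_NOT_VALIDATED",
                         "validateServerCertificate=false: server certificate is not checked"))
    return findings


def finding_codes(conn_props: str, server_requires_tls: bool) -> list:
    """Return only the finding codes, in order."""
    return [code for code, _ in validate(conn_props, server_requires_tls)]


if __name__ == "__main__":
    # Constructed strings: the Problem 1 state (no properties) and the Problem 2 fix.
    samples = [
        ("", False),
        ("domain=CORP;AuthenticationMethod=ntlm2java;encryptionMethod=SSL;"
         "validateServerCertificate=false", True),
    ]
    for s, tls in samples:
        print(repr(s), "->", finding_codes(s, tls))
```

Run it against the string you intend to paste into the datasource definition; a NO_AUTH_METHOD or NO_DOMAIN finding corresponds to the Problem 1 login failure, and NO_ENCRYPTION to the Problem 2 case where the server only accepts TLS connections.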
Resolution:
In Windows Active Directory, make sure this domain user can log on to all computers:
1. Check whether the SQL account is included in the “Access this computer from the network” policy under
Local Security Policy -> Local Policies -> User Rights Assignment -> Access this computer from the network.
2. Check the Log On To setting under the Account tab in the user's properties in Active Directory Users and Computers.
Slight caveat.
“Log On To under the Account tab in the User properties in Active Directory Users and Computers” needs to be blank or, if entries are there, at least include the computer being scanned. Microsoft recommends NOT using this field, based on:
User-Workstations attribute - https://learn.microsoft.com/en-us/windows/win32/adschema/a-userworkstations
“Check whether the SQL account is included in the “Access this computer from the network” policy under Local Security Policy -> Local Policies -> User Rights Assignment -> Access this computer from the network.” So for us, we did not need to explicitly name our Guardium account in this policy. We have “Authenticated Users” and Administrators on ours, which seems to work for us. In other words, we believe this permission does not have to be explicit; rather, it is implicit through group membership.
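The two Active Directory checks above (the “Access this computer from the network” user right and the Log On To list) can be evaluated offline from a `secedit /export /cfg` of the SQL Server host together with the account's group SIDs. The Python below is an added example, not IBM's or Microsoft's code; the secedit excerpt, host name and SIDs are constructed. It assumes the account is an ordinary domain user, whose token also carries the well-known Authenticated Users and Everyone SIDs, which is why a right granted to Authenticated Users covers the Guardium account without naming it, as the caveat above observes.

```python
"""Offline check of the two Active Directory conditions from the Resolution above:
the account may log on to the SQL Server host over the network, and its 'Log On To'
list (the userWorkstations attribute) does not exclude that host.

Added example, not IBM or Microsoft code. The secedit excerpt and the SIDs are
constructed; on a real host the [Privilege Rights] section comes from
`secedit /export /cfg <file>` run on the SQL Server, and the SID list from the
account's (nested) group membership. Assumption: the account is an ordinary domain
user, so its token also carries the well-known Authenticated Users and Everyone SIDs.
"""

# Well-known SIDs present in every ordinary domain user's token (assumption above).
IMPLICIT_SIDS = {
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}

# Constructed excerpt of a secedit export, not taken from a real machine.
# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-545 = BUILTIN\Users,
# S-1-5-32-546 = BUILTIN\Guests.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> dict:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.

    secedit writes resolvable principals as *SID; a name it could not resolve is
    written bare, so the leading '*' is stripped and everything else kept verbatim.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def network_logon_allowed(rights: dict, token_sids: set) -> tuple:
    """Return (allowed, reason). A deny right wins over an allow, as on Windows.

    token_sids must hold the account SID, every group SID it carries (nested groups
    included) and the implicit well-known SIDs.
    """
    denied = token_sids & set(rights.get("SeDenyNetworkLogonRight", []))
    if denied:
        return False, f"denied via {sorted(denied)}"
    granted = token_sids & set(rights.get("SeNetworkLogonRight", []))
    if granted:
        return True, f"granted via {sorted(granted)}"
    return False, "no matching SID in SeNetworkLogonRight"


def logon_to_allows(user_workstations: str, host_netbios: str) -> bool:
    """'Log On To' (userWorkstations) is a comma-separated list of NetBIOS names;
    a blank value means the account may log on to all computers."""
    if not user_workstations.strip():
        return True
    names = {n.strip().upper() for n in user_workstations.split(",") if n.strip()}
    return host_netbios.upper() in names


def check_account(rights: dict, account_sid: str, group_sids, user_workstations: str,
                  host_netbios: str) -> dict:
    """Combine both checks for one account against one SQL Server host."""
    token = {account_sid} | set(group_sids) | set(IMPLICIT_SIDS)
    allowed, reason = network_logon_allowed(rights, token)
    return {
        "network_logon": allowed,
        "network_logon_reason": reason,
        "logon_to_ok": logon_to_allows(user_workstations, host_netbios),
    }


if __name__ == "__main__":
    # Constructed account: CORP\svc-guardium, member only of Domain Users (RID 513),
    # blank Log On To, scanning the constructed host SQLHOST01.
    rights = parse_privilege_rights(SECEDIT_EXPORT)
    print(check_account(rights, "S-1-5-21-1111-2222-3333-1105",
                        ["S-1-5-21-1111-2222-3333-513"], "", "SQLHOST01"))
```

With the constructed policy the account passes through Authenticated Users alone, matching the observation that the right need not name the Guardium account explicitly; if the SQL host's export listed only specific groups, the account's own SID or one of its group SIDs would have to appear there, and any entry in the Log On To list that omits the scanned host fails the second check.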

Document Location

Worldwide


Document Information

Modified date:
28 November 2023

UID

ibm17084052