cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AAD auth failure caused by TLS 1.0,1.1 + PKCS disable
By
nora01
Published Mar 22 2022 03:23 AM 5,299 Views
nora01
Microsoft
‎Mar 22 2022 03:23 AM

AAD auth failure caused by TLS 1.0,1.1 + PKCS disable

‎Mar 22 2022 03:23 AM

Issue description:

While connect to a Azure SQL database via AAD Integrated/Password authentication, fail with below error:

Client: Azure VM (SSMS).  SQL authentication works normally.

nora01_0-1647942844669.png

Error message:

Cannot connect to xxx.database.windows.net.

===================================

One or more errors occurred. (mscorlib)

------------------------------

Program Location:

at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)

at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)

at System.Threading.Tasks.Task.Wait()

at System.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)

at System.Data.SqlClient.SqlInternalConnectionTds.OnFedAuthInfo(SqlFedAuthInfo fedAuthInfo)

at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)

...

The attempt to connect to the server failed. (System.Data)

 

Analysis:

Azure SQL database side shows error 33155 state 1 which means client failed to get an AAD token.

 

Network trace shows:

After client VM performed TCP handshakes with AAD endpoint(20.190.154.19 in the below diagram), client VM didn't send a TLS hello packet, but sent a Fin packet to terminate the connection:

nora01_5-1647941561955.png

 

Test with sqlcmd, udl -> Failed to authenticate the user 'xxx'      "Error code 0xCAA82EFD; state 10" 

nora01_2-1647941447006.png

 

System event log shows: a fatal error occurred while creating a TLS credential

nora01_3-1647941447008.png

 

Schannel registry:

KeyExchangeAlgorithms(PKCS) is disabled

SSL 3.0 and TLS 1.2 is enabled

TLS 1.0, 1.1 is disabled

==================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

    Enabled    REG_DWORD    0x0

==================

 

Cause:

On Windows Server version 1709 Windows Server version 1803 Windows Server version 1809 Windows Server version 1903 Windows Server version 1909 Windows Server 2019, when TLS 1.2 is enabled and TLS 1.1 and lower is disabled, Key Exchange Algorithms PKCS is required.

 

Solution:

enable PKCS or enable TLS 1.0, 1.1 on client machine (Azure VM in this example)

 

 

Co-Authors
Version history
Last update:
‎Mar 22 2022 07:42 PM
Updated by: