Connecting to SQL Server using NT Account name

meo1996 · October 21, 2022, 5:33pm

I am having trouble connecting to a SQL Server database and was hoping to get some assistance with troubleshooting the issue. I read around previous topics on this issue, and it seemed there were varying solutions ranging from using a Kerberos configuration or creating a SQL User.

While creating a SQL User would be the quick and easy solution, we are not allowed to create SQL Users due to company policy.

Now for the facts that I do have on my case.

Our DBAs currently see the following issue when we attempt to connect to their database.
Login failed for user 'DOMAIN\username'. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: ##.##.###.##]

Their server and database includes:
Microsoft SQL Server 2016 (SP3) 13.0.6300.2 (X64)
Windows Server 2016 Standard 10.0 (HyperVisor)

Now on the Metabase side, we have tried several additional JDBC connection string modifiers with varying failure messages.
When I've specified the authenticationScheme=NTLM;, I get the following error:
Login failed for user 'DOMAIN\username'. ClientConnectionId:###-###-###
This also generates the previous authentication error on the DBA side.

When specifying integratedSecurity=true: I receive the following error instead.
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Lastly, here's info about our Metabase instance.

  "browser-info": {
    "language": "en-US",
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "Java(TM) SE Runtime Environment",
    "java.runtime.version": "1.8.0_121-b13",
    "java.vendor": "Oracle Corporation",
    "java.vendor.url": "http://java.oracle.com/",
    "java.version": "1.8.0_121",
    "java.vm.name": "Java HotSpot(TM) 64-Bit Server VM",
    "java.vm.version": "25.121-b13",
    "os.name": "Linux",
    "os.version": "3.10.0-1160.71.1.el7.x86_64",
    "user.language": "en",
    "user.timezone": "America/New_York"
  },
  "metabase-info": {
    "databases": [
      "sqlserver",
      "sqlite",
      "mysql"
    ],
    "hosting-env": "unknown",
    "application-database": "h2",
    "application-database-details": {
      "database": {
        "name": "H2",
        "version": "1.4.197 (2018-03-18)"
      },
      "jdbc-driver": {
        "name": "H2 JDBC Driver",
        "version": "1.4.197 (2018-03-18)"
      }
    },
    "run-mode": "prod",
    "version": {
      "tag": "v0.41.5",
      "date": "2021-12-16",
      "branch": "release-x.41.x",
      "hash": "fbfffc6"
    },
    "settings": {
      "report-timezone": "US/Eastern"
    }
  }
}```

flamber · October 21, 2022, 5:48pm

Hi @meo1996
If your domain is MYDOMAIN, then you need to include that separately, so something like this:
integratedSecurity=true;authenticationscheme=NTLM;domain=MYDOMAIN;
And you only input the username in the Username field (without domain)
https://learn.microsoft.com/en-us/sql/connect/jdbc/using-ntlm-authentication-to-connect-to-sql-server?view=sql-server-ver16

I don't have Windows systems anymore, but that was what I used to do a long time ago if I remember correctly. If it doesn't work, then I'm not sure.

You should upgrade to a newer release, and migrate away from H2 if you're using Metabase in production.

meo1996 · October 21, 2022, 6:52pm

Seems like modifying the domain was the trick. Not sure why including the domain in the jdbc wasn't something I thought about before, but it worked. Thanks!