3

I am using integrated security with Teradata and ASP.NET MVC3. I am getting the exception below when trying to open a connection. Is there something I need to do to convert the token into something that will be acceptable?

Server Error in '/' Application.

The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Teradata.Net.Security.TdgssException: The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[TdgssException: The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet]
Teradata.Net.Security.Mechanisms.SPNEGOSession.AuthenticateAsClientImplementation(TdgssAuthenticationTokenExchange tokenAuthenticationExchange, String credential, String targetName) +4506
Teradata.Net.Security.Mechanisms.Session.AuthenticateAsClient(TdgssAuthenticationTokenExchange tokenAuthenticationExchange, String credential, String targetName) +159
Teradata.Client.Provider.WpSecurityManager.Action() +134

[TdException (0x80004005): [TeraGSS Security Library] [115022] Exception occurred in TERAGSS layer. See inner exception for details.]
Teradata.Client.Provider.WpSecurityManager.Action() +268
Teradata.Client.Provider.WpSession.Open(Int32 connectionTimeout, String password) +2258
Teradata.Client.Provider.Connection.Open(UtlConnectionString connectionString, UInt32 timeout) +1028
Teradata.Client.Provider.ConnectionPool.CreateConnection(UInt32 timeout) +53
Teradata.Client.Provider.ConnectionPool.GetConnectionFromPool(Object owningObject) +820
Teradata.Client.Provider.ConnectionFactory.GetConnection(Object owningObject, UtlConnectionString connStr) +842
Teradata.Client.Provider.TdConnection.Open() +172
ProductDevelopmentRequestSystem.Data.AMAPS.MaterialRepository.get_Connection() +389
ProductDevelopmentRequestSystem.Data.AMAPS.MaterialRepository.GetSuffixPlantMapping() +107
ProductDevelopmentRequestSystem.Reports.Supply.SupplyDataLogic.GetAmapsPlantMappings() +114
ProductDevelopmentRequestSystem.Reports.Supply.SupplyDataLogic.GetData(SupplyReportData data) +120
ProductDevelopmentRequestSystem.Reports.Supply.SupplyReportLogic.Generate(SupplyReportData data) +115
ProductDevelopmentRequestSystem.Controllers.SupplyAndDemandController.Index(SupplyAndDemandViewModel model) +1836
lambda_method(Closure , ControllerBase , Object[] ) +127
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +274
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +39
System.Web.Mvc.<>c_DisplayClass15.b_12() +120
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation) +637
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +307
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +720
System.Web.Mvc.Controller.ExecuteCore() +162
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +305
System.Web.Mvc.<>c_DisplayClassb.b_5() +62
System.Web.Mvc.Async.<>c_DisplayClass1.b_0() +15
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18055

Greg Finzer
  • Could it be that IIS is only configured for Kerberos and not including Ntlm? See link to switch Ntlm on: http://support.microsoft.com/kb/215383 –  Dec 06 '13 at 18:23
  • Is NTLM supported on the Teradata instance using tools like Teradata's SQL Assistant using ODBC/.Net Provider or Studio Express using JDBC? – Rob Paller Dec 10 '13 at 16:23
  • I am able to connect locally using integrated security and RazorSQL. I am also able to connect locally using integrated security and Visual Studio 2010 when running the web project. It is only when I deploy to the dev server. It is almost like Teradata doesn't like the ASP.NET impersonation. I don't know how to make it real. – Greg Finzer Dec 12 '13 at 12:48
  • Were you able to solve this? – Dennis Mar 14 '14 at 20:02
  • @Mr.White We ended up creating a user account for Teradata instead of using integrated authentication. The integrated authentication never worked. – Greg Finzer Mar 14 '14 at 20:35

2 Answers

0

Looks like the same question was posted on the Teradata forums. They were asked if Integrated Authentication was in use. If it was, a bug would need to be filed because this points to a failure of Kerberos falling back to NTLM. If Integrated Authentication wasn't needed, the connection string needed to be updated.

There was no response.

I presume this means it's a common double-hop issue which would be solved by getting a correct implementation of Kerberos running or changing the connection string to use an explicit account.

Erik Noren
  • Oddly this issue is not present when running an application on my local machine using IIS Express. I'm able to use single-sign on which then uses the connection string with "integrated-security:true" to connect to Teradata. However once the website is deployed to a non-local server which runs IIS 7.x single sign-on implodes on itself.. :( – Dennis Mar 17 '14 at 03:38
  • In your local environment, you're not double-hopping. Your machine is trusted to your machine. You only go one more hop out to your database. When deployed, you're hopping from your client to your web server which, if it isn't trusted to pass along your credentials via kerberos, your security context dies there. Your database connection tries to pass on this invalid context and you get your exception. – Erik Noren Mar 17 '14 at 05:08
  • If it's a double-hop issue, it's easy to test. Put credentials in your connection string. If that fixes the issue, it's double hop. If it doesn't, it's some other problem. Of course I've never used Single Sign On so I'm not sure if this is the same as integrated authentication issues but it's at least some place to start. – Erik Noren Mar 17 '14 at 05:14
  • It is a double hop issue, static credentials (not single sign on) work. – Dennis Mar 17 '14 at 06:31
  • "The NTLM authentication token is not supported" Isn't this an indicator basically saying IIS is trying to use NTLM instead of Kerberos? – Dennis Mar 17 '14 at 20:34
  • The Teradata forum said if Kerberos fails, the default is to fall back to NTLM. Which in this case sounds insufficient for what you need. – Erik Noren Mar 17 '14 at 20:51
0

If your resource is on a different server to IIS (or the config files think it is; try swapping the name to the IP address of the resource you're trying to access), then you're likely getting a double-hop issue, and NTLM will be used to authenticate unless your resource is on a server that is set up for Active Directory delegation. In short, NTLM will never succeed; you need to use delegation, and Kerberos will. See http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx

fuzzybear
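
The answers above turn on whether Kerberos or NTLM was actually negotiated. As an added example (not code from any of the posts), this Python sketch classifies the token in an `Authorization: Negotiate` header sent to IIS, which shows what the browser-to-web-server hop used. The function name `classify_negotiate` and both sample headers are constructed for illustration.

```python
import base64

# DER-encoded OIDs as they appear inside GSS-API / SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),          # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),          # 1.2.840.48018.1.2.2 (Microsoft variant)
)
NTLMSSP_SIG = b"NTLMSSP\x00"   # every NTLM message starts with this signature
KRB_AP_REQ = b"\x01\x00"       # token ID that follows the OID in a Kerberos AP-REQ


def classify_negotiate(header_value):
    """Return 'ntlm', 'kerberos', 'spnego-other' or 'invalid' for an
    Authorization header value such as 'Negotiate <base64>'."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "invalid"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:         # binascii.Error is a ValueError subclass
        return "invalid"
    # NTLM may be sent raw or wrapped in SPNEGO; the signature is present either way.
    if NTLMSSP_SIG in raw:
        return "ntlm"
    # A Kerberos mechToken is a GSS token: krb5 OID followed by the AP-REQ token ID.
    if any(oid + KRB_AP_REQ in raw for oid in KRB5_OIDS):
        return "kerberos"
    # 0x60 = initial GSS token, 0xa1 = SPNEGO follow-up (NegTokenResp).
    if raw[:1] in (b"\x60", b"\xa1"):
        return "spnego-other"
    return "invalid"


def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed samples, not captured traffic: an NTLM Type 1 message, and an
# abbreviated SPNEGO token (lengths are not valid DER) carrying a Kerberos AP-REQ.
SAMPLE_NTLM = _hdr(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24))
SAMPLE_KRB = _hdr(b"\x60\x40" + SPNEGO_OID + KRB5_OIDS[1] + b"\x60\x20"
                  + KRB5_OIDS[0] + KRB_AP_REQ + b"\x6e" + bytes(8))

if __name__ == "__main__":
    for name, value in (("ntlm sample", SAMPLE_NTLM), ("kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_negotiate(value))
```

A result of `ntlm` on the first hop means the web server never held a Kerberos ticket for the user. A result of `kerberos` still leaves delegation to the database server to be configured.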