-
Title
"Untrusted domain" error when adding a new agent to a SQL Server PI Repository -
Description
When attempting to add a SQL PI extension to a SQL Server PI repository database Active Directory (AD) Windows authentication, a message stating at the domain service account failed to connect from an untrusted domain and cannot be used with integrated authentication appears.
[Foglight][SQL Server JDBC Driver][SQLServer]Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
-
Cause
There is a known issue in SQL Server JDBC driver:Question: https://github.com/microsoft/mssql-jdbc/issues/1180Fix Ticket: https://github.com/microsoft/mssql-jdbc/pull/1184The Microsoft SQL Server driver doesn't support the "Send NTLMv2 response only" option in SQL Server in 7.4.1 JDBC driver.The NTML setting can be configured in following places:Policy LocationComputer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Registry LocationHKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevelIn the latest 8.2 JDBC driver, Microsoft has fixed this.
-
Resolution
CAUSE 1 NTLM Security
WORKAROUND
Turn off NTLMv2 session security
Users can restrict and/or disable NTLM authentication via Group Policy. It's located in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, and the options are listed as "Network Security: Restrict NTLM:"
STATUS
This issue has been logged as PIFOG-692 and has been fixed in the 5.9.5.15 and higher releases of the SQL Server and Oracle cartridges.
The latest version of the 5.9.5.16 cartridge can be downloaded from KB 289910.
CAUSE 2 Port blocked
Ensure that the SQL Server connection port is open on any firewalls between the FMS, FglAM, and SQL Server repository server.
-
Defect ID
PIFOG-692