-
Title
"Authentication was requested but the required DDJDBCx64Auth05.dll was not found on the path specified by the java.library.path system property." -
Description
SQL Server agent log files display the following error
com.dell.dsgi.jdbc.sqlserverbase.dden: [Foglight][SQLServer JDBC Driver]NTLM (type-2) Authentication was requested but the required DDJDBCx64Auth05.dll was not found on the path specified by the java.library.path system property.
This may cause SQL Server agents not to added using Windows Authentication. A message in the installer log similar to the following may be found
[AGENTNAME], user account [DOMAIN\USER] . Reason : [[Foglight][SQLServer JDBC Driver]Unknown error code:HY001:NTLM authentication failed due to insufficient memory- Profile:MSSQLProfile{host='HOSTNAME', instance= 'INSTANCENAME', username='DOMAIN\USER', authType= 'WINDOWS_CUSTOM', port= '0' useNTLMv2= 'true', socketTimeout= '900', secureConnection= 'REQUEST' }]. . [SQL-Server Error Code = 0. SQL state : HY000]The SQL Server JDBC command line mssql-connection-test is successful using a SQL Server account (e.g. 'sa').
-
Cause
DataDirect 3rd party SQL Server driver issue. Root cause of the specific error is unknown. Refer to Progress KB Article ID 000167326 - "'DDJDBCAuth05.dll already loaded in another classloader' when starting Sonic with the Connect for JDBC SQL Server driver" for more details.
Starting from Cartridge for SQL Server 5.9.7.23, we ship both Progress DataDirect for JDBC for SQL Server driver (DD driver) and Microsoft JDBC Driver for SQL Server. The default is the Microsoft driver but we have an optional parameter to force using the legacy DataDirect driver. Microsoft JDBC driver is not affected by this issue.CAUSE 1
Two DataDirect 3rd party DLL files used for authentication are missing.
CAUSE 2
A contributing factor has been found that when a user belongs to many groups, that user may have problems with authentication or with Group Policy settings. This is detailed in Microsoft KB Article ID 327825 - "Problems with Kerberos authentication when a user belongs to many groups".
CAUSE 3
Issue stating the DLL path.
CAUSE 4
Database connection is using Windows Default Account Authentication on Unix.
CAUSE 5
Unknown Windows Default Account connection issue
-
Resolution
The preferred solution is to upgrade SQL Server cartridge to a supported version which already uses Microsoft JDBC driver by default. This may also require to remove the optional parameter to force using DataDirect driver.
WORKAROUND 1Add the following two missing files
- DDJDBCAuth05.dll
- DDJDBCx64Auth05.dll
To the Foglight SQL Server agent library on the Foglight Agent Manager in
{Foglight Agent Manager install location}\agents\DB_SQL_Server\{version number}\lib
WORKAROUND 2
To determine the Access Token Size on some of the hosts affected.
The Access token size in bytes can be estimated by using the following formula:
[12 x number of user rights] + [token overhead] + [44 x number of group memberships] = token size in bytes- User rights include rights such as "Log on locally" or "Access this computer from the network." The only user rights that are added to an access token are those user rights that are configured on the server that hosts a secured resource. Most Exchange Server users are likely to have only two or three user rights on the Exchange server. Administrators may have dozens of user rights. Each user right requires 12 bytes to store it in the token.
- Token overhead includes multiple fields such as the token source, expiration time, and impersonation information. For a typical domain user who has no special access or restrictions, token overhead is likely to be between 400 and 500 bytes. Typically, estimating 500 bytes for both user rights and token overhead is more than sufficient.
- Each group membership adds the group SID to the token together with an additional 16 bytes for associated attributes and information. The maximum possible size for a SID is 68 bytes. However, it is rare for a SID to be this large. In Windows Server 2003 and in earlier versions of Windows, the typical SID for a user or a group is 28 bytes in length. Therefore, each security group to which a user belongs typically adds 44 bytes to the user's token size.
Group nest can also factor into the calculation as described in archived Microsoft KB Article ID 912376 - "How to monitor and troubleshoot the use of paged pool memory in Exchange Server 2003 or in Exchange 2000 Server"
To increase the MaxTokenSize on affect hosts
To allow a user to be a member of more groups, users can increase the size of the MaxTokenSize by modifying the following registry key on the remote server as described in a Microsoft KB blog - "MaxTokenSize and Kerberos Token Bloat" or using a group policy as described in Microsoft KB Article ID 938118 - "How to use Group Policy to add the MaxTokenSize registry entry to multiple computers".
Note: Support does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft KB Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support.
WORKAROUND 3
Test the connection using the MSSQL connection test with Windows Authentication and fix any PATH issues.
WORKAROUND 4
Windows Default Authentication does not exist on Unix.
WORKAROUND 5
Use a Windows Custom Account instead of a Windows Default Account.
STATUS
FOG-1316 has been added in SQL Server cartridge 5.9.7.23 to replace the default third party DataDirect SQL Server JDBC driver with a Microsoft SQL Server JDBC driver.