Failed to connect to Azure SQL Database using ODBC Driver 17 with ActiveDirectoryMsi: Required metadata header not specified or not correct

Question

Failed to connect to Azure SQL Database using ODBC Driver 17 with ActiveDirectoryMsi: Required metadata header not specified or not correct

xbai15 5

Hi,

I was trying to connect the Azure Container Instance to my Azure SQL Database using Azure Active DIrectory User Managed Identity. But I can't establish a connection using ODBC Driver 17.

Error Message:

[S1T00][unixODBC][Microsoft][ODBC Driver 17 for SQL Server]Login timeout expired

[FA004][unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Failed to authenticate the user '' in Active Directory (Authentication option is 'ActiveDirectoryMSI').
Error code 0xA190; state 41360
Required metadata header not specified or not correct
Required metadata header not specified or not correct
Required metadata header not specified or not correct
Required metadata header not specified or not correct

[CE275][unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Error requesting access token, HTTP status 400, expected 200

[08001][unixODBC][Microsoft][ODBC Driver 17 for SQL Server]TCP Provider: Timeout error [258]. 

[08001][unixODBC][Microsoft][ODBC Driver 17 for SQL Server]Unable to complete login process due to delay in login response

Configuration Details:

The ODBC driver used in the docker image has a version of 17.10.5.1-1,
The identity has been assigned to the container instance and is set as an external user of the database in table [sys.database_principals]
The identity is set as a contributor to the database.
Network connectivity from the Azure Container Instance to the SQL Server has been checked and confirmed.
The DNS configuration according to Using Azure Active Directory with the ODBC Driver

[dns-name]
Driver=ODBC Driver 17 for SQL Server
Server=<server-name>
Database=<database-name>
UID=<object id of the assigned identity>
Authentication=ActiveDirectoryMsi
Encrypt=yes

Could anyone help identify the cause of these errors or suggest troubleshooting steps? Any insights or suggestions would be greatly appreciated.

1 answer

Your answer

Answer 1

Amira Bedhiafi 33,071 Volunteer Moderator

The problem is how the SQL Server uses or recognizes Active Directory Managed Service Identity (MSI).

Make sure that your authentication method (ActiveDirectoryMsi) is correctly set up in both the Azure Container Instance and the SQL Server configurations.

Also you need the Managed Identity has the necessary permissions on the SQL Server. It should have the correct roles and permissions assigned to access the database.

Here are some threads :

https://stackoverflow.com/questions/46681021/can-not-connect-to-azure-sql-server-using-active-directory-integrated-authentica

https://learn.microsoft.com/en-us/answers/questions/1383555/managed-identity-authentication-from-synapse-noteb

xbai15 5 Reputation points

2023-11-12T21:53:13.6866667+00:00

Hi Amira,

Thank you for taking the time to answer my question!

For debugging purposes, I was able to establish a connection using MSI authentication between the SQL server and an ACI using the go-mssql driver with an additional Azuread package. Also I used the sqlcmd provided by the go-mssql driver to perform DDL/DML command on my database.

Both containers using ODBC driver and go-mssql driver are assigned with the same user-managed Identity. So does this rule out the concern that Managed Identity does not have the necessary permissions or that the MSI is not configured correctly on both the ACI and SQL server?

Based on what I have gathered I'm leaning more toward the possibility that the issue is with the configuration of the ODBC driver, I read about Kerberos in these articles:

https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/using-integrated-authentication?view=sql-server-ver16

https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-kerberos

But I'm not sure if Kerberos is necessary for this MSI authentication.
Amira Bedhiafi 33,071 Reputation points Volunteer Moderator

2023-11-15T17:37:52.85+00:00

Based on your successful connection using the go-mssql driver with an additional Azuread package and the ability to perform database operations with sqlcmd, it does seem likely that the Managed Identity is correctly configured and has the necessary permissions. This success effectively rules out issues with Managed Identity permissions or configuration as the primary cause of your problems with the ODBC driver.

Share via

Failed to connect to Azure SQL Database using ODBC Driver 17 with ActiveDirectoryMsi: Required metadata header not specified or not correct

Error Message:

Configuration Details:

1 answer

Your answer