Share via

Azure Container Apps → Azure PostgreSQL Flexible Server bağlantısı: “authentication exchange unsuccessful”

RIDVAN EYYUPKOCA 0 Reputation points
2025-11-07T18:22:16.1566667+00:00

I’m running Kong 3.9.1 in Azure Container Apps and trying to connect it to an Azure PostgreSQL Flexible Server, but Kong fails during startup with: “[PostgreSQL error] failed to retrieve PostgreSQL server_version_num: authentication exchange unsuccessful.” The DB is public (All networks). Connection settings are standard (host: mypostgresql.postgres.database.azure.com, db: kong, user: kong, SSL enabled with verification temporarily off). I’ve ensured the kong role exists, made it the owner of the kong database, granted CREATE on the public schema (and also tried transferring schema ownership), installed pgcrypto as admin, and reset the password (SCRAM). I also attempted a psql test from inside the container with sslmode=require. Is there any known issue with SCRAM/TLS handshake or SNI between Azure Container Apps and Azure PostgreSQL Flexible Server that could cause this, and what additional diagnostics or configuration changes would you recommend to resolve the “authentication exchange unsuccessful” error?

Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-11-07T18:22:37.98+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error message "authentication exchange unsuccessful" typically indicates issues with the authentication method being used between your application (Kong) and the Azure PostgreSQL Flexible Server. Here are some considerations and steps you can take to troubleshoot this issue:

    1. SCRAM Authentication: Ensure that your PostgreSQL server is configured to support SCRAM authentication. If the server is set to use MD5 or another method, it may not work with SCRAM. You can check the pg_hba.conf configuration to confirm the authentication methods allowed.
    2. SSL Configuration: Since you mentioned that SSL is enabled with verification temporarily off, ensure that the SSL settings are correctly configured. You might want to try connecting with SSL verification enabled to see if that resolves the issue. The connection string should specify sslmode=require or sslmode=verify-full depending on your security requirements.
    3. Network Configuration: Since the database is public and accessible from all networks, ensure that there are no firewall rules or network security groups blocking the connection from your Azure Container Apps to the Azure PostgreSQL Flexible Server.
    4. Database Role and Permissions: Double-check that the kong role has the necessary permissions to connect to the kong database. You mentioned that you granted CREATE on the public schema, but also ensure that the role has connection privileges.
    5. Testing Connection: Since you attempted a psql test from inside the container, ensure that the command used matches the connection parameters you are using in Kong. If possible, try connecting with a simpler client to rule out issues specific to Kong.
    6. Logs and Diagnostics: Review the PostgreSQL logs for any additional error messages that may provide more context on the authentication failure. You can also enable detailed logging in Azure for more insights.

    If the issue persists after these checks, consider reaching out to Azure support for further assistance, as they may have more specific insights regarding the interaction between Azure Container Apps and Azure PostgreSQL Flexible Server.

    References:

    0 comments
  2. Pashikanti Kumar 1,725 Reputation points Microsoft External Staff Moderator
    2025-11-08T00:20:21.4166667+00:00

    Hi RIDVAN EYYUPKOCA,

    Thanks for reaching out on Microsoft Q&A

    The issue of "authentication exchange unsuccessful" from Azure Container Apps to Azure PostgreSQL Flexible Server often relates to authentication and network configuration problems rather than the specific app like Kong.

    Key points to address:

    1.Managed Identity Authentication:

    If you are using Azure AD/Entra ID Managed Identity for authentication, confirm that the Container App has a system-assigned or user-assigned managed identity enabled.

    Ensure this identity is properly granted access to the PostgreSQL Flexible Server and that PostgreSQL is configured to accept Azure AD authentication.​

    2.Password and SCRAM Authentication:

    If using password authentication, confirm the password is SCRAM-SHA-256 hashed, and the client library in the Container App supports that authentication method.​

    Password authentication failure or SSL misconfiguration can also cause the "authentication exchange" error.

    3.SSL and Network Configuration:

    Confirm SSL settings are correct: SSL is enabled, and the client connecting from Container App supports SNI (Server Name Indication) during TLS handshake which PostgreSQL Flexible Server requires.​

    Check firewall rules and VNET settings. Ensure the Container App has network access to the database server, and that no firewall or NSG is blocking the connection.

    Reference

    Connect with Managed Identity - Azure Database for PostgreSQL | Microsoft Learn

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.