Tedious: Windows Authentication requires specifying username/password

I investigated this some. What I've learnt so far is that support for Windows Integrated Authentication uses SSPI and NodeJS currently does not support SSPI. There is a node-sspi npm package but that only has support for server side. Also it only works for a HTTP server. It's a native implementation with JavaScript binding. Client side SSPI implementation would also need to be native code with JavaScript bindings.

My proposal is to build a client side SSPI support in a new npm package with an API that's suitable for consumption by Tedious and have Tedious take a dependency on the package for SQL Server Windows Integrated Auth.

Would appreciate any thoughts. Thanks.

Yup, that sounds reasonable. I don't think the binary module should be part of tedious, so 👍 on the idea of having it as a separate npm module.

Cool. First cut will likely have support only for Windows. Are we ok with a Windows only feature to start with?

Windows and Linux have different API for supporting Windows Integrated Authentication. We should be able to build support for both platforms into one package. But wondering if there is precedent for dependencies on different packages for Windows vs Linux.

Cool. First cut will likely have support only for Windows. Are we ok with a Windows only feature to start with?

Yes, that's fine. I imagine this will be an optional feature, so only supporting Windows at first is fine. 👍

I'm sharing a short snippet using the ClientSspi class interface I have in mind. Please share any feedback on the shape of the API.

ClientSspi = require('ClientSspi');

serverName = 'servername.example.com';

// Server name should be the only configuration. Windows SSPI APIs will get
// the tokens to be presented to the server to authenticate the logged in user.
clientSspi = new ClientSspi(serverName);

// authprotocol parameter can take three values.
// Negotiate, Kerberos, Ntlm
// Negotiate: With this option client will negotiate with the server
// on security protocol using SPNEGO.
//
// If nothing is specified, the first supported protocol will be used. The
// protocols will be attempted in the sequence listed above.
clientSspi.initialize(authprotocol, function(errorCode, errorString) {
  if (errorCode || errorString) {
    throw('SSPI intialization failed: ', errorCode, ': ', errorString);
  }

  var sspiServerResponse = new Uint8Array([]);
  var sspiDone = false;

  while (!sspiDone) {
    // This call gets the next set of bytes to send to the server as part of the
    // SSPI dance.
    clientSspi.getNextSspiBlob(sspiServerResponse, function (sspiClientResponse, isDone, errorCode, errorString) {
      if (errorCode || errorString) {
        throw('SSPI intialization failed: ', errorCode, ': ', errorString);
      }

      sspiDone = isDone;

      // This function will send the sspiClientResponse to the server and invokes the
      // callback when the response from the server becomes available.
      SendSspiBlobToSqlServerAndGetResponse(sspiClientResponse, function (serverResponse, errorString) {
        if (errorString) {
          throw(errorString);
        }

        sspiServerResponse = serverResponse;
      });
    });
  }
});

I have a stub implementation of the API at https://github.com/tvrprasad/sspi-client.

@arthurschreiber Please make a quick pass when you get a chance. Send me any feedback or open issues against the repository. Once I fill in the implementation, I plan to use that to implement Windows Integrated Authentication in Tedious.

I threw something together to integrate sspi-client to tedious and see if it works and it does! I was able to connect using ntlm, kerberos and negotiate security packages without specifying password!

@arthurschreiber you can find the hack here. This is not ready for PR by any means, but let me know if you see issues at a high level.
https://github.com/tvrprasad/tedious/tree/windows-integrated-auth-draft

Reopening this issue to track Windows integrated auth till it's made pluggable, more detail in https://github.com/tediousjs/tedious/commit/f5a2260f.

@v-suhame what's the latest with this? Are you just waiting on #624?

Is there anything I can do to help get it moving?

@kevinkuszyk Thanks for the offer to help 😃 Looping in @arthurschreiber to get latest update.

Is windows integrated authentication on Linux server available now?

@sxpati2 Windows integrated authentication, as the name suggest is juts for Windows OS. For Linux it would be Kerberos Integrated auth. Tedious currently doesn't support Windows or Kerberos integrated auth, it is in our future plan.

I'd just like to check in on this. It seems like there's been a major refactor. Is there a way that I can just loop msnodesqlv8 into tedious? I thought msnodesqlv8 would just drop into sequelize but it didn't.

@arthurschreiber It looks like the PR #497 Windows Integrated Authentication was merged that allows window authentication without needing username/password, but I can't seem to find that anymore in the latest tedious version. Just wondering what happened to that feature?

Has the situation changed since then ? Or has that feature been temporarily lost in the refactor ?

Has the situation changed since then ? Or has that feature been temporarily lost in the refactor ?

I'd love to know as well!

Greetings, what is the word with this feature? thanks!