There may be others who can respond with more experience on this question, but this is my understanding of how we handle this in my organization.
We generally have a policy of scanning everything. That means for clusters and mirrors, we scan all nodes. However, depending on how the technology is configured, in addition to each node we may scan the cluster VIP as well, depending on whether the cluster allows us to access one, both or none of the nodes. I know that can result in repetitive findings, but it ensures complete coverage, as my organization has compliance requirements to fulfill.
We also have a separate process to track connectivity and have a list of justifications for why something does not connect. This allows us to ignore things like clusters/mirrors/standby/DR and other connectivity issues that are intended, so our staff doesn't re-evaluate these every time there is a scan.
Additionally, we parse the connectivity errors and assign them to one of six categories:
DB_Host, DB_Instance, DB_Error, DB_StandbyorShutdown, Account_Credential, Account_Permission
We parse the lengthy connection error and have a sub-category of summarized errors that a non-technical person could understand.
This allows us to assign more junior staff to handle datasource connectivity issues without them having to really understand the problem. They can also group by category and sub-category into one ticket, so they minimize repetition of effort.
These steps allow us to have a staff of three to manage all datasource MAC as well as datasource connectivity issues, and they are not fully utilized in an organization with at least a few thousand datasources.
Hope this helps you.
------------------------------
Walter York
------------------------------
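An added example, not from Walter's post or from Guardium itself, of the kind of parser the post describes: it maps a raw connection error to one of the six categories above plus a plain-language sub-category, and groups datasources that share the same pair into one ticket. The regex rules, the summaries and all sample error strings except the one quoted in this thread are assumptions of mine, not taken from any product.

```python
import re

# Hypothetical triage rules (assumed, not from the post): each regex is tested
# against the lower-cased error and maps to one of the six categories the post
# names plus a plain-language sub-category. Order matters: host and instance
# problems are tested before account ones so "login failed" does not swallow them.
RULES = [
    (r"unknown host|could not resolve|no route to host|connection refused|timed out|network error",
     "DB_Host", "Host unreachable on the network or port closed"),
    (r"service name|instance .* not found|listener refused|database .* does not exist",
     "DB_Instance", "Host reachable but instance or service name is wrong"),
    (r"standby|read[- ]only|shut ?down|in recovery|not currently available",
     "DB_StandbyorShutdown", "Database is a standby or is currently down"),
    (r"permission denied|access denied|not able to access the database|insufficient privilege",
     "Account_Permission", "Scan account connects but lacks required privileges"),
    (r"untrusted domain|login failed|account is locked|password",
     "Account_Credential", "Scan account, domain or password rejected by the server"),
]

def categorize(error_text):
    """Return (category, summary, matched_fragment); unknown text is DB_Error."""
    text = error_text.lower()
    for pattern, category, summary in RULES:
        m = re.search(pattern, text)
        if m:
            return category, summary, m.group(0)
    return "DB_Error", "Unrecognised database error, needs DBA review", ""

def group_into_tickets(errors):
    """Group datasources by (category, summary) so one ticket covers them all."""
    tickets = {}
    for datasource, error_text in errors:
        category, summary, _ = categorize(error_text)
        tickets.setdefault((category, summary), []).append(datasource)
    return tickets

# Constructed sample: the first error is the one quoted in this thread, the
# others are made-up messages in the style of JDBC failures.
SAMPLE_ERRORS = [
    ("MSSQL_MSSQLSERVER_1433", "java.sql.SQLException: Login failed. The login is from "
     "an untrusted domain and cannot be used with Windows authentication."),
    ("MSSQL_HR_1433", "java.sql.SQLException: Login failed for user 'VA_User'."),
    ("MSSQL_DR_1433", "java.sql.SQLException: Network error IOException: Connection refused"),
    ("ORA_FIN_1521", "java.sql.SQLException: Listener refused the connection: service name not known"),
    ("MSSQL_RPT_1433", "java.sql.SQLException: Database 'master' is in recovery"),
]

if __name__ == "__main__":
    for (category, summary), names in group_into_tickets(SAMPLE_ERRORS).items():
        print(f"{category:22} {summary:55} {', '.join(names)}")
```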
Original Message:
Sent: Thu February 10, 2022 02:13 AM
From: Akashkumar Parmar
Subject: Getting Error while creating Datasource for Guardium (VA)Security Assessment
Hello Walter/Revan, hope all is well.
Thank you for your responses. I was able to make a connection successfully after putting in the correct connection property fields.
However, could you tell me: if the database servers are in a clustered environment, then do we only need to create a data source for the main node and perform VA on that primary (main) node only?
------------------------------
Akashkumar Parmar
Original Message:
Sent: Wed February 09, 2022 11:31 AM
From: Walter York
Subject: Getting Error while creating Datasource for Guardium (VA)Security Assessment
Unfortunately, 'The login is from an untrusted domain and cannot be used with Windows authentication.' is quite common and not detailed enough. Within my enterprise this usually means the scan account is locked, or the username/password is bad, or you have not defined the domain with the scan account. This is almost always a credential issue and not a bad host/port/service name.
My suggestion is to re-enter your userid with domain, password, and validate your connection property field.
Paste your password into a non-obfuscated field in the datasource to be sure you're pasting the right password with no spaces or carriage returns.
You can append the domain to your userid either by:
annotating in the datasource username field: yourdomain\userid
or annotating in datasource connection property field: domain=yourdomain
My enterprise uses the domain in the username field and we use the following in our connection property:
AuthenticationMethod=ntlm2java;encryptionMethod=SSL;validateServerCertificate=false
I don't recommend adding anything to the connection property field if it is currently blank for your datasources till you have established connectivity first. Then you can add encryption to your connections.
------------------------------
Walter York
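An added pre-flight check, not part of Walter's reply or of Guardium, that automates the points he lists: whether the domain is supplied as DOMAIN\userid or as a domain= connection property, whether the pasted password carries stray whitespace or line breaks, and what the connection property string says about encryption and certificate validation. The key=value;key=value format and the property names are taken from the string quoted in the reply; the function names and sample inputs are mine.

```python
def parse_connection_property(prop):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    props = {}
    for item in prop.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props

def preflight(username, password, connection_property=""):
    """Findings to fix before testing the datasource, per the reply's advice:
    the domain must be supplied one of two ways, and the pasted password must
    not carry stray whitespace or line breaks."""
    findings = []
    props = parse_connection_property(connection_property)
    if "\\" not in username and "domain" not in props:
        findings.append("no domain: use DOMAIN\\userid or domain=DOMAIN in connection property")
    if password != password.strip() or "\r" in password or "\n" in password:
        findings.append("password carries leading/trailing whitespace or a line break")
    return findings

def encryption_status(connection_property):
    """Report what the connection property says about transport protection,
    for review once connectivity works. Raw values are returned unchanged;
    None means the key is absent and the driver default applies."""
    props = parse_connection_property(connection_property)
    return {
        "encrypted": props.get("encryptionmethod", "").lower() == "ssl",
        "validate_server_certificate": props.get("validateservercertificate"),
        "authentication_method": props.get("authenticationmethod"),
    }

if __name__ == "__main__":
    # Constructed inputs: the property string is the one quoted in the reply.
    print(preflight("VA_User", "S3cret!\r\n"))
    print(encryption_status(
        "AuthenticationMethod=ntlm2java;encryptionMethod=SSL;validateServerCertificate=false"))
```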
Original Message:
Sent: Tue February 08, 2022 08:09 AM
From: Akashkumar Parmar
Subject: Getting Error while creating Datasource for Guardium (VA)Security Assessment
Hello Seniors, hope all is well.
We are in the phase of implementing Guardium Vulnerability Assessment on MS SQL DB servers. We created the login and executed the SQL script given by IBM Support, so on some of the MS SQL Servers we were able to create the data source and perform the VA tests;
however, on a few MS SQL Servers we are getting an authentication error/exception while testing the data source for VA, as mentioned below. Note that I have replaced the exact IP address with just 'IP'.
Please note that the login is available in Active Directory, so on the MS SQL instance it is authenticated by AD; also, we checked that on the MS SQL instance authentication is set to "Mixed Mode".
Could not connect to: 'jdbc:jtds:sqlserver://IP:1433' for user: 'MSSQL_MSSQLSERVER_1433__MS SQL SERVER(Security Assessment)'. DataSourceConnectException: Could not connect to: 'MSSQL_MSSQLSERVER_1433__MS SQL SERVER IP:1433' for user: 'VA_User'.
Exception: java.sql.SQLException: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
If someone can help me on this, that would be a great help. Thanks in advance.
------------------------------
Sincerely,
Akashkumar Parmar
------------------------------