Description
We are seeing intermittent connection failures from a Node.js application using Tedious to connect to Azure SQL with Azure AD managed identity (Entra) authentication. The same environment and configuration worked for months, and then started failing on 2026‑03‑05 without any changes to our application code or Tedious version.
Azure support has performed an in‑depth investigation and their conclusion is that the issue is likely related to how Tedious constructs the TDS login/auth packet when using larger DB packet sizes, especially in combination with managed identity tokens.
When we reduce the DB packet size in the connection options, the problem disappears, which strongly suggests a client‑side framing issue.
Environment
- Driver: Tedious (version: 2.6.1) (tried with multiple higher versions)
- Runtime: Node.js (version: 22)
- Target: Azure SQL Database
- Authentication: Azure AD / Managed Identity (Entra ID)
- Deployment: Azure App Service / AKS (App Service in our case)
- DB packet size used:
  - Problematic: 6556
  - Mitigation / working: 512 or 1024
Symptoms
- Connections to Azure SQL using Tedious + managed identity failing.
- The failures started around 2026‑03‑05.
- No changes were made to:
  - Application code
  - Tedious version
  - DB packet size (it was 6556 for months)
- When the failure occurs:
  - Azure’s SQL gateway receives and ACKs all TCP segments.
  - After the TDS packet is fully reassembled and decrypted, the SQL gateway sends a TCP RST.
  - This indicates that the issue is not a network/MTU problem, but something in the TDS payload.
- Using the same managed identity tokens with sqlcmd works reliably, so the tokens themselves are valid and accepted by Azure SQL.
- After changing the DB packet size in the Tedious connection configuration from 6556
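
One way to test a decrypted capture for the kind of client-side framing problem this report describes is to walk the 8-byte TDS packet headers of a single message and compare them against the configured packet size. The sketch below is an added example, not Tedious code and not part of the original report; the function names and the 3000-byte sample payload are constructed for illustration.

```javascript
// Added diagnostic sketch (not Tedious code). TDS packet header per MS-TDS:
// type(1) status(1) length(2, big-endian, header included) spid(2) packetId(1) window(1)
const HEADER_LEN = 8;
const STATUS_EOM = 0x01;  // end-of-message bit in the status byte
const TYPE_LOGIN7 = 0x10; // LOGIN7 message type

// Split one message payload into TDS packets no larger than packetSize.
function frameMessage(type, payload, packetSize) {
  const chunk = packetSize - HEADER_LEN;
  const packets = [];
  for (let off = 0, id = 1; off === 0 || off < payload.length; off += chunk, id++) {
    const body = payload.subarray(off, off + chunk);
    const pkt = Buffer.alloc(HEADER_LEN + body.length);
    pkt.writeUInt8(type, 0);
    pkt.writeUInt8(off + chunk >= payload.length ? STATUS_EOM : 0x00, 1);
    pkt.writeUInt16BE(pkt.length, 2);
    pkt.writeUInt8(id & 0xff, 6);
    body.copy(pkt, HEADER_LEN);
    packets.push(pkt);
  }
  return packets;
}

// Walk the decrypted bytes of ONE message and report framing problems.
function checkFraming(stream, packetSize) {
  const problems = [];
  let off = 0, n = 0, type = null, sawEom = false;
  while (off < stream.length) {
    if (stream.length - off < HEADER_LEN) { problems.push(`truncated header at offset ${off}`); break; }
    const len = stream.readUInt16BE(off + 2);
    if (len < HEADER_LEN || off + len > stream.length) { problems.push(`bad length ${len} at offset ${off}`); break; }
    if (len > packetSize) problems.push(`packet ${n}: ${len} bytes exceeds packet size ${packetSize}`);
    if (type !== null && stream.readUInt8(off) !== type) problems.push(`packet ${n}: type changes mid-message`);
    if (sawEom) problems.push(`packet ${n}: data after EOM`);
    type = stream.readUInt8(off);
    sawEom = sawEom || (stream.readUInt8(off + 1) & STATUS_EOM) !== 0;
    off += len;
    n++;
  }
  if (n > 0 && !sawEom && problems.length === 0) problems.push('message never sets EOM');
  return { packets: n, problems };
}

// Constructed sample: a 3000-byte stand-in for a login payload carrying a token.
const samplePackets = frameMessage(TYPE_LOGIN7, Buffer.alloc(3000, 0x41), 1024);
console.log(checkFraming(Buffer.concat(samplePackets), 1024));
console.log(checkFraming(Buffer.concat(samplePackets), 512));
```
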