Linux: "Unable to open default system browser" using ActiveDirectoryInteractive authentication

[tjlee]

Driver version

9.2.0

Client Operating System

Linux (5.8.0-50-generic, amd64)

JAVA/JVM version

JRE: 11.0.10+8-b1304.1 (JetBrains s.r.o.)
JVM: 11.0.10+8-b1304.1 (Dynamic Code Evolution 64-Bit Server VM)

Problem description

When user tries to authenticate using ActiveDirectoryInteractive in DataGrip, IDE immediately jumps back without opening a browser window and provides the message "The specified database user/password combination is rejected: Failed to authenticate the user alowed in Active Directory (Authentication=ActiveDirectoryInteractive)."

Current implementation relies on java.awt.Desktop#browse that does not work at least on some linux distributions without required gtk, gvfs libraries.
MSAL4J provides an option to override this behaviour https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/01bb6793bd77c0793a16a4c6091be60b17b54764/src/main/java/com/microsoft/aad/msal4j/SystemBrowserOptions.java#L56
JDBC driver does not expose that functionality
So the problem is with JDBC driver

It looks like OS specific since it works on other Linux machines in our team.

JDBC trace logs

<record>
  <date>2021-05-07T14:21:11.424336Z</date>
  <millis>1620397271424</millis>
  <nanos>336000</nanos>
  <sequence>146</sequence>
  <logger>com.microsoft.sqlserver.jdbc.internals.SQLServerConnection</logger>
  <level>FINE</level>
  <class>com.microsoft.sqlserver.jdbc.SQLServerConnection</class>
  <method>processFedAuthInfo</method>
  <thread>18</thread>
  <message>ConnectionID:1 ClientConnectionId: f5b9ae9a-f0cc-45c8-8ee5-c7ae6a19ffba FedAuthInfoData: https://login.windows.net/644ABBED-2AFC-4AF3-8BEA-ED3FB105FE8C</message>
</record>
<record>
  <date>2021-05-07T14:21:12.276153Z</date>
  <millis>1620397272276</millis>
  <nanos>153000</nanos>
  <sequence>147</sequence>
  <logger>com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils</logger>
  <level>FINE</level>
  <class>com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils</class>
  <method>getSqlFedAuthTokenInteractive</method>
  <thread>18</thread>
  <message>java.util.logging.Logger@5f091686Interactive authentication</message>
</record>
<record>
  <date>2021-05-07T14:21:13.030106Z</date>
  <millis>1620397273030</millis>
  <nanos>106000</nanos>
  <sequence>148</sequence>
  <logger>com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils</logger>
  <level>FINE</level>
  <class>com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils</class>
  <method>getCorrectedException</method>
  <thread>18</thread>
  <message>java.util.logging.Logger@5f091686 MSAL exception:com.microsoft.aad.msal4j.MsalClientException: Unable to open default system browser</message>
</record>
<record>
  <date>2021-05-07T14:21:13.032500Z</date>
  <millis>1620397273032</millis>
  <nanos>500000</nanos>
  <sequence>149</sequence>
  <logger>com.microsoft.sqlserver.jdbc.internals.SQLServerException</logger>
  <level>FINE</level>
  <class>com.microsoft.sqlserver.jdbc.SQLServerException</class>
  <method>logException</method>
  <thread>18</thread>
  <message>*** SQLException: com.microsoft.sqlserver.jdbc.SQLServerException: Failed to authenticate the user alowe in Active Directory (Authentication=ActiveDirectoryInteractive). Failed to authenticate the user alowe in Active Directory (Authentication=ActiveDirectoryInteractive).</message>
</record>
<record>
  <date>2021-05-07T14:21:13.034211Z</date>
  <millis>1620397273034</millis>
  <nanos>211000</nanos>
  <sequence>150</sequence>
  <logger>com.microsoft.sqlserver.jdbc.internals.SQLServerException</logger>
  <level>FINE</level>
  <class>com.microsoft.sqlserver.jdbc.SQLServerException</class>
  <method>logException</method>
  <thread>18</thread>
  <message>com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:227)com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthTokenInteractive(SQLServerMSAL4JUtils.java:183)com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:4632)com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:4497)com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:4460)com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:289)com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:125)com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:5332)com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4068)com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:85)com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4006)com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7418)com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3274)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2768)com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2418)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2265)com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1291)com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:881)com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:617)com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:43)java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)java.base/java.lang.reflect.Method.invoke(Method.java:566)java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:359)java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)java.base/java.security.AccessController.doPrivileged(Native Method)java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:562)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:796)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:677)java.base/java.security.AccessController.doPrivileged(Native Method)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:676)java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)java.base/java.lang.Thread.run(Thread.java:834)
 
caused by java.util.concurrent.ExecutionException: java.lang.RuntimeException: Unable to open default system browser
com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:225)com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthTokenInteractive(SQLServerMSAL4JUtils.java:183)com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:4632)com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:4497)com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:4460)com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:289)com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:125)com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:5332)com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4068)com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:85)com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4006)com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7418)com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3274)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2768)com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2418)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2265)com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1291)com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:881)com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:617)com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:43)java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)java.base/java.lang.reflect.Method.invoke(Method.java:566)java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:359)java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)java.base/java.security.AccessController.doPrivileged(Native Method)java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:562)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:796)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:677)java.base/java.security.AccessController.doPrivileged(Native Method)java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:676)java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)java.base/java.lang.Thread.run(Thread.java:834)</message>
</record>

Based on #1586

[lilgreenbird]

hi @tjlee

Currently the driver does not support custom browsers this will be an enhancement that we will consider when we plan for the next semester.

[mondal2pirad]

We are facing the similar issue when trying to connect from Linux machine

com.microsoft.aad.msal4j.MsalClientException: Unable to open default system browser
	at com.microsoft.aad.msal4j.AcquireTokenByInteractiveFlowSupplier.openDefaultSystemBrowser(AcquireTokenByInteractiveFlowSupplier.java:116)
	at com.microsoft.aad.msal4j.AcquireTokenByInteractiveFlowSupplier.getAuthorizationResult(AcquireTokenByInteractiveFlowSupplier.java:61)
	at com.microsoft.aad.msal4j.AcquireTokenByInteractiveFlowSupplier.execute(AcquireTokenByInteractiveFlowSupplier.java:37)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:59)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Our OS Details

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian

[luedi]

I have a similar issue on Windows 10. I already filed an issue in the MSAL4J repo:

Could not authenticate via Azure Directory Interactive with MFA

There i have attached more information and a trace log of a login attempt.

Driver Version: 9.4.0 / msal4j 1.11.2
Java Runtime version: 11.0.14.1+1-b2043.25 amd64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
Operating System Windows 10 Pro 21H2 Build 19044.1645

[tkyc]

Hi @luedi, going over the details it's strange that it's failing on windows for you as this issue happens on specific linux distros without the libraries mentioned above. I can suggest the following:

1. Could you double check your that your windows system has a default browser set? Within the driver, we redirect to localhost to use MSAL's default browser option for interactive auth

2. Could try again with a driver with a version >= 10.1.0? I recall we recently fixed some interactive authentication timeout issues

[luedi]

I just tried to connect with the latest driver (10.2.0) with the same result.

[tkyc]

Hi @luedi, could try and connect using this sample MSAL code? This is similar to what the driver does. https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/InteractiveFlow.java

[lilgreenbird]

hi @luedi

your driver log shows that you had timed out after 2 minutes. We do allow more time for MFA but sometimes authentication could be quite slow. Could you please try again with a longer loginTimeout? e.g. loginTimeout=120. Please see Setting the connection properties for more info on how to set connection properties for the driver.

[luedi]

Hi @tkyc: I downloaded the sample, but the Dependency TokenCacheAspect could not be resolved. Also I'm not familiar with using the driver directly, so please could you tell me what i have to use for CLIENT_ID, AUTHORITY and SCOPE ?
I have used the demo program https://github.com/AzureAD/microsoft-authentication-library-for-java/files/8533631/Test-MS-ActiveDirectoryInteractive-master.zip as blueprint and replaced the main class. The pom.xml defines following dependencies:

<dependencies>
    <dependency>
        <groupId>com.microsoft.sqlserver</groupId>
        <artifactId>mssql-jdbc</artifactId>
        <version>10.2.0.jre11</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>msal4j</artifactId>
        <version>1.11.3</version>
    </dependency>
</dependencies>

Even setting login timeout to 120 seconds leads to the same result.

Edit: I just setup a complete new Azure SQL Database in a different tenant to see if there is a configuration issue on Azure side, but unfortunately i get the same result as before...

[tkyc]

Hi @luedi, apologies for the confusion. There's no need for you to involve the driver for the sample MSAL code. Using the sample MSAL code, we'd like to see if you're able to make a successful token request, since that's similar to what the driver does. I believe the following steps should get you going:

1. You can remove the references to TokenCacheAspect
2. Your AUTHORITY should be https://login.windows.net/DB8E2F82-8A37-4C09-B7DE-ED06547B5A20 (I see this in the logs you posted, this is where we want to request the token from)
3. For CLIENT_ID, you'll need to register an application on Azure or use an existing one. (On Azure search for "App Registration")
4. For SCOPE, those are permissions to the application you'll be registering on Azure. On the app page on Azure for your registered app, that's found by clicking on "Expose an API" on the side. (This shouldn't be necessary, you can leave the SCOPE empty as well)

[tkyc]

Hi @luedi, just an update. I was experimenting with the interactive login and managed to repro the issue you're facing after changing my systems language level to German from English (I was following your issue in the other thread). At the moment, it seems to me it's a driver problem, as I was able to get interactive auth working solely with just Msal4j. However, with Msal4j + the driver, I faced the same error you encountered.

I've attached the repro code, if you or anyone else is interested.
standalone.zip

[lilgreenbird]

this is related to #1839 and is fixed by AzureAD/microsoft-authentication-library-for-java#511