Is there any way to connect to SQL Server 2022 using Client Certificate Authentication with an X.509 cert? From everything I can see it looks like this is not possible, but where I am confused is that it looks like there is an option in the ODBC 18 Driver here to specify a client cert and key. In what scenario is this supported? Perhaps I am missing something in the documentation?
Just for fun I did try creating a certificate in SQL Server and authenticating to it using the ODBC Driver in C# like so.
- Make a Cert and map to a login
USE MASTER;
--create cert
CREATE CERTIFICATE coolCert
ENCRYPTION BY PASSWORD = ''
WITH SUBJECT = 'coolLogin',
EXPIRY_DATE = '12/31/2026';
--create login from cert
CREATE LOGIN coolLogin FROM CERTIFICATE coolCert;
go
--backup cert to server
BACKUP CERTIFICATE coolCert TO FILE = 'c:\certs\coolCert.pfx'
WITH FORMAT = 'PFX', PRIVATE KEY (
ENCRYPTION BY PASSWORD = '',
DECRYPTION BY PASSWORD = '',
ALGORITHM = 'AES_256');
GO
- Client Auth Test
using System;
using System.Data.Odbc;

// Connection string for ODBC Driver 18 with the ClientCertificate/ClientKey keywords.
// "thePassword" stands in for the PFX password. Every fragment must be joined with "+":
// a fragment ending in ";" on its own line is a dangling statement and will not compile.
string connectionString = "" +
    "Driver={ODBC Driver 18 for SQL Server};" +
    "Server=SomeCoolServer;" +
    "Database=master;" +
    "TrustServerCertificate=yes;" + //tried both yes and no
    "Encrypt=yes;" +
    "ClientCertificate=file:C:\\certs\\coolCert.pfx,password:thePassword;" +
    "ClientKey=file:C:\\certs\\sqlcert.key;";

using (OdbcConnection connection = new OdbcConnection(connectionString))
{
    try
    {
        connection.Open();
        Console.WriteLine("Connection successful!");

        // Show which login the server actually authenticated us as
        string query = "select SUSER_SNAME()";
        OdbcCommand command = new OdbcCommand(query, connection);
        using (OdbcDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                Console.WriteLine(reader[0].ToString());
            }
        }
    }
    catch (Exception ex)
    {
        // Driver and server errors (including "Login failed") surface here
        Console.WriteLine("Error: " + ex.Message);
    }
}
It actually seems like it accepts the cert, and I even tried using an incorrect password and it threw an exception that the password was wrong, but even with all this I am getting the following error:
Error: ERROR [28000] [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Login failed for user ''
CREATE LOGIN's Remarks: "Logins created from certificates or asymmetric keys are used only for code signing. They can't be used to connect to SQL Server." SQL Server does not support connections via certificates.
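The answer says certificate logins exist for code signing, not for connecting. The following T-SQL is an added example (not code from the question or the answer) of what that pattern looks like in practice: a certificate signs a stored procedure in a user database, a copy of the certificate's public key in master is mapped to a login that holds a server-level permission, and callers of the signed procedure get that permission only while the module runs. The database name AppDb, the objects SigningCert, SigningLogin, dbo.GetSessionList, the user AppUser, the password and the file path are all assumed for illustration.

```sql
-- Added example: module signing with a certificate-mapped login.
-- Assumed names: AppDb, SigningCert, SigningLogin, dbo.GetSessionList, AppUser,
-- the password and C:\certs\SigningCert.cer.
USE AppDb;
GO

-- 1. Certificate whose private key is protected by a password (no DMK needed).
CREATE CERTIFICATE SigningCert
    ENCRYPTION BY PASSWORD = 'Strong#Passw0rd!'
    WITH SUBJECT = 'Module signing for dbo.GetSessionList';
GO

-- 2. A procedure that needs VIEW SERVER STATE, which ordinary users do not hold.
CREATE PROCEDURE dbo.GetSessionList
AS
    SELECT session_id, login_name, status
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
GO

-- 3. Sign the module. The signature binds the procedure text to the certificate;
--    any ALTER PROCEDURE drops the signature and the extra rights with it.
ADD SIGNATURE TO dbo.GetSessionList
    BY CERTIFICATE SigningCert WITH PASSWORD = 'Strong#Passw0rd!';
GO

-- 4. Export only the public part; master never needs the private key.
BACKUP CERTIFICATE SigningCert TO FILE = 'C:\certs\SigningCert.cer';
GO

-- 5. Same certificate in master, mapped to a login that carries the permission.
--    This login is exactly the kind that "can't be used to connect to SQL Server";
--    it only adds its permission to the token of a session executing the signed module.
USE master;
GO
CREATE CERTIFICATE SigningCert FROM FILE = 'C:\certs\SigningCert.cer';
CREATE LOGIN SigningLogin FROM CERTIFICATE SigningCert;
GRANT VIEW SERVER STATE TO SigningLogin;
GO

-- 6. Low-privilege caller gets EXECUTE only.
USE AppDb;
GO
GRANT EXECUTE ON dbo.GetSessionList TO AppUser;
GO

-- 7. Optional hardening: once signing is done, remove the private key so nobody
--    can sign further modules with this certificate.
ALTER CERTIFICATE SigningCert REMOVE PRIVATE KEY;
GO

-- Check: which modules in this database are signed, and by which certificate.
SELECT OBJECT_NAME(cp.major_id) AS module_name, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint;
```

Running dbo.GetSessionList as AppUser returns rows from sys.dm_exec_sessions even though AppUser has no VIEW SERVER STATE, while attempting to log in as SigningLogin still fails, which is the behaviour the CREATE LOGIN remarks describe.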