feat(pam): add NTLM and Kerberos auth support for MSSQL #6638
MSSQL PAM accounts now support Windows Authentication (NTLM) in addition to SQL Server Authentication. The auth method is selected per-account via a discriminated union on the credentials schema, following the same pattern as SSH (password/publickey/certificate). Backend: new MsSqlAuthMethod enum, discriminated union on account credentials, NTLM branch in Tedious/Knex connection validation, MSSQL added to session credentials response union. Frontend: auth method selector on the MSSQL account form with conditional domain field for NTLM.
…hema Old MSSQL accounts without authMethod are handled via .default() in account/sanitized schemas (scoped by parentType) and a service-level backfill in getSessionCredentials. Session credentials schema uses a strict variant without .default() to avoid cross-resource false matches in the flat z.union.
MSSQL PAM accounts now support Kerberos (Windows Authentication via KDC) alongside SQL auth and NTLM. Uses gokrb5/v8 for ticket acquisition and SPNEGO token generation.
kdcAddress was missing from the sanitized credentials schema, causing it to disappear when editing a Kerberos account. Also updated docs to mention Kerberos auth and port 88 gateway requirement.
Regex used + (requires at least one char) which rejected empty strings even though the field is optional. Changed to * and transform empty string to undefined.
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 9387833 | Triggered | Generic Password | 4888b10 | backend-go/docker-compose.test.yml |
| 29105343 | Triggered | Generic High Entropy Secret | 4888b10 | backend-go/internal/server/gen/http/secrets/client/encode_decode.go |
| 28944329 | Triggered | PostHog Project API Key | 4888b10 | backend-go/internal/config/config.go |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act: you might completely break other contributing developers' workflows and you risk accidentally deleting legitimate data.

To avoid such incidents in the future, consider:
- following best practices for managing and storing secrets, including API keys and other credentials;
- installing secret detection on pre-commit to catch secrets before they leave your machine and to ease remediation.
| Filename | Overview |
|---|---|
| backend/src/ee/services/pam-resource/mssql/mssql-resource-schemas.ts | Defines discriminated-union schemas for three MSSQL auth methods; spn field lacks the same injection-prevention regex applied to realm/kdcAddress, and kdcAddress allows private IPs without SSRF guards. |
| backend/src/ee/services/pam-resource/shared/sql/sql-resource-factory.ts | Adds NTLM auth path to the Knex connection config and a Kerberos early-return that skips credential validation; runtime logic is correct but the no-op Kerberos validation path should be documented to users. |
| backend/src/ee/services/pam-account/pam-account-service.ts | Adds a backward-compat migration shim that injects authMethod: sql-login into old MSSQL account credentials that predate the authMethod field; safe and well-scoped. |
| backend/src/ee/routes/v1/pam-session-router.ts | Adds MsSQLSessionCredentialsSchema to the union and reorders schemas so more-specific variants are tested before the simpler sql-login fallback; ordering comment explains the Zod union matching rationale. |
| backend/src/ee/services/pam-resource/mssql/mssql-resource-enums.ts | New enum file defining the three MSSQL auth method string values; straightforward and correct. |
| frontend/src/hooks/api/pam/types/mssql-resource.ts | Mirrors the backend auth-method union in frontend types; replaces the single TBaseSqlCredentials with a proper discriminated union matching the three auth methods. |
| frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/MsSQLAccountForm.tsx | New MsSQLAccountFields component with conditional field rendering per auth method; password sentinel handling is preserved correctly for the update path. |
| docs/documentation/platform/pam/getting-started/resources/mssql.mdx | Documentation updated to describe all three auth methods and new credential fields; accurate and well-structured. |
Reviews (1): Last reviewed commit: "fix(pam): allow empty kdcAddress for Ker..."

PR overview: All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review: No open security issues remain on this pull request. Fixed/addressed: 2 · PR risk: 0/10
Context
Adds Windows Authentication (NTLM and Kerberos) to MSSQL PAM accounts, alongside the existing SQL Server Authentication. Auth method is selected per-account as a discriminated union on credentials — same pattern as SSH (Password/PublicKey/Certificate).
NTLM — challenge-response auth between gateway and SQL Server. Users provide a domain (e.g., `CORP`). Uses `go-ntlmssp` for the handshake. Two-party, no infrastructure beyond the SQL Server being domain-joined.

Kerberos — ticket-based auth via a KDC. Users provide realm, SPN, and optionally a KDC address (falls back to DNS SRV discovery when empty). Uses `gokrb5/v8` for ticket acquisition and SPNEGO wrapping. Gateway contacts the KDC on port 88 to obtain service tickets.

Both methods use the same TDS SSPI field in LOGIN7 — the gateway builds the auth token and injects it on the server leg. The client-to-gateway leg is unchanged (dummy SQL auth).
Credential validation uses Tedious's native NTLM support for NTLM accounts. For Kerberos, it falls back to connectivity-only checks (Tedious doesn't support Kerberos) — same approach as SSH Certificate auth. Backend schemas include input validation on realm, KDC address, and SPN to prevent injection into the krb5.conf template.
Companion CLI PR: Infisical/cli#245
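As an added illustration (not code from this PR or the Infisical codebase), the following stand-alone TypeScript mirrors the two schema rules discussed above: character-restricted `realm`, `kdcAddress` and `spn` values so they cannot open a new section or key line in the rendered krb5.conf, and an optional `kdcAddress` whose empty string is normalised to `undefined` so the gateway falls back to DNS SRV discovery. The `authMethod` value `kerberos`, the field names and the exact regexes are assumptions; the krb5.conf layout is the standard `[libdefaults]`/`[realms]` shape.

```typescript
// Added example (not code from the PR): stand-alone checks mirroring the
// validation rules the PR describes for Kerberos credentials, plus the
// krb5.conf fragment those rules protect. Regexes and field names are assumed.
type MsSqlAuthMethod = "sql-login" | "ntlm" | "kerberos";
type KerberosCredentials = {
  authMethod: "kerberos";
  username: string;
  password: string;
  realm: string;
  spn: string;
  kdcAddress?: string; // undefined -> gateway falls back to DNS SRV discovery
};
// None of these classes admit whitespace, '[', ']' or '=', so a value cannot
// open a new section or key line once interpolated into krb5.conf.
const REALM_RE = /^[A-Za-z0-9][A-Za-z0-9.-]*$/;
// The whole field may be empty because it is optional (the '+' -> '*' fix).
const KDC_RE = /^(?:[A-Za-z0-9.-]+(?::\d{1,5})?)?$/; // host[:port]; no IPv6 literals
const SPN_RE = /^[A-Za-z0-9._-]+\/[A-Za-z0-9.-]+(?::\d{1,5})?(?:@[A-Za-z0-9.-]+)?$/;
function str(v: unknown, field: string): string {
  if (typeof v !== "string") throw new Error(`${field}: expected a string`);
  return v;
}

function validateKerberos(input: Record<string, unknown>): KerberosCredentials {
  const method = input.authMethod as MsSqlAuthMethod;
  if (method !== "kerberos") throw new Error(`authMethod: expected kerberos, got ${method}`);
  const realm = str(input.realm, "realm");
  if (!REALM_RE.test(realm)) throw new Error("realm: contains disallowed characters");
  const spn = str(input.spn, "spn");
  if (!SPN_RE.test(spn)) throw new Error("spn: contains disallowed characters");
  // Optional field: "" passes the regex and is then normalised to undefined.
  const kdcRaw = input.kdcAddress === undefined ? "" : str(input.kdcAddress, "kdcAddress");
  if (!KDC_RE.test(kdcRaw)) throw new Error("kdcAddress: contains disallowed characters");
  return {
    authMethod: "kerberos",
    username: str(input.username, "username"),
    password: str(input.password, "password"),
    realm,
    spn,
    kdcAddress: kdcRaw === "" ? undefined : kdcRaw,
  };
}

// Minimal krb5.conf the gateway would hand to its Kerberos client; the kdc
// line is only emitted when an explicit KDC address (port 88) was configured.
function renderKrb5Conf(c: KerberosCredentials): string {
  const lines = ["[libdefaults]", `  default_realm = ${c.realm}`, "[realms]", `  ${c.realm} = {`];
  if (c.kdcAddress !== undefined) lines.push(`    kdc = ${c.kdcAddress}`);
  lines.push("  }");
  return lines.join("\n") + "\n";
}
```

The same character classes would also apply to the `spn` field the review table flags as lacking a regex, since the SPN is passed to the ticket request rather than to krb5.conf but is still attacker-influenced account data.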