Grafana support for MSSQL Authentication

Hi there… I was wondering, I am adding datasources to Grafana, and I can see in the documentation that there is clearly no support for MSSQL authentication, and instead there is only support for local SQL Server accounts.

But to be thorough here are my two questions:

  1. Is there any support for MSSQL authentication?
  2. Are there plans to add support for MSSQL authentication in the future?

Just to be clear, we are using a non-Windows version of Grafana, and it seems that Windows Authentication is only supported on Grafana instances running on Windows platforms.

From our research, it seems the holdups are due to the following lack of support of NTLMv2 talked about here: https://github.com/grafana/grafana/issues/19795
which references this library:
https://github.com/denisenkom/go-mssqldb/issues/146

You may need Kerberos installed on your Linux server and running kinit to pull a token from AD which will then allow access to the MSSQL server.

Is Kerberos for datasources supported? This question in this forum post alludes to a no:

One of my questions still stands–is there planned NTLMv2 Support for Linux users?

Actually, it looks like the SQL driver just recently merged support for NTLMv2: https://github.com/denisenkom/go-mssqldb/commit/06a60b6afbbc676d19209e339b20f8b685e7da34
I suppose it would just be a matter of releasing that driver and creating a new Grafana version with that capability.

Has there been any update on this? Is it possible yet to log in to SQL with Active Directory synced creds?

I haven’t checked the Grafana documentation but we have been using AD accounts to connect to SQL Server without issue for some time (at least Grafana 9.x).

We are running containerized Grafana on Linux and there is no need to do anything with Kerberos at the container level or the host level.

Interesting. This is exactly what we would like to achieve. We have SQL Server on Windows Servers and Grafana is running in OpenShift Pods (Kubernetes). I would like to connect via an AD account to the SQL Server, but somehow I get the following errors:

  • in Grafana: mssql: login error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  • in SQL Server: SSPI handshake failed with error code 0x80090302, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The function requested is not supported [CLIENT: 10.140.xx.xx]

Does anyone have an idea what the issue could be? The domain seems to be the same…

This is really an MSSQL, AD and SPN, NTLM vs Kerberos related configuration, which should involve your DBA, unless you are that DBA.

What do you get when you run this on your target SQL Server?

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id=@@SPID
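
The query above reports the authentication scheme of the session that runs it. As an added example (not posted by anyone in this thread and not from Grafana's documentation), the following query lists the scheme for every established user connection, so a DBA can compare how the Grafana service account and other clients authenticate:

```sql
-- Added example: how each established user connection authenticated.
-- Needs VIEW SERVER STATE; without it only the caller's own session is returned.
-- Failed logins never get a session, so they do not appear here;
-- look for them in the SQL Server error log instead.
SELECT
    s.login_name,
    s.nt_domain,               -- empty for SQL Server Authentication logins
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option,
    c.auth_scheme,             -- SQL, NTLM or KERBEROS
    COUNT(*)            AS connections,
    MAX(c.connect_time) AS last_connect
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY
    s.login_name, s.nt_domain, s.host_name, s.program_name,
    c.client_net_address, c.net_transport, c.encrypt_option, c.auth_scheme
ORDER BY s.login_name, c.auth_scheme;
```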

Thanks for your reply.
When I run the query the auth_scheme is KERBEROS. I do not have a lot of experience with Kerberos. Do I have to configure something in Grafana?

I will talk with my DBA and our OpenShift guy tomorrow and try to debug it with them.

It works for me:

Interesting. You have selected SQL Server Authentication yet using a domain user and it works.

Yes, exactly. This is how we would like to use it as well. We have a predefined AD service user for Grafana which can access certain databases. I have exactly the same setting as you. But as stated before I receive the following error:

mssql: login error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

I will post again as soon as I have followed up with my DBA.

Are you sure that you have the correct username/password? MSSQL may show this silly error also when you have incorrect credentials, based on my personal experience.

I changed the password to one without special characters so I can rule that out 🙂

I made a comment on this issue: MSSQL Server. Authenticating with domain users · Issue #19795 · grafana/grafana (github.com)
I think it is exactly the issue we have. We are not allowed to use NTLM by company policy so we have to rely on Kerberos… somehow Grafana or the driver is not using the correct domain.

Will keep you all updated.

Try this. Can the Grafana service be run using that AD user in OpenShift?

Otherwise with Kerberos, you can't have one service running as someone trying to log in as someone else, something called double hopping I guess, or delegation. Here is a must read

For me it's working like this as well, but as soon as I try to provision the datasource, I get “mssql: login error: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.”