DPA 2023.2.0.501 - Failed to load MSAL4J Java library for performing ActiveDirectoryPassword authentication

TLDR: In DPA 2023.2.0.501, connections to instances using AAD accounts appear to no longer work. Change your connections to use local SQL Server accounts instead before you upgrade. Issue might have been introduced by the MS JDBC driver update to version 12.2, in version 2023.2.0.501.

Hi,

After upgrading to DPA 2023.2.0.501, a number of my Managed Instance connections stopped working (DPA was unable to establish a connection to them). When checking the DPA logs, I found this error.

Date: 5/3/23, 7:30:03 AM
DB: [Managed Instance Name]
com.microsoft.sqlserver.jdbc.SQLServerException: Failed to load MSAL4J Java library for performing ActiveDirectoryPassword authentication.
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:5642)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5618)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5463)
at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:311)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:131)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:42)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6490)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5068)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5002)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7685)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4048)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3487)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3077)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2919)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1787)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1229)
at com.confio.ignite.common.security.ssl.driver.SslConnectionDriverImpl.lambda$connect$0(SourceFile:40)
at java.base/jdk.internal.reflect.Native

This issue was only affecting Managed Instances, where DPA was using an AAD account to connect. Local SQL Server accounts are working fine. To work around this problem without losing any historic data, you must do the following.

  1. Create a local SQL Server account for DPA
  2. In DPA, go to Options > Update Connections > Select the instance > Click Next
  3. Change the Monitoring User and Password to the local SQL Server account you created
  4. Set the JDBC URL Properties value to authentication=NotSpecified;encrypt=true;trustServerCertificate=true
  5. Click Next and complete the update

In the release notes for the 2023.2.0.501 release, I noticed this.

Microsoft JDBC driver version 12.2
DPA has upgraded its MS JDBC driver to version 12.2 to improve connections and access security to Microsoft SQL Server 2022 instances.

Could be a coincidence, but it seems like this change might have introduced the above problem. 

Hopefully this post can help someone else who has encountered this problem. 

  • Hi - The service release DPA 2023.2.1.504, made available a few days ago, resolves the problem of connection failures to Azure SQL DB and Azure SQL Managed Instances (ASMI) instances leveraging Azure Active Directory (AAD) for authentication.

    Your supposition of the new MS 12.2 JDBC driver was on target, although indirectly. Apparently when the 12.2 JDBC driver identifies that Azure AD is involved, it initiates a different security handshake than in the past. This handshake required a few additional, new libraries to process.

    I'm surmising this handshake was required for the 12.2 version of the driver to be able to support standard, on-premises SQL Server 2022 instances to leverage Azure AD authentication for the first time. However, it changed the workflow for Azure SQL DB and ASMI cloud instances as well. The root cause of the defect was that we didn't initially include those additional libraries in the original DPA installation image. Now that those libraries are in the DPA 2023.2.1.504 install images, you should now be able to leverage Azure AD authentication again.
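
Instances reconfigured with the workaround from the original post keep a SQL login and `trustServerCertificate=true`, which tells the driver not to validate the server's TLS certificate, until someone changes them back. The following is an added example, not part of the thread and not DPA code: a Python audit of JDBC URL Properties strings that flags those leftovers. The function names, instance names and sample strings are constructed, and the defaults are assumed to be those of mssql-jdbc 10.2 and later.

```python
"""Audit mssql-jdbc URL property strings for settings left by the workaround.

Added example: instance names and property strings below are constructed.
"""

SQL_LOGIN_MODES = {"notspecified", "sqlpassword"}  # SQL login, not Azure AD


def parse_properties(raw):
    """Split 'k=v;k=v' into a dict; the driver treats names case-insensitively."""
    props = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props


def audit_jdbc_properties(raw):
    """Return human-readable findings for one JDBC URL Properties value."""
    props = parse_properties(raw)
    # Defaults assumed here are those of mssql-jdbc 10.2 and later.
    encrypt = props.get("encrypt", "true").lower()
    trust = props.get("trustservercertificate", "false").lower()
    auth = props.get("authentication", "NotSpecified")
    findings = []
    if encrypt == "false":
        findings.append("encrypt=false: TLS is not requested for query traffic")
    elif encrypt != "strict" and trust == "true":
        # With encrypt=strict the driver ignores trustServerCertificate.
        findings.append("trustServerCertificate=true: server certificate is not validated")
    if auth.lower() in SQL_LOGIN_MODES:
        findings.append("authentication=%s: SQL login in use instead of Azure AD" % auth)
    return findings


SAMPLE = {  # constructed inventory: instance name -> JDBC URL Properties value
    "mi-workaround": "authentication=NotSpecified;encrypt=true;trustServerCertificate=true",
    "mi-aad": "authentication=ActiveDirectoryPassword;encrypt=true;trustServerCertificate=false",
    "mi-strict": "Authentication=ActiveDirectoryPassword;Encrypt=strict;TrustServerCertificate=true",
}

if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        for finding in audit_jdbc_properties(raw) or ["no findings"]:
            print("%s: %s" % (name, finding))
```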