Authentication failures
Client authentication failures will be communicated to the caller by returning
the 401 response. A 401 response may also come from an expired Ticket-Granting
Ticket.
Channel binding
Since v0.12.0 this library automatically attempts to bind the
authentication token with the channel binding data when connecting over a TLS
connection. Channel Binding is also known as Extended Protection for
Authentication (EPA).
Community help and support
We leverage Stack Overflow to work with the community on supporting Azure Active Directory and its SDKs, including this one!
We highly recommend you ask your questions on Stack Overflow (we’re all on there!)
Also browse existing issues to see if someone has had your question before.
Connecting to ms sql server with windows authentication using python?
How do I connect MS SQL Server using Windows Authentication, with the pyodbc library?
I can connect via MS Access and SQL Server Management Studio, but cannot get a working connection ODBC string for Python.
Here’s what I’ve tried (also without 'Trusted_Connection=yes'):
pyodbc.connect('Trusted_Connection=yes',
driver='{SQL Server}', server='[system_name]',
database='[databasename]')
pyodbc.connect('Trusted_Connection=yes', uid='me',
driver='{SQL Server}', server='localhost',
database='[databasename]')
pyodbc.connect('Trusted_Connection=yes',
driver='{SQL Server}', server='localhost',
uid='me', pwd='[windows_pass]', database='[database_name]')
pyodbc.connect('Trusted_Connection=yes',
driver='{SQL Server}', server='localhost',
database='[server_name]\[database_name]')
pyodbc.connect('Trusted_Connection=yes',
driver='{SQL Server}', server='localhost',
database='[server_name][database_name]')
pyodbc.connect('Trusted_Connection=yes',
driver='{SQL Server}',
database='[server_name][database_name]')
Contributing
All code is licensed under the MIT license and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. Please read the contributing guide before starting.
Disabled
While we don’t recommend it, if you’d prefer to never attempt mutual
authentication, you can do that as well:
Hostname override
If communicating with a host whose DNS name doesn’t match its
Kerberos hostname (e.g., behind a content switch or load balancer),
the hostname used for the Kerberos GSS exchange can be overridden by
setting the hostname_override arg:
Installation
You can find MSAL Python on PyPI.
- If you haven’t already, install and/or upgrade the pip of your Python environment to a recent version. We tested with pip 18.1.
- As usual, just run pip install msal.
Logging
This library makes extensive use of Python’s logging facilities.
Log messages are logged to the requests_kerberos and
requests_kerberos.kerberos_ named loggers.
If you are having difficulty we suggest you configure logging. Issues with the
underlying kerberos libraries will be made apparent. Additionally, copious debug
information is made available which may assist in troubleshooting if you
increase your log level all the way up to debug.
Migrating from adal
If your application is using ADAL Python, we recommend that you update it to use MSAL Python. No new feature work will be done in ADAL Python.
See the ADAL to MSAL migration guide.
Ntlm-auth
Almost all users should use
requests-ntlm instead of
this library. The library requests-ntlm is a plugin that uses this
library under the hood and provides an easier function to use and
understand.
If you are set on using ntlm-auth directly to compute the message
structures this is a very basic outline of how it can be done. The code
examples are pseudocode and should be adapted for your purpose.
When initialising the ntlm context you will have to supply the NTLM
compatibility level. The key difference between the different auth
levels is the ntlm_compatibility variable supplied when initialising
Ntlm. An overview of what each sets is below:
* 0 – LM Auth and NTLMv1 Auth
* 1 – LM Auth and NTLMv1 Auth with Extended Session Security (NTLM2)
* 2 – NTLMv1 Auth with Extended Session Security (NTLM2)
* 3 – NTLMv2 Auth (Default Choice)
* 4 – NTLMv2 Auth
* 5 – NTLMv2 Auth
Levels 3 to 5 are the same from a client perspective but differ in how
the server handles the auth, which is outside this project’s scope. This
setting is set independently on that server, so choosing 3, 4 or 5 when
calling Ntlm will make no difference at all. See LmCompatibilityLevel
for more details.
Extended Session Security is a security feature designed to increase the
security of LM and NTLMv1 auth. It is no substitute for NTLMv2 but is
better than nothing and should be used if possible when you need NTLMv1
compatibility.
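The compatibility levels above show up on the wire in the AUTHENTICATE (type 3) message, so a server-side or capture-side audit can tell which variant a client actually sent. The following is an added example, not code from ntlm-auth or its README; the function names and the sample messages are constructed for illustration, and the field offsets follow the published NTLM message layout.

```python
import struct

ESS_FLAG = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Return the bytes addressed by a (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify an AUTHENTICATE (type 3) message as NTLMv2, NTLMv1+ESS or NTLMv1."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24:   # 16-byte proof plus a variable-length blob
        return "NTLMv2"
    if len(nt) != 24:
        raise ValueError("unexpected NT response length")
    # With ESS the LM field carries an 8-byte client challenge padded with 16 zero bytes.
    if flags & ESS_FLAG and len(lm) == 24 and lm[8:] == bytes(16):
        return "NTLMv1+ESS"
    return "NTLMv1"

def build_sample(lm, nt, flags):
    """Constructed message (not a capture): 64-byte header, then LM and NT responses."""
    resp = struct.pack("<HHI", len(lm), len(lm), 64)
    resp += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    # Domain, user, workstation and session key fields are left empty.
    empty = struct.pack("<HHI", 0, 0, 64 + len(lm) + len(nt)) * 4
    head = b"NTLMSSP\x00" + struct.pack("<I", 3) + resp + empty
    return head + struct.pack("<I", flags) + lm + nt

SAMPLES = {
    "level 0": build_sample(b"\x33" * 24, b"\x44" * 24, 0),
    "level 1-2 with ESS": build_sample(b"\xaa" * 8 + bytes(16), b"\x22" * 24, ESS_FLAG),
    "level 3-5": build_sample(bytes(24), b"\x11" * 16 + b"\x01\x01" + bytes(26), ESS_FLAG),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, "->", classify_authenticate(message))
```

Anything classified as NTLMv1 or NTLMv1+ESS identifies a client still running below level 3.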
The variables required are outlined below:
* username – The username to authenticate with, should not have the domain prefix, i.e. USER not DOMAIN\USER
* password – The password of the user to authenticate with
* domain – The domain of the user, i.e. DOMAIN. Can be blank if not in a domain environment
* workstation – The workstation you are running on. Can be blank if you do not wish to send this
* cbt_data – (NTLMv2 only) The gss_channel_bindings.GssChannelBindingsStruct used to bind with the auth response. Can be None if no binding needs to occur
Roadmap
You can follow the latest updates and plans for MSAL Python in the Roadmap published on our Wiki.
Samples and documentation
MSAL Python supports multiple application types and authentication scenarios.
The generic documents on Auth Scenarios and Auth protocols are recommended reading.
We provide a full suite of sample applications and documentation to help you get started with learning the Microsoft identity platform.
Setup
In order to use this library, there must already be a Kerberos Ticket-Granting
Ticket (TGT) cached in a Kerberos credential cache. Whether a TGT is available
can be easily determined by running the klist command. If no TGT is
available, then it must first be obtained by running the kinit command, or by
pointing $KRB5CCNAME to a credential cache with a valid TGT.
Submit feedback
We’d like your thoughts on this library. Please complete this short survey.
Versions
This library follows Semantic Versioning.
You can find the changes for each version under
Releases.