Skip to content

Avoid unintended SPN generation for non-integrated authentication on native SNI path #3929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
apoorvdeshmukh wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Avoid unintended SPN generation for non-integrated authentication on native SNI path #3929

apoorvdeshmukh wants to merge 5 commits into from
+74 −15

Conversation

@apoorvdeshmukh
Copy link
Contributor

@apoorvdeshmukh apoorvdeshmukh commented Feb 3, 2026
edited
Loading

Description

Potentially fixes #3523.
This PR fixes a connection performance regression introduced by PR #2790, where SPN generation could be triggered for non-integrated authentication modes such as SQL authentication on the native SNI path.
SPN (Service Principal Name) generation is only relevant for Integrated Security (SSPI/Kerberos). After PR #2790, empty serverSPN values could reach native SNI even when Integrated Security was not in use, causing unnecessary SPN composition and potential DNS lookups.
This change ensures that SPN generation is only triggered when authentication mode is integrated security(SSPI/Kerberos.

Issues

#3523

Testing

Added unit test for the SPN normalization logic.
Used the repro from #3523.
The regression was reproducible under a specific network topology:
Client machine connected directly to the main router
SQL Server machine connected via a Wi-Fi extender (which itself connects to the main router)
In this setup, SqlConnection.Open() using SQL authentication and an IP-based data source (for example, tcp:,1433) could take ~5 seconds.

Without the fix

Data Source=tcp:192.168.1.9,1433;Initial Catalog=Demo2;User ID=hidden;Password=hidden;Encrypt=True;Application Name="Connection test"
Connection successful!
Time taken to connect: 5178 ms

With the fix

Data Source=tcp:192.168.1.9,1433;Initial Catalog=Demo2;User ID=hidden;Password=hidden;Encrypt=True;Application Name="Connection test"
Connection successful!
Time taken to connect: 198 ms

@apoorvdeshmukh apoorvdeshmukh requested a review from a team as a code owner February 3, 2026 14:12
@apoorvdeshmukh apoorvdeshmukh added this to the 7.0.0-preview4 milestone Feb 3, 2026
@paulmedynski
Copy link
Contributor

paulmedynski commented Feb 3, 2026

@copilot please review.

Copy link
Contributor

Copilot AI commented Feb 3, 2026

@paulmedynski I've opened a new pull request, #3931, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Feb 3, 2026
Closed
@apoorvdeshmukh apoorvdeshmukh mentioned this pull request Feb 3, 2026
Open
mdaigle
mdaigle requested changes Feb 3, 2026
View reviewed changes
Copy link
Contributor

@mdaigle mdaigle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work figuring out this issue!

Copilot AI review requested due to automatic review settings February 4, 2026 11:05
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a performance regression introduced in PR #2790 where SPN (Service Principal Name) generation was inadvertently triggered for non-integrated authentication modes (e.g., SQL authentication) on the native SNI path. The fix ensures that SPN generation only occurs when using integrated security (SSPI/Kerberos), preventing unnecessary DNS lookups and connection delays.

Changes:

  • Extracted SPN normalization logic into a new NormalizeServerSpn method that returns string.Empty for integrated security (to trigger generation) or null for SQL auth (to prevent generation)
  • Updated CreatePhysicalSNIHandle to conditionally set resolvedSpn only when a valid SPN exists
  • Added comprehensive unit tests to verify the normalization logic

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.windows.cs Introduces NormalizeServerSpn method to prevent unintended SPN generation for non-integrated auth and updates SPN handling in CreatePhysicalSNIHandle
src/Microsoft.Data.SqlClient/tests/UnitTests/Microsoft/Data/SqlClient/TdsParserStateObjectNativeTests.cs Adds unit tests covering all SPN normalization scenarios for both integrated and SQL authentication

Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

@codecov
Copy link

codecov bot commented Feb 4, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.54%. Comparing base (a0357b2) to head (fe855a7).

❗ There is a different number of reports uploaded between BASE (a0357b2) and HEAD (fe855a7). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (a0357b2) HEAD (fe855a7)
addons 1 0
Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #3929       +/-   ##
===========================================
- Coverage   90.82%   67.54%   -23.29%     
===========================================
  Files           6      263      +257     
  Lines         316    66205    +65889     
===========================================
+ Hits          287    44715    +44428     
- Misses         29    21490    +21461
Flag Coverage Δ
addons ?
netcore 67.51% <88.88%> (?)
netfx 66.51% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mdaigle mdaigle Awaiting requested review from mdaigle

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

7.0.0-preview4

Development

Successfully merging this pull request may close these issues.

6.1.0: Taking a long time to connect

4 participants

@apoorvdeshmukh @paulmedynski @mdaigle