ADO connection string styling in the database configuration is causing a login problem.

Avatar
Anuja Saini
  • Updated

Introduction:

The issue arises when the database connection URL is formatted using ADO-style connection strings, and the password contains special characters. ADO-style formatting handles special characters in a way that causes authentication to fail, especially with certain characters like *, ?, or !. This problem occurs because special characters in the password field are not correctly escaped or interpreted within the ADO connection string, leading to login errors.

 

Problem:

Unable to log in to the database when the connection URL follows ADO styling and the password contains special characters (e.g., *, ?, !). The login fails with the following error: 

error creating database object: error verifying connection: mssql: login error: Login failed for user 'vaultuser'.

 

Steps to Reproduce:

  1. Try to establish a connection using the following ADO-style connection string format as shown below including a password that contains special characters:

    $ vault write database/config/mssql \
        plugin_name="mssql-database-plugin" \
        connection_url='server=localhost;port=1433;user id={{username}};password={{password}};database=mssql;TrustServerCertificate=true;' \
        username="vaultuser" \
        password='your#StrongPassword%' \

  2. Note that the error message "Login failed for user 'vaultuser'" appears when the login attempt fails.

  3. Now try the connection using same details  
    $ vault write database/config/mysql \
       plugin_name="mysql-database-plugin" \
       allowed_roles="readonly" \
       connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
       username="vaultuser" \
       password='your#StrongPassword%'

 

Solutions/Workaround:

  1. If you must use ADO-style formatting and your password contains special characters, you can resolve the issue by including the disable_escaping="true" option when configuring the connection via the CLI or API. This option prevents Vault from escaping special characters in the password field.

    Example CLI command:

    $ vault write database/config/mssql \
        plugin_name="mssql-database-plugin" \
        connection_url='server=localhost;port=1433;user id={{username}};password={{password}};database=mssql;' \
        username="vaultuser" \
        password='your#StrongPassword%' \
        disable_escaping="true"

  2. The Vault UI does not support the disable_escaping parameter, so if you are attempting to configure the connection via the UI.In this case, use the CLI or API for configuration.

 

Conclusion:

To resolve login issues with ADO-style connection strings and special characters, either switch to a simpler connection format or use the disable_escaping="true" option in the CLI/API. The Vault UI does not support this configuration.

References:

disable-escaping

disable-character-escaping

sample-cli-request-with-ado-style-connection-string

 

 

Articles in this section

See more

Related articles