Fix proxy SPNego authentication to respect krb5.conf canonicalization settings. (#541)

renaudhartert-db · web-flow · commit 586a83217ac1 · 2025-11-03T15:17:11.000Z
This PR changes `SPNegoSchemeFactory` constructor in `ProxyUtils.java`
to use `useCanonicalHostname=false`, deferring hostname canonicalization
to the Kerberos library based on `krb5.conf` configuration instead of
forcing it at the SDK level.

The previous implementation forced hostname canonicalization for proxy
Kerberos authentication, overriding user-configured `krb5.`conf settings
(rdns, dns_canonicalize_hostname). This caused authentication failures
in environments with specific Kerberos configurations.

Client libraries should respect system Kerberos configuration rather
than override it. This fix makes the SDK compliant with standard
Kerberos behavior.

**Migration note:** Users whose non-compliant Kerberos setups were
accidentally working due to forced canonicalization may need to verify
their `krb5.conf` settings are correctly configured.
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -6,6 +6,8 @@
 
 ### Bug Fixes
 
+* Fix proxy SPNego authentication to respect krb5.conf canonicalization settings instead of forcing hostname canonicalization. The SDK now defers to the Kerberos library configuration for hostname resolution. **Migration note**: If you experience new Kerberos authentication failures with proxy servers after upgrading, verify that your `krb5.conf` canonicalization settings (`rdns` and `dns_canonicalize_hostname`) are correctly configured for your environment.
+
 ### Security Vulnerabilities
 
 ### Documentation
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
@@ -128,7 +128,10 @@ public Principal getUserPrincipal() {
         .setDefaultCredentialsProvider(credsProvider)
         .setDefaultAuthSchemeRegistry(
             RegistryBuilder.<AuthSchemeProvider>create()
-                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
+                // Use SPNegoSchemeFactory with useCanonicalHostname=false to defer hostname
+                // canonicalization to the Kerberos library based on krb5.conf settings
+                // (rdns, dns_canonicalize_hostname) rather than forcing canonicalization.
+                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
                 .build());
   }
 
