Cannot authenticate using Kerberos in MacOS

[ventouris]

• MSSQL Extension Version: 1.29.1
• VSCode Version: 1.98.0
• OS Version: MacOS 15.2

Cannot use Windows Authentication to connect to an SQL server in VS Code. Kerberos with exact the same conf file was working on the Azure Data Studio. Now I get the following error:

Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication. ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - An unsupported mechanism was requested (unknown mech-code 0 for mech unknown). at System.Net.Security.NegotiateStreamPal.GssInitSecurityContext(SafeGssContextHandle& context, SafeGssCredHandle credential, Boolean isNtlm, SafeGssNameHandle targetName, GssFlags inFlags, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags, Int32& isNtlmUsed) at System.Net.Security.NegotiateStreamPal.EstablishSecurityContext(SafeFreeNegoCredentials credential, SafeDeleteContext& context, String targetName, ContextFlagsPal inFlags, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, ContextFlagsPal& outFlags) at Microsoft.Data.SqlClient.SNI.SNIProxy.GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, Byte[] receivedBuff, Byte[]& sendBuff, Byte[][] serverName) at Microsoft.Data.SqlClient.SNI.TdsParserStateObjectManaged.GenerateSspiClientContext(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength, Byte[][] _sniSpnBuffer) at Microsoft.Data.SqlClient.TdsParser.SNISSPIData(Byte[] receivedBuff, UInt32 receivedLength, Byte[]& sendBuff, UInt32& sendLength)

Steps to Reproduce:

1. Followed the steps here https://github.com/microsoft/vscode-mssql/blob/main/extensions/mssql/KERBEROS_HELP.md
2. Ran kinit
3. Verify that there is a ticket created with klist on the specific domain
4. Try to create a new connection with the server name and the Windows Authentication selected

[Benjin]

I found this issue thread recently; seems they have some ideas of things to try: #1774

[arbonaa]

Found this issue recently, it seems to be added to the December 2025 release but here is a workaround in the meantime. It seems the issue is vscode/mssql extension is not finding the ticket cache so if you register a ticket on your system/macos, vscode doesnt seem to know its there (ADS was similar, you had to kinit inside its sandbox), to get it to work you have to create a file cache, then pass in the env variable KRB5CCNAME when opening vscode so it actually knows where to look :

KRB5CCNAME=/tmp/krb5cc_vscode kinit [Username]
KRB5CCNAME=/tmp/krb5cc_vscode code

now you can use integrated auth with the connection.

[braibaud]

Found this issue recently, it seems to be added to the December 2025 release but here is a workaround in the meantime. It seems the issue is vscode/mssql extension is not finding the ticket cache so if you register a ticket on your system/macos, vscode doesnt seem to know its there (ADS was similar, you had to kinit inside its sandbox), to get it to work you have to create a file cache, then pass in the env variable KRB5CCNAME when opening vscode so it actually knows where to look :

KRB5CCNAME=/tmp/krb5cc_vscode kinit [Username] KRB5CCNAME=/tmp/krb5cc_vscode code

now you can use integrated auth with the connection.

Hi, thanks for the message, but I am not sure I understand what's the file name and what to put in it; then how do you pass the env. variable? tx.