Plumbs all the SSPI changes through the SqlConnection

twsouthwick · twsouthwick · commit 830f5f8d2f8c · 2025-07-23T14:45:21.000-07:00
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlConnection.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlConnection.cs
@@ -91,6 +91,7 @@ private static readonly Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
         private IReadOnlyDictionary<string, SqlColumnEncryptionKeyStoreProvider> _customColumnEncryptionKeyStoreProviders;
 
         private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;
+        private SspiContextProvider _sspiContextProvider;
 
         internal bool HasColumnEncryptionKeyStoreProvidersRegistered =>
             _customColumnEncryptionKeyStoreProviders is not null && _customColumnEncryptionKeyStoreProviders.Count > 0;
@@ -650,7 +651,7 @@ public override string ConnectionString
                         CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback(connectionOptions);
                     }
                 }
-                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback));
+                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback, _sspiContextProvider));
                 _connectionString = value;  // Change _connectionString value only after value is validated
                 CacheConnectionStringProperties();
             }
@@ -710,7 +711,7 @@ public string AccessToken
                 }
 
                 // Need to call ConnectionString_Set to do proper pool group check
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: value, accessTokenCallback: null));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: value, accessTokenCallback: null, sspiContextProvider: null));
                 _accessToken = value;
             }
         }
@@ -733,11 +734,21 @@ public Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticati
                     CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback((SqlConnectionString)ConnectionOptions);
                 }
 
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: value));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: value, sspiContextProvider: null));
                 _accessTokenCallback = value;
             }
         }
 
+        internal SspiContextProvider SspiContextProvider
+        {
+            get { return _sspiContextProvider; }
+            set
+            {
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: value));
+                _sspiContextProvider = value;
+            }
+        }
+
         /// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/Database/*' />
         [ResDescription(StringsHelper.ResourceNames.SqlConnection_Database)]
         [ResCategory(StringsHelper.ResourceNames.SqlConnection_DataSource)]
@@ -1035,7 +1046,7 @@ public SqlCredential Credential
                 _credential = value;
 
                 // Need to call ConnectionString_Set to do proper pool group check
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback, sspiContextProvider: null));
             }
         }
 
@@ -2265,7 +2276,7 @@ public static void ChangePassword(string connectionString, string newPassword)
                     throw ADP.InvalidArgumentLength(nameof(newPassword), TdsEnums.MAXLEN_NEWPASSWORD);
                 }
 
-                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null);
+                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
                 SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);
                 if (connectionOptions.IntegratedSecurity)
@@ -2314,7 +2325,7 @@ public static void ChangePassword(string connectionString, SqlCredential credent
                     throw ADP.InvalidArgumentLength(nameof(newSecurePassword), TdsEnums.MAXLEN_NEWPASSWORD);
                 }
 
-                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);
+                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
                 SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);
 
@@ -2352,7 +2363,7 @@ private static void ChangePassword(string connectionString, SqlConnectionString
             {
                 con?.Dispose();
             }
-            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);
+            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
             SqlConnectionFactory.Instance.ClearPool(key);
         }
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs
@@ -135,6 +135,7 @@ internal sealed class SqlInternalConnectionTds : SqlInternalConnection, IDisposa
         SqlFedAuthToken _fedAuthToken = null;
         internal byte[] _accessTokenInBytes;
         internal readonly Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;
+        internal readonly SspiContextProvider _sspiContextProvider;
 
         private readonly ActiveDirectoryAuthenticationTimeoutRetryHelper _activeDirectoryAuthTimeoutRetryHelper;
 
@@ -460,8 +461,8 @@ internal SqlInternalConnectionTds(
             bool applyTransientFaultHandling = false,
             string accessToken = null,
             IDbConnectionPool pool = null,
-            Func<SqlAuthenticationParameters, CancellationToken,
-            Task<SqlAuthenticationToken>> accessTokenCallback = null) : base(connectionOptions)
+            Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback = null,
+            SspiContextProvider sspiContextProvider = null) : base(connectionOptions)
         {
 #if DEBUG
             if (reconnectSessionData != null)
@@ -514,6 +515,7 @@ internal SqlInternalConnectionTds(
             }
 
             _accessTokenCallback = accessTokenCallback;
+            _sspiContextProvider = sspiContextProvider;
 
             _activeDirectoryAuthTimeoutRetryHelper = new ActiveDirectoryAuthenticationTimeoutRetryHelper();
 
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -409,7 +409,7 @@ internal void Connect(ServerInfo serverInfo,
             // AD Integrated behaves like Windows integrated when connecting to a non-fedAuth server
             if (integratedSecurity || authType == SqlAuthenticationMethod.ActiveDirectoryIntegrated)
             {
-                _authenticationProvider = _physicalStateObj.CreateSspiContextProvider();
+                _authenticationProvider = Connection._sspiContextProvider ?? _physicalStateObj.CreateSspiContextProvider();
                 SqlClientEventSource.Log.TryTraceEvent("TdsParser.Connect | SEC | SSPI or Active Directory Authentication Library loaded for SQL Server based integrated authentication");
             }
 
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlConnection.cs b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlConnection.cs
@@ -89,6 +89,8 @@ private static readonly Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
 
         private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;
 
+        private SspiContextProvider _sspiContextProvider;
+
         internal bool HasColumnEncryptionKeyStoreProvidersRegistered =>
             _customColumnEncryptionKeyStoreProviders is not null && _customColumnEncryptionKeyStoreProviders.Count > 0;
 
@@ -577,6 +579,16 @@ internal int ConnectRetryInterval
             get => ((SqlConnectionString)ConnectionOptions).ConnectRetryInterval;
         }
 
+        internal SspiContextProvider SspiContextProvider
+        {
+            get { return _sspiContextProvider; }
+            set
+            {
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: null,  accessTokenCallback: null, sspiContextProvider: value));
+                _sspiContextProvider = value;
+            }
+        }
+
         /// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/ConnectionString/*' />
         [DefaultValue("")]
 #pragma warning disable 618 // ignore obsolete warning about RecommendedAsConfigurable to use SettingsBindableAttribute
@@ -645,7 +657,7 @@ public override string ConnectionString
                         CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback(connectionOptions);
                     }
                 }
-                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback));
+                ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback, _sspiContextProvider));
                 _connectionString = value;  // Change _connectionString value only after value is validated
                 CacheConnectionStringProperties();
             }
@@ -705,7 +717,7 @@ public string AccessToken
 
                 _accessToken = value;
                 // Need to call ConnectionString_Set to do proper pool group check
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, null));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, null, sspiContextProvider: null));
             }
         }
 
@@ -727,7 +739,7 @@ public Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticati
                     CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback((SqlConnectionString)ConnectionOptions);
                 }
 
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, null, value));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, null, value, sspiContextProvider: null));
                 _accessTokenCallback = value;
             }
         }
@@ -1029,7 +1041,7 @@ public SqlCredential Credential
                 _credential = value;
 
                 // Need to call ConnectionString_Set to do proper pool group check
-                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback));
+                ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, _accessTokenCallback, sspiContextProvider: null));
             }
         }
 
@@ -2184,7 +2196,7 @@ public static void ChangePassword(string connectionString, string newPassword)
                     throw ADP.InvalidArgumentLength(nameof(newPassword), TdsEnums.MAXLEN_NEWPASSWORD);
                 }
 
-                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null);
+                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
                 SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);
                 if (connectionOptions.IntegratedSecurity || connectionOptions.Authentication == SqlAuthenticationMethod.ActiveDirectoryIntegrated)
@@ -2236,7 +2248,7 @@ public static void ChangePassword(string connectionString, SqlCredential credent
                     throw ADP.InvalidArgumentLength(nameof(newSecurePassword), TdsEnums.MAXLEN_NEWPASSWORD);
                 }
 
-                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);
+                SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
                 SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);
 
@@ -2277,7 +2289,7 @@ private static void ChangePassword(string connectionString, SqlConnectionString
             {
                 con?.Dispose();
             }
-            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);
+            SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);
 
             SqlConnectionFactory.Instance.ClearPool(key);
         }
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlInternalConnectionTds.cs
@@ -136,6 +136,7 @@ internal sealed class SqlInternalConnectionTds : SqlInternalConnection, IDisposa
         SqlFedAuthToken _fedAuthToken = null;
         internal byte[] _accessTokenInBytes;
         internal readonly Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;
+        internal readonly SspiContextProvider _sspiContextProvider;
 
         private readonly ActiveDirectoryAuthenticationTimeoutRetryHelper _activeDirectoryAuthTimeoutRetryHelper;
 
@@ -472,8 +473,8 @@ internal SqlInternalConnectionTds(
                 bool applyTransientFaultHandling = false,
                 string accessToken = null,
                 IDbConnectionPool pool = null,
-                Func<SqlAuthenticationParameters, CancellationToken,
-                Task<SqlAuthenticationToken>> accessTokenCallback = null) 
+                Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback = null,
+                SspiContextProvider sspiContextProvider = null) 
             : base(connectionOptions)
         {
 #if DEBUG
@@ -525,6 +526,7 @@ internal SqlInternalConnectionTds(
             }
 
             _accessTokenCallback = accessTokenCallback;
+            _sspiContextProvider = sspiContextProvider;
 
             _activeDirectoryAuthTimeoutRetryHelper = new ActiveDirectoryAuthenticationTimeoutRetryHelper();
 
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -411,7 +411,7 @@ internal void Connect(ServerInfo serverInfo,
             // AD Integrated behaves like Windows integrated when connecting to a non-fedAuth server
             if (integratedSecurity || authType == SqlAuthenticationMethod.ActiveDirectoryIntegrated)
             {
-                _authenticationProvider = _physicalStateObj.CreateSspiContextProvider();
+                _authenticationProvider = Connection._sspiContextProvider ?? _physicalStateObj.CreateSspiContextProvider();
 
                 if (!string.IsNullOrEmpty(serverInfo.ServerSPN))
                 {
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ConnectionPool/SqlConnectionPoolKey.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ConnectionPool/SqlConnectionPoolKey.cs
@@ -18,10 +18,12 @@ internal class SqlConnectionPoolKey : DbConnectionPoolKey
         private readonly SqlCredential _credential;
         private readonly string _accessToken;
         private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;
+        private SspiContextProvider _sspiContextProvider;
 
         internal SqlCredential Credential => _credential;
         internal string AccessToken => _accessToken;
         internal Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> AccessTokenCallback => _accessTokenCallback;
+        internal SspiContextProvider SspiContextProvider => _sspiContextProvider;
 
         internal override string ConnectionString
         {
@@ -33,12 +35,18 @@ internal override string ConnectionString
             }
         }
 
-        internal SqlConnectionPoolKey(string connectionString, SqlCredential credential, string accessToken, Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback) : base(connectionString)
+        internal SqlConnectionPoolKey(
+            string connectionString,
+            SqlCredential credential,
+            string accessToken,
+            Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback,
+            SspiContextProvider sspiContextProvider) : base(connectionString)
         {
             Debug.Assert(credential == null || accessToken == null || accessTokenCallback == null, "Credential, AccessToken, and Callback can't have a value at the same time.");
             _credential = credential;
             _accessToken = accessToken;
             _accessTokenCallback = accessTokenCallback;
+            _sspiContextProvider = sspiContextProvider;
             CalculateHashCode();
         }
 
@@ -47,6 +55,8 @@ private SqlConnectionPoolKey(SqlConnectionPoolKey key) : base(key)
             _credential = key.Credential;
             _accessToken = key.AccessToken;
             _accessTokenCallback = key._accessTokenCallback;
+            _sspiContextProvider = key._sspiContextProvider;
+
             CalculateHashCode();
         }
 
@@ -61,7 +71,8 @@ public override bool Equals(object obj)
                 && _credential == key._credential
                 && ConnectionString == key.ConnectionString
                 && _accessTokenCallback == key._accessTokenCallback
-                && string.CompareOrdinal(_accessToken, key._accessToken) == 0);
+                && string.CompareOrdinal(_accessToken, key._accessToken) == 0
+                && _sspiContextProvider == key._sspiContextProvider);
         }
 
         public override int GetHashCode()
@@ -94,6 +105,11 @@ private void CalculateHashCode()
                     _hashValue = _hashValue * 17 + _accessTokenCallback.GetHashCode();
                 }
             }
+
+            if (_sspiContextProvider != null)
+            {
+                _hashValue = _hashValue * 17 + _sspiContextProvider.GetHashCode();
+            }
         }
     }
 }
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NativeSspiContextProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NativeSspiContextProvider.cs
@@ -49,7 +49,7 @@ private void LoadSSPILibrary()
             }
         }
 
-        protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams)
+        protected override bool GenerateContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams)
         {
 #if NETFRAMEWORK
             SNIHandle handle = _physicalStateObj.Handle;
@@ -62,7 +62,7 @@ protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlo
             var sendLength = s_maxSSPILength;
             var outBuff = outgoingBlobWriter.GetSpan((int)sendLength);
 
-            if (0 != SniNativeWrapper.SniSecGenClientContext(handle, incomingBlob, outBuff, ref sendLength, authParams.Resource))
+            if (SniNativeWrapper.SniSecGenClientContext(handle, incomingBlob, outBuff, ref sendLength, authParams.Resource) != 0)
             {
                 return false;
             }
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSspiContextProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSspiContextProvider.cs
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/SspiContextProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/SspiContextProvider.cs
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlConnectionFactory.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlConnectionFactory.cs

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ private static readonly Dictionary<string, SqlColumnEncryptionKeyStoreProvider>`
`91`	`91`	`private IReadOnlyDictionary<string, SqlColumnEncryptionKeyStoreProvider> _customColumnEncryptionKeyStoreProviders;`
`92`	`92`
`93`	`93`	`private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;`
	`94`	`+ private SspiContextProvider _sspiContextProvider;`
`94`	`95`
`95`	`96`	`internal bool HasColumnEncryptionKeyStoreProvidersRegistered =>`
`96`	`97`	`_customColumnEncryptionKeyStoreProviders is not null && _customColumnEncryptionKeyStoreProviders.Count > 0;`
`@@ -650,7 +651,7 @@ public override string ConnectionString`
`650`	`651`	`CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback(connectionOptions);`
`651`	`652`	`}`
`652`	`653`	`}`
`653`		`- ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback));`
	`654`	`+ ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback, _sspiContextProvider));`
`654`	`655`	`_connectionString = value; // Change _connectionString value only after value is validated`
`655`	`656`	`CacheConnectionStringProperties();`
`656`	`657`	`}`
`@@ -710,7 +711,7 @@ public string AccessToken`
`710`	`711`	`}`
`711`	`712`
`712`	`713`	`// Need to call ConnectionString_Set to do proper pool group check`
`713`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: value, accessTokenCallback: null));`
	`714`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: value, accessTokenCallback: null, sspiContextProvider: null));`
`714`	`715`	`_accessToken = value;`
`715`	`716`	`}`
`716`	`717`	`}`
`@@ -733,11 +734,21 @@ public Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticati`
`733`	`734`	`CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback((SqlConnectionString)ConnectionOptions);`
`734`	`735`	`}`
`735`	`736`
`736`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: value));`
	`737`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: value, sspiContextProvider: null));`
`737`	`738`	`_accessTokenCallback = value;`
`738`	`739`	`}`
`739`	`740`	`}`
`740`	`741`
	`742`	`+ internal SspiContextProvider SspiContextProvider`
	`743`	`+ {`
	`744`	`+ get { return _sspiContextProvider; }`
	`745`	`+ set`
	`746`	`+ {`
	`747`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, credential: _credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: value));`
	`748`	`+ _sspiContextProvider = value;`
	`749`	`+ }`
	`750`	`+ }`
	`751`	`+`
`741`	`752`	`/// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/Database/*' />`
`742`	`753`	`[ResDescription(StringsHelper.ResourceNames.SqlConnection_Database)]`
`743`	`754`	`[ResCategory(StringsHelper.ResourceNames.SqlConnection_DataSource)]`
`@@ -1035,7 +1046,7 @@ public SqlCredential Credential`
`1035`	`1046`	`_credential = value;`
`1036`	`1047`
`1037`	`1048`	`// Need to call ConnectionString_Set to do proper pool group check`
`1038`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback));`
	`1049`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback, sspiContextProvider: null));`
`1039`	`1050`	`}`
`1040`	`1051`	`}`
`1041`	`1052`
`@@ -2265,7 +2276,7 @@ public static void ChangePassword(string connectionString, string newPassword)`
`2265`	`2276`	`throw ADP.InvalidArgumentLength(nameof(newPassword), TdsEnums.MAXLEN_NEWPASSWORD);`
`2266`	`2277`	`}`
`2267`	`2278`
`2268`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null);`
	`2279`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2269`	`2280`
`2270`	`2281`	`SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);`
`2271`	`2282`	`if (connectionOptions.IntegratedSecurity)`
`@@ -2314,7 +2325,7 @@ public static void ChangePassword(string connectionString, SqlCredential credent`
`2314`	`2325`	`throw ADP.InvalidArgumentLength(nameof(newSecurePassword), TdsEnums.MAXLEN_NEWPASSWORD);`
`2315`	`2326`	`}`
`2316`	`2327`
`2317`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);`
	`2328`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2318`	`2329`
`2319`	`2330`	`SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);`
`2320`	`2331`
`@@ -2352,7 +2363,7 @@ private static void ChangePassword(string connectionString, SqlConnectionString`
`2352`	`2363`	`{`
`2353`	`2364`	`con?.Dispose();`
`2354`	`2365`	`}`
`2355`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);`
	`2366`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2356`	`2367`
`2357`	`2368`	`SqlConnectionFactory.Instance.ClearPool(key);`
`2358`	`2369`	`}`
Original file line number	Diff line number	Diff line change
`@@ -409,7 +409,7 @@ internal void Connect(ServerInfo serverInfo,`
`409`	`409`	`// AD Integrated behaves like Windows integrated when connecting to a non-fedAuth server`
`410`	`410`	`if (integratedSecurity \|\| authType == SqlAuthenticationMethod.ActiveDirectoryIntegrated)`
`411`	`411`	`{`
`412`		`- _authenticationProvider = _physicalStateObj.CreateSspiContextProvider();`
	`412`	`+ _authenticationProvider = Connection._sspiContextProvider ?? _physicalStateObj.CreateSspiContextProvider();`
`413`	`413`	`SqlClientEventSource.Log.TryTraceEvent("TdsParser.Connect \| SEC \| SSPI or Active Directory Authentication Library loaded for SQL Server based integrated authentication");`
`414`	`414`	`}`
`415`	`415`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,8 @@ private static readonly Dictionary<string, SqlColumnEncryptionKeyStoreProvider>`
`89`	`89`
`90`	`90`	`private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;`
`91`	`91`
	`92`	`+ private SspiContextProvider _sspiContextProvider;`
	`93`	`+`
`92`	`94`	`internal bool HasColumnEncryptionKeyStoreProvidersRegistered =>`
`93`	`95`	`_customColumnEncryptionKeyStoreProviders is not null && _customColumnEncryptionKeyStoreProviders.Count > 0;`
`94`	`96`
`@@ -577,6 +579,16 @@ internal int ConnectRetryInterval`
`577`	`579`	`get => ((SqlConnectionString)ConnectionOptions).ConnectRetryInterval;`
`578`	`580`	`}`
`579`	`581`
	`582`	`+ internal SspiContextProvider SspiContextProvider`
	`583`	`+ {`
	`584`	`+ get { return _sspiContextProvider; }`
	`585`	`+ set`
	`586`	`+ {`
	`587`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: value));`
	`588`	`+ _sspiContextProvider = value;`
	`589`	`+ }`
	`590`	`+ }`
	`591`	`+`
`580`	`592`	`/// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/ConnectionString/*' />`
`581`	`593`	`[DefaultValue("")]`
`582`	`594`	`#pragma warning disable 618 // ignore obsolete warning about RecommendedAsConfigurable to use SettingsBindableAttribute`
`@@ -645,7 +657,7 @@ public override string ConnectionString`
`645`	`657`	`CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback(connectionOptions);`
`646`	`658`	`}`
`647`	`659`	`}`
`648`		`- ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback));`
	`660`	`+ ConnectionString_Set(new SqlConnectionPoolKey(value, _credential, _accessToken, _accessTokenCallback, _sspiContextProvider));`
`649`	`661`	`_connectionString = value; // Change _connectionString value only after value is validated`
`650`	`662`	`CacheConnectionStringProperties();`
`651`	`663`	`}`
`@@ -705,7 +717,7 @@ public string AccessToken`
`705`	`717`
`706`	`718`	`_accessToken = value;`
`707`	`719`	`// Need to call ConnectionString_Set to do proper pool group check`
`708`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, null));`
	`720`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, null, sspiContextProvider: null));`
`709`	`721`	`}`
`710`	`722`	`}`
`711`	`723`
`@@ -727,7 +739,7 @@ public Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticati`
`727`	`739`	`CheckAndThrowOnInvalidCombinationOfConnectionOptionAndAccessTokenCallback((SqlConnectionString)ConnectionOptions);`
`728`	`740`	`}`
`729`	`741`
`730`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, null, value));`
	`742`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, null, value, sspiContextProvider: null));`
`731`	`743`	`_accessTokenCallback = value;`
`732`	`744`	`}`
`733`	`745`	`}`
`@@ -1029,7 +1041,7 @@ public SqlCredential Credential`
`1029`	`1041`	`_credential = value;`
`1030`	`1042`
`1031`	`1043`	`// Need to call ConnectionString_Set to do proper pool group check`
`1032`		`- ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, accessToken: _accessToken, accessTokenCallback: _accessTokenCallback));`
	`1044`	`+ ConnectionString_Set(new SqlConnectionPoolKey(_connectionString, _credential, _accessToken, _accessTokenCallback, sspiContextProvider: null));`
`1033`	`1045`	`}`
`1034`	`1046`	`}`
`1035`	`1047`
`@@ -2184,7 +2196,7 @@ public static void ChangePassword(string connectionString, string newPassword)`
`2184`	`2196`	`throw ADP.InvalidArgumentLength(nameof(newPassword), TdsEnums.MAXLEN_NEWPASSWORD);`
`2185`	`2197`	`}`
`2186`	`2198`
`2187`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null);`
	`2199`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential: null, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2188`	`2200`
`2189`	`2201`	`SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);`
`2190`	`2202`	`if (connectionOptions.IntegratedSecurity \|\| connectionOptions.Authentication == SqlAuthenticationMethod.ActiveDirectoryIntegrated)`
`@@ -2236,7 +2248,7 @@ public static void ChangePassword(string connectionString, SqlCredential credent`
`2236`	`2248`	`throw ADP.InvalidArgumentLength(nameof(newSecurePassword), TdsEnums.MAXLEN_NEWPASSWORD);`
`2237`	`2249`	`}`
`2238`	`2250`
`2239`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);`
	`2251`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2240`	`2252`
`2241`	`2253`	`SqlConnectionString connectionOptions = SqlConnectionFactory.Instance.FindSqlConnectionOptions(key);`
`2242`	`2254`
`@@ -2277,7 +2289,7 @@ private static void ChangePassword(string connectionString, SqlConnectionString`
`2277`	`2289`	`{`
`2278`	`2290`	`con?.Dispose();`
`2279`	`2291`	`}`
`2280`		`- SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null);`
	`2292`	`+ SqlConnectionPoolKey key = new SqlConnectionPoolKey(connectionString, credential, accessToken: null, accessTokenCallback: null, sspiContextProvider: null);`
`2281`	`2293`
`2282`	`2294`	`SqlConnectionFactory.Instance.ClearPool(key);`
`2283`	`2295`	`}`
Original file line number	Diff line number	Diff line change
`@@ -411,7 +411,7 @@ internal void Connect(ServerInfo serverInfo,`
`411`	`411`	`// AD Integrated behaves like Windows integrated when connecting to a non-fedAuth server`
`412`	`412`	`if (integratedSecurity \|\| authType == SqlAuthenticationMethod.ActiveDirectoryIntegrated)`
`413`	`413`	`{`
`414`		`- _authenticationProvider = _physicalStateObj.CreateSspiContextProvider();`
	`414`	`+ _authenticationProvider = Connection._sspiContextProvider ?? _physicalStateObj.CreateSspiContextProvider();`
`415`	`415`
`416`	`416`	`if (!string.IsNullOrEmpty(serverInfo.ServerSPN))`
`417`	`417`	`{`
Original file line number	Diff line number	Diff line change
`@@ -18,10 +18,12 @@ internal class SqlConnectionPoolKey : DbConnectionPoolKey`
`18`	`18`	`private readonly SqlCredential _credential;`
`19`	`19`	`private readonly string _accessToken;`
`20`	`20`	`private Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> _accessTokenCallback;`
	`21`	`+ private SspiContextProvider _sspiContextProvider;`
`21`	`22`
`22`	`23`	`internal SqlCredential Credential => _credential;`
`23`	`24`	`internal string AccessToken => _accessToken;`
`24`	`25`	`internal Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> AccessTokenCallback => _accessTokenCallback;`
	`26`	`+ internal SspiContextProvider SspiContextProvider => _sspiContextProvider;`
`25`	`27`
`26`	`28`	`internal override string ConnectionString`
`27`	`29`	`{`
`@@ -33,12 +35,18 @@ internal override string ConnectionString`
`33`	`35`	`}`
`34`	`36`	`}`
`35`	`37`
`36`		`- internal SqlConnectionPoolKey(string connectionString, SqlCredential credential, string accessToken, Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback) : base(connectionString)`
	`38`	`+ internal SqlConnectionPoolKey(`
	`39`	`+ string connectionString,`
	`40`	`+ SqlCredential credential,`
	`41`	`+ string accessToken,`
	`42`	`+ Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> accessTokenCallback,`
	`43`	`+ SspiContextProvider sspiContextProvider) : base(connectionString)`
`37`	`44`	`{`
`38`	`45`	`Debug.Assert(credential == null \|\| accessToken == null \|\| accessTokenCallback == null, "Credential, AccessToken, and Callback can't have a value at the same time.");`
`39`	`46`	`_credential = credential;`
`40`	`47`	`_accessToken = accessToken;`
`41`	`48`	`_accessTokenCallback = accessTokenCallback;`
	`49`	`+ _sspiContextProvider = sspiContextProvider;`
`42`	`50`	`CalculateHashCode();`
`43`	`51`	`}`
`44`	`52`
`@@ -47,6 +55,8 @@ private SqlConnectionPoolKey(SqlConnectionPoolKey key) : base(key)`
`47`	`55`	`_credential = key.Credential;`
`48`	`56`	`_accessToken = key.AccessToken;`
`49`	`57`	`_accessTokenCallback = key._accessTokenCallback;`
	`58`	`+ _sspiContextProvider = key._sspiContextProvider;`
	`59`	`+`
`50`	`60`	`CalculateHashCode();`
`51`	`61`	`}`
`52`	`62`
`@@ -61,7 +71,8 @@ public override bool Equals(object obj)`
`61`	`71`	`&& _credential == key._credential`
`62`	`72`	`&& ConnectionString == key.ConnectionString`
`63`	`73`	`&& _accessTokenCallback == key._accessTokenCallback`
`64`		`- && string.CompareOrdinal(_accessToken, key._accessToken) == 0);`
	`74`	`+ && string.CompareOrdinal(_accessToken, key._accessToken) == 0`
	`75`	`+ && _sspiContextProvider == key._sspiContextProvider);`
`65`	`76`	`}`
`66`	`77`
`67`	`78`	`public override int GetHashCode()`
`@@ -94,6 +105,11 @@ private void CalculateHashCode()`
`94`	`105`	`_hashValue = _hashValue * 17 + _accessTokenCallback.GetHashCode();`
`95`	`106`	`}`
`96`	`107`	`}`
	`108`	`+`
	`109`	`+ if (_sspiContextProvider != null)`
	`110`	`+ {`
	`111`	`+ _hashValue = _hashValue * 17 + _sspiContextProvider.GetHashCode();`
	`112`	`+ }`
`97`	`113`	`}`
`98`	`114`	`}`
`99`	`115`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ private void LoadSSPILibrary()`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
`52`		`- protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams)`
	`52`	`+ protected override bool GenerateContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams)`
`53`	`53`	`{`
`54`	`54`	`#if NETFRAMEWORK`
`55`	`55`	`SNIHandle handle = _physicalStateObj.Handle;`
`@@ -62,7 +62,7 @@ protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlo`
`62`	`62`	`var sendLength = s_maxSSPILength;`
`63`	`63`	`var outBuff = outgoingBlobWriter.GetSpan((int)sendLength);`
`64`	`64`
`65`		`- if (0 != SniNativeWrapper.SniSecGenClientContext(handle, incomingBlob, outBuff, ref sendLength, authParams.Resource))`
	`65`	`+ if (SniNativeWrapper.SniSecGenClientContext(handle, incomingBlob, outBuff, ref sendLength, authParams.Resource) != 0)`
`66`	`66`	`{`
`67`	`67`	`return false;`
`68`	`68`	`}`