Create YAML Kerberos Test Pipeline#4252
Open
paulmedynski wants to merge 25 commits intomainfrom
Open
Conversation
ADO does not macro-expand secret variables inside inline pwsh scripts. Use env: mapping to pass REMOTE_TCP_CONN_STRING, REMOTE_NP_CONN_STRING, KerberosDomainUser, KerberosDomainPassword, and managedSNI as environment variables, then access them via $env:VAR_NAME in PowerShell.
- BuildAll BuildAllConfigurations (Windows) - BuildAll BuildSqlClient (Linux) - Remove nonexistent BuildTestsNetFx/BuildTestsNetCore steps (tests build via RunTests) - Add -p:ReferenceType=Project for all build and test steps - Add -p:GenerateNuget=false to skip package generation - Use multi-line msbuildArguments for readability
BuildAllConfigurations builds GenAPI tools and cross-OS packages which are not needed for testing and fail due to .NET 10 SDK incompatibility with VS 2022. BuildSqlClient is leaner — builds only the driver, which is all the test pipeline needs.
VS MSBuild (MSBuild@1) does not fully support .NET 10 SDK, causing NETSDK1005 errors when resolving P2P references across TFMs (net8.0 target for Microsoft.SqlServer.Server which only targets net46/netstandard2.0). - Windows netfx: use -t:BuildNetFx (only builds net462, avoids net8.0) - Windows netcore: switch to DotNetCoreCLI@2 (dotnet msbuild) which uses the .NET 10 SDK properly, matching the Linux build pattern - Remove separate Restore step for netcore (restore runs inside BuildSqlClient dependency chain) - Linux: unchanged (already uses DotNetCoreCLI@2)
The BuildSqlClient target restores SqlServer.Server standalone for net46/netstandard2.0, but when the NetCore driver P2P references it, the .NET 10 SDK looks for net8.0 in the assets file and fails with NETSDK1005. Running a full -t:restore first (which restores all projects including P2P dependency chains) creates proper assets files before the build begins. This matches the CI pipeline pattern.
BuildSqlClient succeeds locally but fails on ADO agents with NETSDK1005 because stale project.assets.json files from previous runs are cached in the agent workspace. Adding an explicit clean of obj/ and artifacts/ folders before restore ensures a fresh build environment.
…uildTools=false Match the CI pipeline pattern exactly: - Use MSBuild@1 (VS MSBuild) which is what the CI pipeline uses on Windows - Use BuildAllConfigurations target (what CI uses, builds all OS variants) - Add -p:BuildTools=false to skip GenAPI tools (avoids net10/VS2022 compat issue) - Remove clean step (not needed with correct build target) - BuildSqlClient with DotNetCoreCLI@2 fails on agents due to SqlServer.Server being resolved for net8.0 through P2P dependency chain, even though it only works locally
BuildAllConfigurations uses BuildNetCoreAllOS which builds the driver for all OS variants (Unix, Windows_NT, AnyOS). This is unnecessary for a test pipeline and may contribute to the NETSDK1005 error where SqlServer.Server is incorrectly built for net8.0. BuildNetCore builds only for the host OS and is the appropriate target for test pipelines that just need the driver built locally.
Build the netcore driver csproj directly with 'dotnet build' via DotNetCoreCLI@2 instead of using build.proj targets (BuildNetCore, BuildAllConfigurations). build.proj's dependency chain includes BuildSqlServer which causes Microsoft.SqlServer.Server.csproj to be built with TargetFramework=net8.0 as a global property, triggering NETSDK1005 because its assets file only has targets for net46 and netstandard2.0. Building the driver csproj directly avoids this entirely: the driver uses a PackageReference to SqlServer.Server (version 1.0.0 from NuGet), not a ProjectReference. The driver's P2P dependencies (Abstractions, Logging) are automatically built via their ProjectReferences. The RunTests step continues to use build.proj since it just invokes 'dotnet test' via Exec, which uses the dotnet SDK for TFM resolution.
Root cause: self-hosted ADO agents preserve workspace between runs. Stale project.assets.json files from prior runs (which may have been restored via build.proj with different global properties) cause NETSDK1005 when the build tries to use them. Changes: - Add workspace.clean=all at the job level for full workspace purge - Explicitly delete obj/ dirs for all P2P dependencies before build - Separate restore step with 'dotnet restore' (proper TFM negotiation) - Build with --no-restore to prevent implicit restore from skipping the fresh restore output
The .NET 10 SDK on self-hosted ADO agents fails to negotiate TFMs for ProjectReferences from net8.0/net9.0 projects to netstandard2.0 projects. Instead of negotiating net8.0 -> netstandard2.0, MSBuild passes TargetFramework=net8.0 directly, causing NETSDK1005 because the assets file only has targets for netstandard2.0. The workaround creates a temporary Directory.Build.targets that sets SetTargetFramework metadata on Extensions P2P references. When SetTargetFramework is set, MSBuild skips the GetTargetFrameworks negotiation protocol and uses the specified TFM directly. The file is removed before the test step to avoid affecting test builds.
…t:BuildNetCore The .NET 10 SDK fails to negotiate TFMs for P2P references to netstandard2.0 projects (Abstractions, Logging) when building the .csproj directly, causing NETSDK1005. Using build.proj -t:BuildNetCore routes through the standard build targets which handle dependencies correctly, matching the approach used in the Windows-netfx stage.
- Added missing Kerberos password variable.
- Restricting the build steps to use OS-specific targets.
…y used as the MSBuild TargetFramework.
- Extracted the comon build/test steps to avoid duplication.
- Reduced job timeout to 90 minutes from 360 (6 hours!).
paulmedynski
added
the
Hotfix Candidate 🚑
Contributor
There was a problem hiding this comment.
Pull request overview
Redesigns the Kerberos authentication test pipeline under eng/pipelines/kerberos/ to use shared templates and DotNetCoreCLI@2, while expanding schedule/branch coverage and improving resiliency.
Changes:
- Replaces per-OS inline build/test logic with a shared
build-and-test-steps.ymltemplate (build + unit/functional/manual + publish artifacts). - Updates the main Kerberos pipeline to a daily schedule across
main,release/6.1, andrelease/7.0, and renames matrixtargetFramework→testFrameworkto avoid MSBuild property collisions. - Refreshes Linux Kerberos domain join/cleanup templates and adds task retry logic to build/test steps.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| eng/pipelines/kerberos/sqlclient-kerberos.yml | New end-to-end Kerberos pipeline definition (Windows + Linux matrices + code coverage merge). |
| eng/pipelines/kerberos/build-and-test-steps.yml | New shared build/test/publish steps template using DotNetCoreCLI@2 and retry settings. |
| eng/pipelines/kerberos/linux-init-step.yml | New Linux Kerberos domain join + kinit template used by Linux stage. |
| eng/pipelines/kerberos/linux-cleanup-step.yml | New Linux cleanup template for leaving domain and destroying credentials. |
paulmedynski
commented
May 1, 2026
| clean: all # Purge obj/artifacts from prior runs on self-hosted agents | ||
| strategy: | ||
| matrix: | ||
| # Azure Pipelines exposes matrix variables as environment variables for each step. |
Contributor
Author
There was a problem hiding this comment.
This was fun to diagnose. The surprising interactions between pipeline variables, environment variables, and MSBuild was causing the transitive SqlServer build to use net9.0, which it doesn't target. Ooof!
| # Run tests in separate steps to permit focused retries. | ||
| # --------------------------------------------------------------------------- | ||
|
|
||
| # Run the Unit Test suite. |
Contributor
Author
There was a problem hiding this comment.
I confirmed that the old Classic Kerberos pipeline was running all available tests as well - no extra filters, no test sets. The new build.proj Test* targets achieve the same thing.
I suspect we could narrow this down substantially, but that is an optimization for another day.
|
|
||
| # Give our coverage files a unique name to make it clear where they originated when we download | ||
| # the artifacts from all jobs in the merge stage. | ||
| - pwsh: | |
Contributor
Author
There was a problem hiding this comment.
I confirmed that the test results and code coverage are published to the pipeline run, and show up in the Test and Code Coverage tabs.
Contributor
Author
There was a problem hiding this comment.
The Linux Kerberos init/cleanup was brought over directly from the Classic pipeline tasks.
| branches: | ||
| include: | ||
| - main | ||
| - release/6.1 |
Contributor
Author
There was a problem hiding this comment.
We will have to backport this new pipeline to 7.0 and 6.1, with appropriate tweaks for the build/test targets on those branches.
| pool: | ||
| name: ADO-Trusted-Domain-Win-WestUS2 | ||
| demands: | ||
| - ImageOverride -equals ADO-MMS22-SQL19 |
Contributor
Author
There was a problem hiding this comment.
We can probably use a slimmer image here - we don't use a local SQL Server at all. Same for Linux. A future optimization.
paulmedynski
changed the title
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4252 +/- ##
==========================================
- Coverage 66.05% 64.52% -1.54%
==========================================
Files 277 272 -5
Lines 42988 65783 +22795
==========================================
+ Hits 28396 42445 +14049
- Misses 14592 23338 +8746
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
paulmedynski
added
the
Area\Engineering
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Redesigns the Kerberos authentication test pipeline with the following improvements:
Changes
MSBuild@1tasks withDotNetCoreCLI@2for better .NET tooling integrationbuild-and-test-steps.ymltemplate shared by both Windows and Linux stagestargetFrameworktotestFrameworkto prevent MSBuild property collision (fixes NETSDK1005 build failures)retryCountOnTaskFailure) to test steps for improved resilienceJob Breakdown (10 total)
Files Modified
eng/pipelines/kerberos/sqlclient-kerberos.yml- Main pipeline definitioneng/pipelines/kerberos/build-and-test-steps.yml- NEW shared steps templateeng/pipelines/kerberos/linux-init-step.yml- Formatting updateseng/pipelines/kerberos/linux-cleanup-step.yml- Formatting updatesValidation
testFrameworkvalues (net8.0, net9.0) — no build failuresRelated
Fixes NETSDK1005 error where matrix variable names collided with MSBuild properties.