From d5918c15fdedfb2dfd5b364c655a8b1c87e671be Mon Sep 17 00:00:00 2001
From: Ubuntu <renaud.hartert@databricks.com>
Date: Fri, 31 Oct 2025 19:40:08 +0000
Subject: [PATCH] Fix proxy canonical override

---
 NEXT_CHANGELOG.md                                            | 2 ++
 .../main/java/com/databricks/sdk/core/utils/ProxyUtils.java  | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index 8f5e9e908..03b21cb1a 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -6,6 +6,8 @@
 
 ### Bug Fixes
 
+* Fix proxy SPNego authentication to respect krb5.conf canonicalization settings instead of forcing hostname canonicalization. The SDK now defers to the Kerberos library configuration for hostname resolution. **Migration note**: If you experience new Kerberos authentication failures with proxy servers after upgrading, verify that your `krb5.conf` canonicalization settings (`rdns` and `dns_canonicalize_hostname`) are correctly configured for your environment.
+
 ### Security Vulnerabilities
 
 ### Documentation
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
index b02a38d39..2f686e9e9 100644
--- a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
+++ b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
@@ -128,7 +128,10 @@ public Principal getUserPrincipal() {
         .setDefaultCredentialsProvider(credsProvider)
         .setDefaultAuthSchemeRegistry(
             RegistryBuilder.<AuthSchemeProvider>create()
-                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
+                // Use SPNegoSchemeFactory with useCanonicalHostname=false to defer hostname
+                // canonicalization to the Kerberos library based on krb5.conf settings
+                // (rdns, dns_canonicalize_hostname) rather than forcing canonicalization.
+                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
                 .build());
   }