I'm currently trying to answer a problem that can only be answered by combining the datasets of two different Azure SQL databases (different servers, if that matters).
When using user+password authentication, there was a way to do cross-database queries like this (Azure SQL Database Elastic Queries):
CREATE DATABASE SCOPED CREDENTIAL RemoteCredential WITH
IDENTITY = '<remote database user name>',
SECRET = '<remote database user password>'
CREATE EXTERNAL DATA SOURCE RemoteDatabase WITH (
Location = '<database server URL>',
DATABASE_NAME = '<database name>',
CREDENTIAL = RemoteCredential,
TYPE = RDBMS
)
CREATE EXTERNAL TABLE [dbo].[RemoteTable] (
<Remote table definition>
)
SELECT TOP(1) * FROM [RemoteTable]
That worked very well before but we have since migrated to using only managed-identity logins, and user + password authentication is no longer an option.
I've found below snipped to change the credential for managed identity in the context of accessing Azure Storage Accounts here:
CREATE DATABASE SCOPED CREDENTIAL RemoteCredential
WITH IDENTITY = 'Managed Identity'
But this results in the following error message:
Msg 33047, Level 16, State 5, Line 47
Fail to obtain or decrypt secret for credential 'RemoteCredential'.
I've also tried to provide my personal username or the source database server's name, but with the same result.
Some more details:
Both database servers are part of the same tenant and subscription
I've enabled system-assigned identity on the source database server that I am querying.
I've also created an external source user in the target database for the use with managed identity and granted it the required roles.
My user has the required permissions on both databases.
Access with managed identity from my Management Studio works fine for both databases.
The final solution would have to work with Azure SQL databases in Azure China, but I would be grateful for a solution in Azure Global as well.
My current assumption is that managed identity authentication towards other Azure SQL databases from within a SQL query is not yet supported. But maybe someone else has found a way to make this work.
Have you tried Azure SQL Database elastic query.
Is buggy and slow and it's in preview since 2 years now, but it's the closest thing I could find.
Related
I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.
I am trying to create an external table to be able to elastic query across databases on my Azure SQL server. I am following the steps outlined in:
https://learn.microsoft.com/en-us/azure/azure-sql/database/elastic-query-getting-started-vertical and https://www.mssqltips.com/sqlservertip/6445/azure-sql-cross-database-query/.
After creating the master key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master_key_password>';
I then try to create the Database Scoped Credential that I am going to use to access the server for the external database.
CREATE DATABASE SCOPED CREDENTIAL = ElasticDBQueryCred
WITH IDENTITY = '<username I use to login to server>',
SECRET = '<password I use to login to server>';
The error then pops up on IDENTITY that says
Incorrect syntax near 'IDENTITY'. Expecting CREATEDBOPT_BACKUPSTORAGEREDUNDANCY, CREATEDBOPT_CATALOGCOLLATION, CREATEDBOPT_FILESTREAM, CREATEDBOPT_LOGAPPLY, CREATEDBOPT_OTHER, or CREATEDBOPT_PERSISTENT_LOG_BUFFER
There is nothing in the documentation about this.
I'm currently working through an example on cross database queries on SQL Azure. http://www.c-sharpcorner.com/article/cross-database-queries-in-azure-sql/
I'm currently working on the following section -
CREATE EXTERNAL DATA SOURCE RefmyDemoDB2
WITH
(
TYPE=RDBMS,
LOCATION='your server name',
DATABASE_NAME='myDemoDB2',
CREDENTIAL= your “Server admin login”
);
I'm getting the following error The specified credential cannot be found or the user does not have permission to perform this action.
I have the correct LOCATION and DATABASE_NAME however the CREDENTIAL seems wrong. I am using the Server-Admin account that is displayed in the overview of the database server on Azure, I also use this role to log into management studio and can query both databases ok.
Can anyone please advise?
Try this, Creating new Credentials
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'STrongPA5swor$';
CREATE DATABASE SCOPED CREDENTIAL MyLogin
WITH IDENTITY = 'MyLogin',
SECRET = 'STrongPA5swor$';
CREATE EXTERNAL DATA SOURCE PHPSTGRemoteReferenceData
WITH
(
TYPE=RDBMS,
LOCATION='servername',
DATABASE_NAME='DBName',
CREDENTIAL= MyLogin
);
This works for me
I have a Premium P2 SQL Azure Database for my Production App, and for security reasons I've created DB Specific Schemas/Views/Roles and a specific DB User account for reading the Data from SSRS Queries.
Lets just call the server PRIMARY and my database MyApp
The setup script for this is below.
-- On Primary Master
CREATE LOGIN ssrsuser WITH password='******'
-- On Primary MyApp
CREATE USER ssrsuser FOR LOGIN ssrsuser
CREATE ROLE [ssrsreader] AUTHORIZATION [db_owner]
GRANT SELECT ON SCHEMA :: [App] TO [ssrsreader]
GRANT SELECT ON SCHEMA :: [Reports] TO [ssrsreader]
EXEC sp_addrolemember 'ssrsreader', 'ssrsuser'
So our users were putting a LOT of load on the Prod DB and we decided it was time to move the reporting functions off to a secondary sync'd slave database.
Since we're using the SQL Azure Premium Tier, we can enable Active Geo-Replication with a read-only secondary copy. In fact MS even say that it's suitable for read-only workloads such as reporting.
So I've setup the SECONDARY server, enabled the seeding, it's now complete and I can access the readonly copy using the SECONDARY admin user and password.
But the SECONDARY server doesn't have a login for ssrsuser and I while I can create one in SECONDARY.master, I can't DROP RECREATE the user since the SECONDARY.MyApp database is in readonly mode.
Is there any otherway to get around this. I really don't want to have to put the SECONDARY server admin user & password into SSRS connection strings.
There is no need to regenerate SID for ssruser in the user database. It is already there as a result of replication. All you need to do is associate that SID with a LOGIN in the master in the secondary server. This article provides the details.
https://azure.microsoft.com/en-us/documentation/articles/sql-database-geo-replication-security-config/
I hope this helps.
Let me describe the problem, my current portal is using AD login and pwd details to authenticate external users. I will have the new portal which will keep logins and pwds in SQL Server in a table. I need to migrate logins/pwds from AD domain to the sql database so external users can use their old password. Is it possible? How should i approach that?
Thank you for any help,
Rafal
Gathering the list of usernames should not be a problem. However SQL Server stores hashed versions of passwords, and presumably Active Directory does this differently. I don't see any solution except to create a bridge application under Active Directory that logs them into SQL Server under a temporary password and let's them assign a new password.
The permissions should be with the databases. Perhaps you've lost the association between the server logins and the database users. See if their SIDs are different. If so you can fix them with
ALTER USER with login =
or
exec sp_change_users_login (check books online for how to use this)
http://technet.microsoft.com/en-us/library/ms174378.aspx