I followed this tutorial from Azure team: Connect to and manage an `Azure SQL Managed Instance in Microsoft Purview. As shown in the image 1 below, the scan process successfully tested the connection. But later the scanning fails with the following error:
Error: (3860) Unable to access sql server with the specified connection parameters. Please ensure that the connection parameters can login to 'master' db to enumerate the other databases in the sql server.
Question: What I may be doing wrong, and can we resolve the issue?
Remarks: As shown in the image below, the database selected for scanning is AdventureWorksLT2019. In Purview, for Authentication, I am using System Assigned Managed Identity (SAMI) that is the name myPurview of my purview account. And myPurview is a member of db_datareader and db_datawriter in the database. Moreover, in the New Login window of SSMS (image 2 below), when I enter myPurview as as AAD account and click ok, the login window recognizes myPurview as a principal identity successfully add it as a login. I verified it by trying the same process by adding a fake name testPuview, and the same login dialog did not recognize it and threw the error Principal testPuview could not be found or this principal type is not supported. (Microsoft SQL Server, Error: 33130).
After myPurview was successfully added as a login, I then added it to database with the read/write permissions. I also followed the Configure public endpoint in Azure SQL Managed Instance article. So, I am not sure what may be causing the error
Image 1:
Image 2:
As per my understanding, Azure purview is failing to scan your Azure SQL managed Instance. A managed VNET IR needs to be created to have the managed private endpoints enabled. Please make sure to check if the option is grey out. Managed private endpoint requires you to set up managed vnet integration runtimes first and also requires data source admin roles. Please let me know if you need further assistance on this.
Related
When I try to add a SQL Server connector to my Logic App I get an error stating "Please check your account info and/or permissions and try again. Details: BadGateway More diagnostic information: x-ms-client-request-id is 'xx-x--xxxxx--xxx'."
I have Contributor access for the Logic App resource. When I try to add a new API Connection or if I try to use an existing connection it throws the same permission error.
Can anyone help me here to understand what additional access/permission is required to access this connector in a Logic App?
Note: My SQL database is on Azure not on-prem.
We have reproduced the same from our end and checked the same. You are receiving this error is might be due to any of the following reasons.
The firewall settings that you have arranged.
Connection settings while adding the SQL SERVER Connector.
The firewall settings that you have arranged.
For this you can go to your Firewall settings from overview pane and set the start and end ip addresses.
Connection settings while adding the SQL SERVER Connector.
For this make sure while you are adding Authentication type for the connector to give correct credentials.
For better results, make sure you are choosing Use both SQL and Azure AD authentication while creating SQL SERVER and set admin credentials for both SQL and Azure AD Authentication types so that you can use any of the either options.
What caused this for me was calling a scalar valued function in a stored procedure block instead of ... a stored procedure. Once I switched to an actual stored proc everything was fine.
I'm new to SQL Server. I was a postgres user before. I installed the default SQL Server on my local machine and I'm trying to get an old react with node js application of mine working with a SQL Server. When ever my frontend makes more than 1 call to the backend, if my SQL Server has admin privileges it throws
Error: 17810: Could not connect because the maximum number of '1' dedicated administrator connections already exists.
If not, it throws:
Error 18451: Only administrators may connect at this time.
I checked my database configs and it's set to MULTI_USERS, so I don't understand why I can't login without admin privileges. Can someone help me with this? I wasn't able to find anything online.
My NodeJS backend is using TypeORM to connect to the database
The dedicated administrator connection is a different kind of connection. It's not just "a connection being made by someone with administrative access". You would use the DAC when the SQL instance is having some kind problem, and you can't connect at all because resources are all tied up. SQL will reserve some resources especially for the DAC connection to make sure you can still connect.
A DAC connection can be made by specifying ADMIN: as part of your connection string, which will connect to the assigned DAC port.
You shouldn't use this for "routine" admin work. Just connect using a login with the required administrative server roles (eg, sysadmin). You definitely shouldn't use this as part of a regular application's connection string. You shouldn't be using a SQL Server sysadmin login either. Create a user with the appropriate permissions for your application, and don't use the admin connection.
Regarding your second issue: Make sure the instance wasn't set to start in single user or minimum configuration mode using startup flags. Note that this is for the whole instance, it's not the same as the configuration for an individual database.
I am following http://msdn.microsoft.com/en-us/library/ff647294.aspx to add authentication to a WCF. My SQL Server is on a different machine than the development server. In Step 1, I am not using SQLExpress but using SQL Server 2012. When I get to the Step 8: Create a User in the User Store, under Security Tab of ASP.net Web Site Administration Tool I see the following message:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
So looks like setting Windows Authentication is the problem. I am not sure what in the multi-step process I have to modify to add authentication to my WCF. Any help will be appreciated.
The example in Your link Access to SQL server is given to a local user NetworkService. This is the default Identity for the Application pool.
In Your case you cannot use a local user account, since the SQL Server is on a different machine.
You need to:
Create a domain account
Grant Access to SQL server to that domain account
Change the Identity for Your Application pool to that of the domain accout
I have an analysis services cube in SQL server 2005 which I'm connecting to via an excel front end.
When I connect via one user its fine, but when I log on to the same machine as another user I get an error in my excel spreadhseet - "user...does not have access to the [Cube name] database"
Obviously the first user has the correct permissions, but how do I set up analysis services to allow other users to join the party?
Login to the machine with an account that is an administrator (Domain\CubeAdmin) on the cube. Connect to the cube in BIDS (run devenv.exe and open Analysis Services Database).
Under Roles, create a reader role and in the Membership tab, add the user account (Domain\NewUser).
All this will only work if the SSAS Server Administrator gives the Domain\NewUser access to the server.
The Windows user accounts that you are trying to access SQL Analysis Services with need to be added to the Roles in the Cube that would allow the permissions you want.
If you are connecting over HTTP using msmdpump.dll through IIS you need to turn on Authentication for that site and allow the Windows user account to access the site.
If the IIS site using msmdpump is on another machine and you aren't using a domain then the accounts would need to exist on both servers with the same password.
I know this is old but for other's reference, I had to repair the MS Office install to resolve a connectivity issue with SSAS. The user was added to the role, but the error "Cannot connect to server" was displayed when connecting.
Raj has already answered the initial question... You need users to be set up with at least read access to your SSAS instance.
However, the error "Cannot connect to server" does not necessarily mean it's an authentication issue, it actually doesn't mean much. I've seen this error on Excel 2007 on various occasions, where the underlying error could be anything, this is just a generic error from Excel.
Several aspects that caused problems on my end were (things to check):
User has access to the web site (if not using anonymous auth)
ADOMD and OLEDB for Analysis Services are installed locally (correct version)
User propagated to SSAS has read access to instance (are you using ApplicationPoolIdentity?)
Handler mapping (script mapping for *.dll) is set up
For a complete guide of how to set up HTTP access for SSAS check:
Microsoft - Configure HTTP Access to SSAS via IIS
Cheers
is it possible to use a database created in a Azure VM as a data source for model which is created in Azure Analysis Services?
So far, when I specify connection properties for the model in the web designer and test connection, I get an error stating "a connection was successfully established with the server, but then an error occurred during the login process. (provider SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
I can connect to the server via SSMS and via RDP.
I created a self-signed certificate in the azure key vault and was able to make the SQL server use it. However I can't seem to find out how to make use of it when connecting the model.
Does anyone know if it's possible and if so, what should I do to make it work?
In the end I managed to make it work. For anyone with similar problem, I will write my solution below.
For the error "The certificate chain was issued by an authority that is not trusted" - just as discussed in the thread linked by TJB in comment, this was because I did not have a CA signed certificate, but a self-signed one.
A CA signed certificate from Azure would probably solve the issue, but I tried the Let's Encrypt site (also linked in the other thread). The issue I had with Let's Encrypt was that I had a windows server, while they natively support linux-based systems.
However I found an article by Daniel Hutmacher called Encrypting SQL Server connections with Let’s Encrypt certificates which was solving the very issue I had.
(as for the client tool, the current version is different from the one described in the article, but you can still download the old version on github. I used the lastest november 2017 release). With this I was able to generate and add a CA signed certificate to SQL server.
At this point, I created a model in Azure Analytics Services, used Azure Database as type of source/connection and filled in the connection to my VM SQL server. I saw my database tables, but when I tried to query data, I got a new error, stating that the AAS need an On-premise data gateway set up.
The Microsoft docs Install and configure an on-premises data gateway describes how to install on-premise data gateway on the VM, but if you are like me and use personal account for azure, you will have issues binding your account to the gateway. The solution as hinted here is to create a new account in Azure Active Directory (I created a new user and registered it under my azure custom domain, so the login looked like XXX#zzz.onmicrosoft.com). I gave the user admin role, so as to temporarily avoid any azure permission setbacks. Next I added the user to my subscription via Subscriptions -> "My_subscription" -> Access Control (IAM) and assigned an owner role to the AD user.
Now back on my VM I could bind the new user's account to the gateway (don't forget to change the gateway's region to your preferred region before finishing the setup).
Next, on Azure I created an "on-premise data gateway" service (do note you need to select same region as the one which your VM gateway is located under). I am not sure now, if only the new AD user I created could see the gateway, so in case you do not see it, try the AD user as well.
Last but not least, in the Azure Analytics services I went to the "on-premises data gateway" settings and set it to use the one I just created.
With this I was able to create the model and query the data from database.
Note:
In the model web designed for analytics services I happened to be logged in under the AD user, not under my personal account. Attempting to change the account to my personal one ended up in login failure, however after a few such attempts and opening multiple web designers in separated tabs, I correctly logged in under my personal account. After a while I could no longer replicate the issue.
I guess the issue may have been that I was logged in to Azure under both my personal account and the AD user at the same time in same browser when setting eveything up.