AWS glue NTLM authentication - sql-server

I'm trying to connect to an on-prem SQL Server from AWS Glue using NTLM authentication. To do that I need to add the following arguments to the connection URL:
integratedSecurity=true;authenticationScheme=NTLM
But when I add them, Glue throws an error saying the URL is invalid.
Any insights on how to resolve this would be great.

Related

How does SqlClient get the 'scope' of Azure SQL Server when using Azure Active Directory as the authentication method?

As I understand it, to get selective authorization for a protected resource using the Azure AD based OAuth 2.0 mechanism, the client application needs to mandatorily provide the scope URL for getting an access token.
Other parameters usually include client ID, client secret (in case of Service Principal auth flow), Azure AD username and password, etc.
SqlClient has integrated the Azure AD OAuth mechanism with SqlClient for authorizing a database connection.
So, I guess SqlClient also needs these parameters for establishing a connection to Azure SQL Server using the Azure Active Directory authentication method.
But I don't see that it accepts any scope from the client application.
How does SqlClient get the scope for a particular Azure SQL Server instance? I see that it gets something as Federated Authentication Info from the server but I don't understand it completely.
The scope required for SQL Server Authentication access tokens is https://database.windows.net/.default which stands for default scopes/permissions for the https://database.windows.net/ resource.
Once an access token is obtained you pass it through the SqlConnection.AccessToken property.

Is it possible to connect to snowflake in Azure Databricks using Oauth token from an existing Service Principal?

I am trying to connect to Snowflake in Databricks using an Azure access token generated from an existing Service Principal (not using the documentation's method to create one as I don't have the permissions to). Currently I am receiving the error "Invalid OAuth access token".
I believe the solution is I need snowflake to grant access to the service principal, however not sure how to do this or if it is even possible?
According to this Snowflake document, programmatic SSO with Federated Authentication (like you would need in a Databricks notebook) is only available for the Okta identity provider - even though Microsoft Azure Active Directory is among their supported Identity Providers

JDBC using Azure Active Directory credentials

I'm getting wrong username or password when trying to make a JDBC connection to snowflake. I believe the culprit is that there is an Azure Active Directory layer between the connection. Is there a specific way I should be handling making this connection while using the azure credentials from my Java app through Azure Active Directory to Snowflake? Thanks in advance!
In your JDBC connection parameters, you need to set the authenticator parameter to externalbrowser or, depending on the setup, possibly to oauth with a setting for the oauth token parameter.
You can read more about OAuth here, https://docs.snowflake.com/en/user-guide/oauth-custom.html
The section specific to OAuth on JDBC on that page is here, https://docs.snowflake.com/en/user-guide/jdbc-configure.html#label-jdbc-connection-parameters. Scroll down from that bookmark on the page to the authenticator parameter section.

PowerBI + Snowflake (AWS privateLink): 'SSL peer certificate or SSH remote key was not OK'

PowerBI: Version: 2.86.727.0 64-bit (October 2020)
ODBC Connector: PowerBI's integrated Snowflake ODBC connector (out of the box one)
Snowflake: .southeast-2.privatelink.snowflakecomputing.com
Authentication: OAuth2.0 integration with AAD
Error Message while connecting from PowerBI:
Details: "ODBC: ERROR [HY000] [Microsoft][Snowflake] (4)
REST request for URL https://bhp_dev.ap-southeast-2.privatelink.snowflakecomputing.com:443/session/v1/login-request?requestId=6100abf5-7441-4dc8-8b86-35f44ca0e94c&request_guid=257da304-137e-4e39-95b0-edfff416fb0d&warehouse=COST_MONITOR
failed: CURLerror (curl_easy_perform() failed) - code=60 msg='SSL peer certificate or SSH remote key was not OK' osCode=9 osMsg='Bad file descriptor'
Snowflake setup:
created a security integration to enable SSO as per the doco link
created a network policy to include the PowerBI and PowerQueryEditor network addresses
assigned the network policy to a user
PowerBI setup:
nothing special.
The SSO works ok when the Snowflake is not using private links.
Any ideas would be greatly appreciated.
Currently, the Snowflake Power BI SSO feature has the following limitations:
AWS PrivateLink and Azure Private Link are not supported. If it is necessary to use either of these two services to connect to Snowflake, use the on-premises gateway to connect. This pathway will not provide single sign-on.
https://docs.snowflake.com/en/user-guide/oauth-powerbi.html#limitations

Explanation of IdentityServer4 logout spec

We are using IdentityServer4. We have a Windows 2016 server running ADFS (Active Directory Federation Services) version 4.0. This version of ADFS has OpenID Connect endpoints to do active directory authentication. We set this up as an external oidc provider in IdentityServer4. The authentication works fine. What I'm having an issue with is the logout. The current logout correctly disposes of the identity server and client cookies, but doesn't log the user out of the external provider (ADFS). I upgraded the ADFS server so the metadata endpoint exposes end_session_endpoint, frontchannel_logout_supported, and frontchannel_logout_session_supported properties.
What is the proper way to have our identityserver4 implementation also ask the external provider to perform a logout when it does? I'm a little confused by the spec.
http://docs.identityserver.io/en/release/topics/signout_external_providers.html
http://docs.identityserver.io/en/release/topics/signout.html#refsignout
I'm not sure if the front-channel or back-channel is what I should be looking at in this scenario or if this is even related. The spec also mentions an idp value at authentication time that would indicate to the identity server that an external provider needs a logout as well. Is this what I should be looking at? Little lost. Looking for guidance. Thanks!