I have a C# dotnet core 3.1 Azure Function App (named func-utrngen-dev-001) that I'd like to configure to authenticate to a Sql Azure database via managed identity.
Steps Taken:
Created the AAD admin for sql server account
Used that account to open a connection to the sql server
Ran the following to created a "contained user" of the same name as the azure function app
CREATE USER [func-utrngen-dev-001] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [func-utrngen-dev-001]
ALTER ROLE db_datawriter ADD MEMBER [func-utrngen-dev-001]
Ensured that "Allow Azure services and resources to access this server" is set to "Yes" from the Azure Portal under the Sql Server\Security\Firewalls and virtual networks blas
Ensured that System assigned\Status is set to "On" on the function app's Identity blade
When the function app attempts to authenticate, I get the following error:
Login failed for user '<token-identified principal>'
So I installed Microsoft's "MSI Validator" tool and ran through the steps described here.
I ran the following from the Powershell window of a Kudu session:
./msi-validator.exe test-connection -r sql -e "Data Source=sql-utrngen-dev-001.database.windows.net;Initial Catalog=utrngen;"
It successfully obtained a token but then failed with the same error as my function app:
Unable to connect to SQL. Exception : Login failed for user
'<token-identified principal>'
I ran select * FROM sys.fn_get_audit_file(path to tsql audit blob) but the results only showed activity from my account logged into SSMS
What should I try next?
The fix was to give the correct name for the database 🤦♂️. More haste less speed
Related
I have successfully created the Self Hosted Integration Runtime and it is showing up and running in ADF as well.
However when I try to create a linked service to connect to SQL database on the on prem system - I am getting the below error:
Cannot connect to SQL Database: '(localdb)\mssqllocaldb', Database: 'XXXX', User: 'XXXXX'.
Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access.
Cannot open database "XXXX" requested by the login. The login failed.
Login failed for user 'NT SERVICE\DIAHostService'., SqlErrorNumber=4060,Class=11,State=1..
The login failed. Login failed for user 'NT SERVICE\DIAHostService'.
This is not a firewall error this is an authentication error.
You have not granted that windows user account NT SERVICE\DIAHostService access to your database.
This issue is identical to this one, which has instructions on how to solve:
Login failed for user 'IIS APPPOOL\ASP.NET v4.0'
To select data from a table in SQL Server you need three things set up:
Network connectivity (this is fine for you, otherwise you'd get a network error)
The user account granted connect access to the server / db (this is what the error is complaining about - you need to do this)
The user account granted sufficient access to select from the table (you also need to do this)
Please do the below :
Allow outbound TCP communication on port 1433 for both the Windows firewall [
Windows-firewall-setup ] and the corporate firewall [ Ports-and-firewalls ]
Configure the firewall settings of the SQL Database to add the IP address of the self-hosted integration runtime machine to the list of allowed IP addresses.
SHIR setup reference
I am trying to deploy a dacpac to a database in Azure SQL server using a release pipeline in azure devops. I was able to deploy a dacpac to one database successfully by adding Azure Object Name as db_owner of that database.
I repeated the same step for a different dacpac, but I am getting an error saying the access failed.
2022-04-06T21:54:52.4823080Z Initializing deployment (Start)
2022-04-06T21:55:49.0595299Z Initializing deployment (Failed)
2022-04-06T21:55:49.0721494Z Time elapsed 0:00:57.89
2022-04-06T21:55:49.2784337Z ##[error]*** An error occurred during deployment plan generation. Deployment cannot continue.
2022-04-06T21:55:49.2883974Z ##[error]Login failed for user '<token-identified principal>'.
using service principal as authentication (using SPN of service connection for the service principal)
DB server : xyz
DB databases : xyz.a xyz.b
a is successful, but b fails on same release pipeline.
it seems like access token was successfully grabbed in the script.
Some dacpac deployments were successful because the dacpacs had permissions that were included in the SG which was set as the AAD Admin of the SQL servers.
The dacpacs which had permissions which were not included in the AAD Admin SG were failing. The solution was to drop the permission objects using the sqlpackage.exe flag:
/p:ExcludeObjectTypes=Users;ServerRoleMembership;ServerRoles;DatabaseRoles;RoleMembership;Users;Permissions
I have created an azure SQL Database ,and trying to create a linked service with this database, but failed with managed identity authentication type.
error messages:
Cannot connect to SQL Database: 'alexwang.database.windows.net', Database: 'alexSQLDatabase', User: ''. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access. Login failed for user ''., SqlErrorNumber=18456,Class=14,State=1, Activity ID: f94c1640-731c-48e4-b423-f05a80e6043d.
You need to login Azure SQL with an AAD administrator and create a EXTERNAL PROVIDER user. I've created a test for this.
Set an AAD administrator to your Azure sql.
Login to your Azure sql with the AAD administrator.
Create a EXTERNAL PROVIDER User with your Azure datafactory name.
CREATE USER [your Data Factory name] FROM EXTERNAL PROVIDER;
ALTER ROLE [role name] ADD MEMBER [your Data Factory name];
Test connection successfully:
I am trying to publish Azure SQL database using Azure SQL Dacpack task in Azure pipelines within an agent job. The authentication type I am using to publish is Service Principal.
I have added service principal as a contained DB user in the Azure SQL database and have given db owner permissions to service principal. When Service principal is a member of Active Directory Admin of Azure SQL Server, the deployment works fine. But , when Service principal is not a member of Active Directory Admin of Azure SQL Server , the deployment fails.
The error that I get is:
Unable to connect to target server . Please verify the connection information such as the server name, login credentials, and firewall rules for the target server. + Login failed for user '< token-identified principal>'. The Azure SQL DACPAC task failed. SqlPackage.exe exited with code 1.
Security team in my organization is not allowing me to have SP as Active Directory Admin of Azure SQL Server.
Azure SQL database only allow server admin/AD admin account to restore/backup the database. That's the permission limit and we can't change it.
Like you said, only if the service principal is a member of Active Directory Admin of Azure SQL Server, the account has the permission restore the database from .BACPAC file.
HTH.
I am trying to enable Active Directory access for an Azure SQL Database. But I ran in a bit of a chicken-egg problem:
On the properties tab of my SQL database, The Active Directory admin shows an AD user group I am a member of
I cannot login. If I try to connect to my database using this AD-user, either via the Query editor (preview) tab or through SSMS, I get "Login failed for user ''."
If I login using the Server admin login or through a SQL account, I can login, but I cannot execute CREATE USER myname FROM EXTERNAL PROVIDER. It returns "Only connections established with Active Directory accounts can create other Active Directory users"
How did I create this mess?
On Azure, I already had a SQL Server with a SQL database. I can login onto that server using my Active Directory account. I had a local database, and in SSMS I selected "Deploy database to Microsoft Azue SQL database..." and selected my existing SQL Server.
As I understand it, AAD needs to know the SQL server, not each individual SQL database. If I do a Point In Time restore of my main database, I can also access this database with my AAD-account. But of course, this database already contains the active directory user group.
So Azure thinks I can logon to the database with my AAD-account,
but the database itself does not know any AAD accounts.
And I can only create AAD accounts in the database when logged in with an AAD-account.
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
No, we can't. In Azure SQL database, you need to first to configure the Azure AD admin for the SQL Server, then login the database with AAD admin account to create the AAD user.
I think you have configured it. As you said you can login with you AAD-account. That's the Azure AD admin account. It has the permission to access all the database.
Important:
To create contained users mapped to Azure AD identities, you must be
logged in using an Azure AD account that is an administrator in the
database in Azure SQL Database. In SQL Managed Instance, a SQL login
with sysadmin permissions can also create an Azure AD login or user.
Ref here: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics