I'm trying to store connection string of SQL Server in Azure keyvault and use the same secret in linked service of Azure datafactory.
I'm trying to specify the name of the Azure Key Vault secret that stores the destined Azure SQL Database linked service's connection string
Server=tcp:<servername>.database.windows.net,3342;Database=<databasename>;User ID=<username>#<servername>;Password=<password>;Trusted_Connection=False;Encrypt=True;Connection Timeout=30
But I am facing the below error:
Cannot connect to SQL Database: 'tcp:xxxx.database.windows.net,3342', Database: 'databasename', User: 'username#servername'. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access. Login failed for user 'username#servername'., SqlErrorNumber=18456,Class=14,State=1, Activity ID: 20aa7503-3b71-4539-a658-a2b5be87278f.
How can I create and use a connection string in ADF linked service using AKV?
It seems to be an issue with SQL server firewall blocking Azure Integration Runtime IP address. Please go to the SQL server in Portal - > Firewalls and virtual networks option under Security and enable Allow Azure Services and resources to access this server.
To know the IP address that needs to be add in the Firewall Rules, just run any SQL query in the database and the error message will occur asking to whitelist the IP. Either click on that error message or add the IP manually in the Rule name under Firewall.
Apart from that you need to add the database connection string in the Key Vault Secret Value and then add the secret name in the ADF SQL database linked service and check the connection(add database password in the connection string before pasting in Secret's Value). Give the read rights (GET and List) to the secret in the access policies.
Create a ADF Linked Service of the Key Vault you have created previously and check the connection.
Using that Key Vault Linked Service, create the SQL Database linked service and check for connection.
Refer to the link for step-by-step implementation to connect the SQL Database in ADF using Azure Key Vault.
Related
I have stored SQL server credentials(like username, password) in the secrets of azure keyvault.
For this, I have created keyvault connector(Get secrets) and SQL server connector(Execute query).
But as per requirement I need to add the dynamic SQL server connector who will fetch the SQL server credentials from secrets and try to login.
So is there any way to make SQL server connector dynamic.
No, this is not possible. Azure stores the service (in this case a SQL database) credentials and connection information in an API Connection resource and this is currently the only way that these actions can work.
As an alternative, you could use Azure Functions to connect to the database, which have many of the same triggering patterns available and allow you to write any code you need (within reason) to acquire secrets through whatever mechanism is most suitable.
I have a SQL Azure instance and an associated user.
The password of this user is stored as a Secret in Azure Key Vault.
Now, I have to hand over the connection string to this database to the Reports team for them to generate reports out of the database.
How can I hand this off so that the credentials are secure & the connection string does not actually store the password in a clear text format ?
One option is to use Azure AD Auth for your SQL instance. Then you can create specific user accounts for the BI team.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
In Azure Server/Database firewall we can set the IP from which connections to the SQL Server can be made. However if I set any IP address eg. 101.202.203.204, then all users of the database can connect through that IP.
There is one user which is used by the application. I do not want anyone to connect to the production database using this username. This connection should only be permissible from the VM hosting the application in Azure.
In SQL Server there is a feature named Logon trigger wherein I can determine the username and the IP address from where the connection is being made and accordingly refuse if the connection request is invalid. This feature would have been helpful, however this feature is not available in the Azure SQL Server which I am using as a service.
Thanks in advance.
I'm not sure that this is the best way to secure a SQL Server/SQL Azure database, but technically you can do this using a login trigger where you check the user name and the IP address in the trigger. There's an example in the docs for triggers here that is basically what you are requesting (checks the login name). You'd just need to join with sys.dm_exec_connections and validate that the IP address is what you wanted.
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-2017
I created a SQL Server instance on Amazon web services. I can remote into it ok.
I created a new login ID and password through the management app, but when I try to connect with the data source administrator in windows I am getting a login failed error. I have tried this several times so I am sure I am not putting the wrong password in.
I have another sql server set up that I can create a login ID and connect to fine.
Any suggestions on what to try?
A couple of things to check:
Have you opened up port 1433 (or your custom TCP port if you specified one) in the security group associated with your EC2 instance (I assume it's EC2 since you said you can remote in)?
Have you created both a SQL Server login and a database user? SQL Server requires two objects for a login: A server login object and a database user object. See more details here: https://msdn.microsoft.com/en-us/library/aa337545(v=sql.105).aspx.
Our custom SharePoint site uses a standard connection string (in web.config) to a remote sql server using a sql server authentication. I need to know if it is possible to change this connection to use a SharePoint service account instead of a sql server account. If so, how do specify the service account in the connection string and how do you create a login and user for an sp service account when that user does not exist on the sql server machine and nor is it available on Active Directory.
Update:
I think I need to use integrated security in the connection string and run db calls within SPSecurity.RunWithElevatedPrivileges block. If i use this as a delegate, what sp account will the code be executed under and how do i assign a sql server login to a sharepoint account on a remote machine. Any links to sample code or articles explaining this process would be helpful.
Thanks.
From the SQL Server side, you should create a domain account for Sharepoint in AD. Then you log in to SQL Server via Management Studio (SQL2005 or later), on the left hand side click on security tab, and add a new login - you'll enter the domain Sharepoint service account, and give it the relevant permissions to the databases it needs to access.
For the Sharepoint side, you probably can edit web.config but there must be a Sharepoint admin tool to take care of this properly.