Azure AD Application Proxy - azure-active-directory

I have a number of VMs under one domain. I am setting up kerberos and a part of it is installing the Azure AD App Proxy connector. I have installed the connector in one of the servers but the application that I published is in a different server. Would this still work or I need to install the connector to the specific server where the published application is?

The connectors must be installed on a Windows Server that has access to the backend application
Install the connector on a machine running Windows Server 2012 R2 or later. The connector needs to communicate with the Application Proxy service and the on-premises applications that you publish.
The windows server needs to have TLS 1.2 enabled before you install the Application Proxy connector
If you are installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to properly work. This is disabled by default in earlier versions of supported operating systems.
You may refer this for more information https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-connectors

Related

How to use azure sql db managed identity authentication for local development and on external tomcat (for deployment)?

I have a spring boot application connected to azure sql db using sql authentication (user/pass). It's working fine on local development and when the .war is deployed to external tomcat because the application is to be used on a linux environment.
I'm trying to use managed identity for authentication and came upon this link.
I tried to implement it on my spring boot application but I'm getting this error:
"Windows logins are not supported in this version of sql server."
Also can this be used if I am not using azure cloud? As I mentioned earlier the application is being deployed in a linux server on tomcat.
As mentioned in the comment, MSI(managed identity) just works in the azure services that support MSI(need enable MSI first), when using MSI to auth, it essentially makes an API call to the azure instance metadata endpoint to get the access token, then use the token to auth, it is just available in the MSI-supported service. So in conclusion, you could not use this feature if you are not using azure cloud.

Unable to connect SQL Server db in Windows platform from open shift container platform

We hosted a .Net core 2.2 API in Red Hat Open shift container platform. API is using Entity Framework connecting to a SQL Server db on Windows Server, but both the container platform, SQL Server are on the same domain.
Now the API is unable to establish connection with the SQL server db. We tried with SQL Auth, but still the API hosted on container pod is trying to establish sql connection using kerberos, which has following issue.
System.Data.SqlClient.SqlException: Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with 'kinit' and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
Need some inputs on What are the additional setup, configurations required to connect SQL Server from open shift container platform ?
Right now there are no environment variables, config maps, additional drivers for SQL configured in the open shift container platform.
The problem with mine was the connection string. I had to remove "Trusted_Connection=true"

Using Power Desktop with an Azure VM and Enterprise Gateway

I am developing a report in PowerBI Desktop based on data hosted in an Azure SQL Server VM.
When publishing a report, I get the below error:
Publishing succeeded, but the published report cannot connect to the
data source because we were unable to find a gateway. Please install
and configure an enterprise gateway
I believe this is because the enterprise gateway is installed locally on my azure VM, however I'm accessing it from my desktop by going over the web and through the firewall. Therefore I believe the issue is that my pc acceses the machine at
mymachine.cloudapp.net
Whilst the enterprise gateway knows the machine as
netbios-name
Is there any way that I can upload a desktop report to powerBI web using this configuration? The other solution would be to get the machine and sql server to identify itself as "mymachine.cloudapp.net" so that I can use this as the name to connect to through the enterprise gateway, but I'm not sure how to do that (adding the alias to SQL Server isn't enough).
It's a bit hacky, but I've got a work around.
Open the server and edit your hosts file and add the following line:
127.0.0.1 mymachine.cloudapp.net
Make sure that mymachine.cloudapp.net has been configured in SQL Server as an alias.
In PowerBI, add a new enterprise gateway data source, this time, use mymachine.cloudapp.net to connect rather than netbios-name. You will need to use SQL Authentication to connect.
Obviously connecting PowerBI to an Azure VM in this way is not ideal, as it could potentially be unencrypted, but this works around the issue of different host names between PowerBI Desktop and Web.

SQL Server distributed login with windows authentication

I am new to SQL Server, I am planning to build a distributed application in Java for SQL Server. I am curious to know that if there is a way to handle the following scenarios:
UserA logs in on MachineA and chooses Windows authentication as credentials in app. My application's 2nd component is on MachineB (components communicate using RESTful web services) and MachineB has SQL Server installed on it. MachineB has the code to connect to SQL Server.
I want to know what are the steps to make this happen, is it possible to use windows authentication here?
UserA logs in on MachineA and uses Windows authentication, code to connect is on MachineB and SQL Server is on MachineC. What are the required steps here to make this happen, connection string and if I need to make any domain etc.
Assuming all machines are on the same DOMAIN, yes it will work. You may need to configure Kerberos (SetSPN) to make sure the service is trusted. You should check Microsoft® Kerberos Configuration Manager for SQL Server® from Microsoft. If Java is used from a Web site, you will also need to configure a SPN for this service as well. When it's all configured, To connect using Java, your ConnectionString should look like this:
jdbc:sqlserver://localhost;databaseName=AdventureWorks;integratedSecurity=true;
Hope it help.

Analysis Services database works with ASP.NET Development Server but NOT IIS

I have an ASP.NET application which needs to connect to Analysis Services database.
All components are on the same machine:
Web application
IIS
Visual Studio 2008
SQL Server 2008
My domain account (DOMAINNAME\MyWindowsUsername) is an administrator on the SQL Server and also in "Administrators" group on the local machine.
Web application uses Windows Authentication and identity impersonate="true".
My IIS Windows Authentication settings (I have also tried other combinations but no success...):
Extended Protection: Off
Enable Kernel-mode authentication: true
Enables Providers: NTLM
When I use web application on ASP.NET Development Server (deployed from Visual Studio) then everything works ok. My domain account and corresponding database roles are recognized correctly, and security is working as defined in database roles.
But, when I deploy the same web application (without any changes in code) to IIS I get error (in browser):
An error was encountered in the transport layer.
The peer prematurely closed the connection.
In SQL Profiler (for IIS case when connection fails) I get only these two events:
Audit Login MyWindowsUsername DOMAINNAME
Audit Logout MyWindowsUsername DOMAINNAME
It seems Analysis Services recognizes the impersonated account, but still the connection breaks.
I have noticed that ASP.NET Development Server runs under DOMAINNAME\MyWindowsUsername while IIS under LocalSystem (the default setting). I tried to play with the accounts, adding various system/network account as Analyis Services administrators (just to understand the logic behind this), but also with no success (always the same error).
You must use delegation to pass on the user credential from the web browser to SSAS,
http://msdn.microsoft.com/en-us/library/ff647404.aspx
ASP.NET Development Server simply runs under your log on account, which prevents you from noticing this issue earlier.

Resources