Connecting to Snowflake using Node.js using federated authentication - snowflake-cloud-data-platform

Our Snowflake environment integration is enabled with Federated authentication using OKTA.
We are able to connect to Snowflake from Python using the parameters below, whereas from the Node.js server we don't see an option to pass the authenticator option.
accountname = xxxxx.west-us-2.azure
region = west-us-2.azure
username = yyy_xxxx_rrrr
password = "sdsdsdsdsds"
dbname = SAMPLE_DB
schemaname = STT
rolename = GBB_CREATE
warehousename = GBB_COMPUTE1
proxy_host = proxy.****.com
proxy_port = 80
**authenticator = "https://XXXXX.okta.com/"**
https://docs.snowflake.com/en/user-guide/nodejs-driver-use.html

SSO authentication is not supported for the Node.js driver, only for SnowSQL, the Python connector and the JDBC and ODBC drivers. For more information have a look here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-use.html#using-sso-with-client-applications-that-connect-to-snowflake

Related

PfSense randomly loses connection to Azure AD Domain Service

A few months ago we switched from using an on-prem AD to using Azure AD with the ADDS service.
Ever since then we have been having a problem with our pfSense machine. It is configured to authenticate through LDAP but sometimes loses the connection randomly. When this happens our users can't log in and can't use the company OpenVPN.
Our error messages on pfSense look like this:
/openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
We don't see error messages on Azure side.
Did anyone have a similar experience?
We use:
pfSense 2.4.4
Azure AD Domain Services - Standard SKU
Your configuration in the pfSense LDAP server settings should be as follows:
• Hostname or IP Address = or
• Port value = 389(636 if SSL/TLS)
• Transport = TCP - Standard
• Peer Cert Authority = No CA Identified
• Protocol Version = 3
• Server Timeout = 25
• Search Scope = Entire Subtree
• Base DN = Nothing here
• Auth Containers = (CN=Users,DC=my,DC=domain,DC=com)
• Extended Query = true
Query = memberOf=CN=<AD security group>,CN=Users,dc=<my>,dc=<domain>,dc=<com>
• Bind Anonymous = false
• Bind Credentials = (domain\user + password)
• User naming attribute = samAccountName
• Group naming attribute = cn
• Group member attribute = memberOf
• RFC 2307 Groups = false
• Group Object Class = posixGroup
• UTF8 Encode = false
• Username Alterations = false
Please check your configuration once and follow the links below for more clarification on configuring your pfSense with Azure AD:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps
Thanking you,

Azure VM SQL Server connection string

*** Apologies folks - I appended the wrong code; it is now replaced below.
I have a simple Visual Studio .NET web forms app. I run it on my Azure VM called dexram (Windows 10) and I also created a SQL Server on the Azure VM. There is a user on the VM called 5001211 that has admin authority in Windows. It can use SSMS to access the database no problems.
All my connection string attempts fail in the C# code. This is strange as the VS web app and the SQL Server are both running on the Azure VM.
Here are the strings I tried and the messages I got underneath:
string Server = "Data Source = dexram; Initial Catalog = FruitNVeg; User ID=5001211;Password=Fitsh3ly;";
This connection string throws an error:
Login failed for user '5001211'
string Server = "Data Source = tcp:dexram,1433; Database = FruitNVeg; User ID = 5001211@dexram; Password = Fitsh3ly; Trusted_Connection = False; Encrypt = True;";
The certificate chain was issued by an authority that is not trusted
string Server = "Data Source = tcp:dexram,1433; Authentication = Active Directory Integrated; Database = FruitNVeg;";
The certificate chain was issued by an authority that is not trusted
string Server = "Data Source = tcp:dexram,1433; Authentication = Active Directory Password; Database = FruitNVeg; UID=5001211@dexram;PWD=Fitsh3ly;";
The certificate chain was issued by an authority that is not trusted
Thanks Dan - no luck. I created it as per your suggestion and made 5001211 sysadmin and got the following results:
string Server = "Data Source = dexram; Initial Catalog = FruitNVeg; User ID=5001211;Password=Fitsh3ly;";
Gives --> Login failed for user '5001211'
string Server = "Data Source = tcp:dexram,1433; Database = FruitNVeg; User ID = 5001211@dexram; Password = Fitsh3ly; Trusted_Connection = True; Encrypt = True;";
Gives --> The certificate chain was issued by an authority that is not trusted
I am thinking I need to get a certificate created, as I think (?) my SQL calls from my VS app are going out over the internet (even though the two tools, VS and SQL Server, are on the same VM)?
You must first create a user in SQL Server, then use the connection string format below:
Data Source=instance name or use .;Initial Catalog=database name;User ID=created user in sql server;Password=your password
and do the setting below for the user.
User dexram\5001211 is a Windows account. Your app connection string specifies a SQL login named 5001211. You need to create a SQL login named 5001211 and an associated database user:
USE FruitNVeg;
CREATE LOGIN [5001211] WITH PASSWORD = 'Fitsh3ly';
CREATE USER [5001211];
The user will also need permissions on the objects the application uses in the FruitNVeg database. Although you could add the login to a privileged role like sysadmin to avoid granting these permissions, the best practice is to use a minimally privileged account for routine application database access that has only the required permissions:
USE FruitNVeg;
GRANT SELECT ON dbo.Apples TO [5001211];
As per this URL --> https://blog.greglow.com/2020/01/16/sql-sql-server-the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted/
I used the sql config manager and set "Trust Server Cert" to yes and that fixed the problem it seems

Add azure SQL Server login using terraform

Is it possible to add a user as Active Directory admin for an Azure SQL server using Terraform?
https://learn.microsoft.com/pt-br/azure/sql-database/sql-database-aad-authentication
I need this to enable users to authenticate through their company logins to a SQL server created using Terraform.
I've found this question:
Add azure SQL user with terraform
But it is not what I need; it creates a new user for a login. The Terraform docs regarding Azure do not document this action.
https://www.terraform.io/docs/providers/azurerm/r/sql_server.html
Please reference this link: Active Directory Admin for azurerm_sql_server:
Support for configuring Azure Active Directory Administrators for a SQL Server Database can be found in the azurerm_sql_active_directory_administrator resource.
azurerm_sql_active_directory_administrator:
Allows you to set a user or group as the AD administrator for an Azure SQL server.
Example usage:
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "example" {
  name                         = "mysqlserver"
  resource_group_name          = "${azurerm_resource_group.example.name}"
  location                     = "${azurerm_resource_group.example.location}"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_sql_active_directory_administrator" "example" {
  server_name         = "${azurerm_sql_server.example.name}"
  resource_group_name = "${azurerm_resource_group.example.name}"
  login               = "sqladmin"
  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
  object_id           = "${data.azurerm_client_config.current.object_id}"
}
Hope this helps.

SQL Server always encrypted database insert is working when logged on with user account but not when running through a proxy user

We have an SSIS package which accesses database columns that are encrypted using Always Encrypted.
This does not work when triggering the SSIS package through a SQL Agent job using a proxy user:
Failed to decrypt a column encryption key using key store provider 'mssql_certificate_store'
We have tried logging in to the server as the domain user and triggering the SSIS package manually, and we don't receive this error. So it seems that there is some issue accessing the certs when a proxy user is activating the SSIS package.
Code for the setup of the proxy user:
-- Credential holding the Windows identity the proxy will run under
CREATE CREDENTIAL [SSIS Credential]
WITH IDENTITY = N'DOMAIN\service_ssis_user', SECRET = N'DomainPassword';
GO

-- Create the SQL Agent proxy only if it does not already exist
IF NOT EXISTS (SELECT name FROM msdb.dbo.sysproxies WHERE name = N'SSIS Package')
BEGIN
    EXEC msdb.dbo.sp_add_proxy
        @proxy_name = N'SSIS Package',
        @credential_name = N'SSIS Credential', @enabled = 1;
    -- Subsystem 11 = SSIS package execution
    EXEC msdb.dbo.sp_grant_proxy_to_subsystem
        @proxy_name = N'SSIS Package', @subsystem_id = 11;
    -- Allow the service login to use the proxy
    EXEC msdb.dbo.sp_grant_login_to_proxy
        @proxy_name = N'SSIS Package',
        @login_name = N'DOMAIN\service_ssis_user';
END
GO
The aim is to get the SSIS package running as the domain user and able to access the certificates associated with this user.
Update:
The proxy user does not "log in" as the user that I have created credentials for; it simply uses the security context of the user to run the command. So it does not load their Windows user profile, which would happen when logging in directly as the domain user. And therefore the certs are not accessible when running via proxy. I don't know how to get around this issue, however.
The Windows user profile is not loaded when a proxy account is used. As a result, the certificates associated with the user are not accessible when running via proxy.

Azure AD B2C and SQL Server

I have Azure B2C set up using OpenID Connect. I also have a local SQL Server database. I know that the id_token (JWT) can contain the logged-in user's email, so my question is how do I get the user's email from the id_token and use it to run queries?
From within an ASP.NET Core application, you can do the following:
using Newtonsoft.Json.Linq;

var user = HttpContext.User;
var emailsClaim = user.FindFirst("emails");      // null if the token carries no "emails" claim
var emails = JArray.Parse(emailsClaim.Value);    // B2C flattens the claim to the JSON array's text
var firstEmail = (string)emails[0];
// firstEmail == "bob@gmail.com" based on the sample token
Sample Token
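To show the same claim handling end to end, here is an added example (not part of the answer above or of any Azure library): it builds a constructed, unsigned sample id_token, reads the B2C "emails" claim in both the JSON-array and flattened-string shapes, and looks the address up with a parameterized query. It assumes the OpenID Connect middleware has already validated the token's signature, issuer and audience, and uses an in-memory SQLite table standing in for the local SQL Server.

```python
import base64
import json
import sqlite3


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token for the demo only; a real B2C id_token is RS256-signed
    # and must be verified before any claim in it is trusted.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def extract_emails(id_token: str) -> list:
    # B2C emits "emails" as a JSON array; a claims principal may flatten it to the
    # array's JSON text (the JArray.Parse case above), so both shapes are accepted.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    emails = claims.get("emails", [])
    if isinstance(emails, str):
        emails = json.loads(emails)
    return [e for e in emails if isinstance(e, str)]


def lookup_user(conn: sqlite3.Connection, email: str):
    # The address comes from an external identity provider: bind it, never concatenate it.
    sql = "SELECT id, display_name FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the local SQL Server
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, display_name TEXT)")
    conn.execute("INSERT INTO users (email, display_name) VALUES (?, ?)", ("bob@gmail.com", "Bob"))
    return conn


def demo() -> tuple:
    token = make_sample_token({"sub": "1234", "emails": ["bob@gmail.com"]})
    first_email = extract_emails(token)[0]
    return first_email, lookup_user(build_demo_db(), first_email)
```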
