Connecting to Azure Database for PostgreSQL using Azure AD - azure-active-directory

We are trying to connect to an Azure Postgres DB using AD and followed the instructions provided in the documentation URL below: https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-sign-in-aad-authentication
Getting the error below while connecting to the Postgres DB. I manually validated the object ID and tenant ID of the user, and the tenant ID of the token we got using this "az account get-access-token --resource https://ossrdbms-aad.database.windows.net" command. Both seem fine. Still getting the error below:
Azure AD access token not valid for role xxxxx@tenant.onmicrosoft.com (oid or appid claim does not match 9d8b7b0a-9139-4c86-a5f1-ed39134b8699)
HINT: Did you specify the correct user name and access token?
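The server is comparing a claim inside the token with the identity the role was created for, so the quickest check is to decode the token's claims locally and compare them the same way. The following is an added Python example, not code from the question or from Microsoft's documentation. The tenant ID and the "other" object ID are constructed, the role ID is the one quoted in the error, and the sample token is built unsigned in-place purely so the inspection runs offline; with a real token, pass the accessToken string that az account get-access-token prints.

```python
import base64
import json
import time
from typing import List, Optional

# Audience the Azure Database for PostgreSQL AAD flow expects; it is the
# resource the question passes to "az account get-access-token".
POSTGRES_AUDIENCE = "https://ossrdbms-aad.database.windows.net"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token with the shape of an AAD access
    token so the inspection code can be exercised offline. The signature
    segment is a placeholder; nothing here verifies signatures."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it. Verification is
    the server's job; this only shows what the server will see."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_role(token: str, expected_principal_id: str,
                         expected_tenant_id: str,
                         now: Optional[float] = None) -> List[str]:
    """Compare the claims the PostgreSQL server checks against the identity the
    role was created for. Returns the mismatches; an empty list means the claims
    line up with the role."""
    claims = decode_claims(token)
    problems: List[str] = []
    now = time.time() if now is None else now

    aud = claims.get("aud", "")
    if aud.rstrip("/") != POSTGRES_AUDIENCE:
        problems.append(f"aud is {aud!r}, expected {POSTGRES_AUDIENCE!r}")

    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the expected tenant")

    # A user token carries the user's object id in "oid"; a service principal
    # token carries the application id in "appid". The server accepts either,
    # but it must equal the id stored for the role.
    candidates = {claims.get("oid"), claims.get("appid")} - {None}
    if expected_principal_id not in candidates:
        problems.append(
            f"neither oid nor appid ({sorted(candidates)}) matches the role's id "
            f"{expected_principal_id}"
        )

    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token is expired")
    return problems


# Constructed sample values (not from the question), except ROLE_OID, which is
# the id quoted in the error message.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ROLE_OID = "9d8b7b0a-9139-4c86-a5f1-ed39134b8699"
OTHER_OID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

GOOD_TOKEN = make_sample_token({
    "aud": POSTGRES_AUDIENCE, "tid": TENANT_ID, "oid": ROLE_OID,
    "upn": "user@tenant.onmicrosoft.com", "exp": int(time.time()) + 3600,
})
MISMATCHED_TOKEN = make_sample_token({
    "aud": POSTGRES_AUDIENCE, "tid": TENANT_ID, "oid": OTHER_OID,
    "upn": "user@tenant.onmicrosoft.com", "exp": int(time.time()) + 3600,
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("mismatched", MISMATCHED_TOKEN)]:
        print(name, check_token_for_role(tok, ROLE_OID, TENANT_ID) or "ok")
```

The usual cause of the error in the question is that the token's oid (or appid) belongs to a different principal than the one the role was mapped to, for example a token obtained as the logged-in user for a role created for a service principal, or the other way round; the mismatch line from the check shows exactly which ids disagree.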

Related

connect to azure Synapse via AAD authentication in Tableau

We are trying to connect to Synapse from Tableau via AAD authentication, but are getting the following error (screenshot), even though I am the AAD owner and have owner permission in the database. Is there any configuration we need to do in AAD, etc.? Any pointers would be really helpful.
Enter the correct details as below:
You can get the server name from the properties of the Synapse workspace as below; just copy and paste them into the connection window:
Make sure your AAD admin is set on your workspace:
Connected successfully.

azure ad ldapsearch invalid credentials

I am unable to do a secure LDAP search against an Azure AD instance.
Requirement: do an ldapsearch over the internet using the LDAPS protocol and get info from Azure AD.
My setup:
Azure in eval mode; the domain name is the default option presented during creation, e.g. devopoutlook.onmicrosoft.com
Created an Azure AD Domain Services instance; the domain here is of the format xyz.abc.com (not a routable DNS name)
Secure LDAP enabled with a self-signed certificate
Added rules for incoming LDAPS requests and noted down the public IP
Created a user account and added it to Global Administrator / AAD DC Administrators
Reset the user's password; verified login works through portal.azure.com
When I attempt an ldapsearch to the public IP from my computer I see the error below:
LDAPTLS_REQCERT=never ldapsearch -x -D "userx@devopoutlook.onmicrosoft.com" -W -H ldaps://x.x.x.x:636 -b "dc=devopoutlook,dc=onmicrosoft,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
A packet capture shows an encrypted alert from client to server after the client handshake is done, hence I don't think it's a cert-related issue. I am unable to figure out if it's a password issue; I am sure the password is correct.
The user account is a cloud-only account, so password hash sync should have happened after the password reset (I have reset it multiple times).
I have also done the same experiment with an on-prem AD user synced via AD Connect. That gives the same error.
Are there any steps I am missing, or am I expecting something that wouldn't work? Please help.
LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
As a workaround, try these:
1) As you mentioned, you are using a cloud-only account.
For a cloud-only account on an AAD tenant, you need to change the password on the cloud account and wait ~30 minutes or so for the password to replicate before you can bind on AAD DS. That is because AAD will not automatically create the password hashes (which it needs for NTLM and Kerberos authentication for LDAP) for cloud-only users, but it creates them the next time the password is changed.
This topic is covered in the following article: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
2) The DN for the user should be similar to how they are named in local Active Directory.
For example, if I have named my AAD Domain Services instance domain contoso.com, then the domain container values for the DN attribute would correspond to that, just as in local AD. Generally all the synced users in AAD Domain Services go to the container "AADDC Users" within the Domain Services instance, so for a user in Domain Services it will be:
CN=<firstName lastName>,OU=AADDC Users,DC=Contoso,DC=com
For more details refer to this document:
3) The above error is returned when the username is valid but the password/credential is invalid.
Please verify that your given password is correct.
Reference:
For more details refer to this document: Tutorial - Configure LDAPS for Azure Active Directory Domain Services | Microsoft Docs
Deleting the AADDS and redeploying as a user forest did the trick. From what I understand, with a resource forest there is no sync of user IDs between AAD and AADDS.
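Two of the checks in the answer above, reading the "data" sub-code in the bind diagnostic and deriving the DN and search base from the managed domain name, can be scripted so the same mistake is caught before the next attempt. The following is an added Python example, not code from the question or the answer. The sub-code table is the standard Active Directory one (52e is the code in the question) and it goes beyond that one case by covering the other common sub-codes; the domain names, display name and the sample diagnostic string are constructed.

```python
import re
from typing import Dict, Optional

# Sub-codes Active Directory (and AAD DS, which is AD-compatible) places after
# "data" in a bind failure's diagnostic message. 52e is the one in the question.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials: username valid, password wrong (or hash not yet replicated)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


def parse_ad_bind_error(message: str) -> Optional[Dict[str, str]]:
    """Pull the 'data' sub-code out of an ldap_bind diagnostic and translate it."""
    match = BIND_ERROR_RE.search(message)
    if match is None:
        return None
    code = match.group("data").lower()
    return {"data": code, "meaning": AD_BIND_DATA_CODES.get(code, "unknown sub-code")}


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for a value used inside an RDN (e.g. CN=Doe\\, John)."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def base_dn(managed_domain: str) -> str:
    """DC= components for the AAD DS managed domain, e.g. contoso.com."""
    return ",".join(f"DC={label}" for label in managed_domain.split("."))


def aaddc_user_dn(display_name: str, managed_domain: str) -> str:
    """Synced users live in the 'AADDC Users' OU of the managed domain."""
    return f"CN={escape_rdn_value(display_name)},OU=AADDC Users,{base_dn(managed_domain)}"


def search_base_matches_domain(search_base: str, managed_domain: str) -> bool:
    """The question searched dc=devopoutlook,dc=onmicrosoft,dc=com while the
    managed domain was xyz.abc.com; the base must follow the managed domain."""
    return search_base.lower() == base_dn(managed_domain).lower()


# Constructed diagnostic in the shape of the question's ldapsearch output.
SAMPLE_BIND_ERROR = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C09044E, comment: "
    "AcceptSecurityContext error, data 52e, v2580"
)

if __name__ == "__main__":
    print(parse_ad_bind_error(SAMPLE_BIND_ERROR))
    print(aaddc_user_dn("Doe, John", "contoso.com"))
    print(search_base_matches_domain("dc=devopoutlook,dc=onmicrosoft,dc=com", "xyz.abc.com"))
```

A 52e against an account whose password was just reset in the portal is consistent with the hash not having replicated yet, which is the first point of the answer; a 525 would instead point at the DN or search base, which is the second.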

Is it possible to connect to snowflake in Azure Databricks using Oauth token from an existing Service Principal?

I am trying to connect to Snowflake in Databricks using an Azure access token generated from an existing Service Principal (not using the documentation's method to create one, as I don't have the permissions to). Currently I am receiving the error "Invalid OAuth access token".
I believe the solution is that I need Snowflake to grant access to the service principal; however, I am not sure how to do this or if it is even possible.
According to this Snowflake document, programmatic SSO with Federated Authentication (like you would need in a Databricks notebook) is only available for the Okta identity provider, even though Microsoft Azure Active Directory is among their supported identity providers.

How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server

I am simply trying to follow the steps here so that I can query an Azure Analysis Services model from C#. But in SQL Server Management Studio I fail to connect to the server when using "Active Directory - Password" authentication, getting the error message "Unable to obtain authentication token using the credentials provided..."
I tried using the username displayed in Analysis Services Admins, which looks like this: john.doe_outlook.com#EXT#@johndoeoutlook.onmicrosoft.com
and the Outlook e-mail address associated with the Azure account, which is of the form john.doe@outlook.com.
The password I used is also my Microsoft account password. From researching, it is never made clear to me what password I should be typing in; where do I get it from? Or what exactly do I need to do here so that I can successfully connect?
Both usernames I tried result in this message:
Unable to obtain authentication token using the credentials provided. If your Active Directory tenant administrator has configured Multi-Factor Authentication or if your account is a Microsoft Account, please remove the user name and password from the connection string, and then retry. You should then be prompted to enter your credentials. (Microsoft.AnalysisServices.AdomdClient)
If I enter john.doe_outlook.com#EXT#@johndoeoutlook.onmicrosoft.com as the username I get these messages:
user_realm_discovery_failed: User realm discovery failed (Microsoft.IdentityModel.Clients.ActiveDirectory)
The remote server returned an error: (400) Bad Request. (System)
and if I enter john.doe@outlook.com as the username I get this message:
Sequence contains no elements (Microsoft.IdentityModel.Clients.ActiveDirectory)
I solved this by creating a new app registration and selecting
'Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)'
instead of
'Accounts in this organizational directory only (Default Directory)'.
When I connect to the server in SSMS, I select "Active Directory with MFA support" instead of "Active Directory - Password", and I enter john.doe@outlook.com. And it connects.

AAD Claims UPN vs On-Premise AD UPN

I thought UserPrincipalNames (UPNs) were single-valued per user in the directory, but when I run an LDAP query for a specific user, I get the UPN AO0S0020@mydomain.local,
and when running an OAuth (OpenID Connect) authorization against Azure AD (which is synced using AD Connect), I see that the UPN claim for the same user is nati@mydomain.com.
What am I missing here?
You are missing the concept of Alternate Login ID.
It seems your Azure AD Connect is configured with Alternate Login ID, hence the difference.
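The mechanism in the answer above can be shown with a small identity-correlation check: a join on on-prem UPN fails for a tenant synced with Alternate Login ID, a join on the configured source attribute succeeds, and the ImmutableId derived from objectGUID is a stabler key than either UPN. The following is an added Python example, not code from the question or from Azure AD Connect. The directory entries and GUIDs are constructed, and the assumption that mail is the configured Alternate Login ID attribute (the common choice) is the example's, not something the question states.

```python
import base64
import uuid
from typing import Dict, List, Optional

# Constructed on-prem AD entries (not from the question). The non-routable
# ".local" UPNs next to routable mail addresses mirror the situation described.
ONPREM_USERS: List[Dict[str, str]] = [
    {"sAMAccountName": "nati", "userPrincipalName": "AO0S0020@mydomain.local",
     "mail": "nati@mydomain.com", "objectGUID": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
    {"sAMAccountName": "dana", "userPrincipalName": "AO0S0021@mydomain.local",
     "mail": "dana@mydomain.com", "objectGUID": "12345678-1234-5678-1234-567812345678"},
]


def expected_cloud_upn(entry: Dict[str, str],
                       alternate_login_id_attr: Optional[str] = None) -> str:
    """What Azure AD Connect will write as the cloud userPrincipalName. By
    default it copies the on-prem UPN; with Alternate Login ID configured it
    takes the chosen attribute (commonly mail) instead."""
    attr = alternate_login_id_attr or "userPrincipalName"
    value = entry.get(attr)
    if not value:
        raise ValueError(f"entry {entry.get('sAMAccountName')} has no {attr}")
    return value.lower()


def find_by_upn_claim(upn_claim: str, directory: List[Dict[str, str]],
                      alternate_login_id_attr: Optional[str] = None) -> Optional[Dict[str, str]]:
    """Correlate a token's upn claim back to the on-prem entry. Without the
    alternate attribute, a claim like nati@mydomain.com matches nothing."""
    wanted = upn_claim.lower()
    for entry in directory:
        if expected_cloud_upn(entry, alternate_login_id_attr) == wanted:
            return entry
    return None


def immutable_id(object_guid: str) -> str:
    """ImmutableId (onPremisesImmutableId): base64 of the objectGUID's byte
    array as AD stores it, which is the little-endian field order (bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(value: str) -> str:
    """Inverse of immutable_id, for reading an ImmutableId back into a GUID."""
    return str(uuid.UUID(bytes_le=base64.b64decode(value)))


def find_by_immutable_id(value: str, directory: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Join on the immutable key instead of a UPN that may be renamed."""
    for entry in directory:
        if immutable_id(entry["objectGUID"]) == value:
            return entry
    return None


if __name__ == "__main__":
    claim = "nati@mydomain.com"
    print("join on on-prem UPN:", find_by_upn_claim(claim, ONPREM_USERS))
    print("join on mail:", find_by_upn_claim(claim, ONPREM_USERS, "mail")["sAMAccountName"])
    print("ImmutableId for nati:", immutable_id(ONPREM_USERS[0]["objectGUID"]))
```

When an application needs to tie a cloud sign-in back to an on-prem record, the upn claim is only a reliable key if the code knows which attribute Azure AD Connect sources it from; the objectGUID/ImmutableId pair survives both UPN renames and a later change of the Alternate Login ID setting.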
