I am simply trying to follow the steps here so that I can query an Azure Analysis Services model from C#. But in SQL Server Management Studio I fail to connect to the server when using "Active Directory - Password" authentication, getting error message "Unable to obtain authentication token using the credentials provided..."
I tried using the username displayed in Analysis Services Admins that looks like this: john.doe_outlook.com#EXT##johndoeoutlook.onmicrosoft.com
and the outlook e-mail address associated with the Azure account which is of this form john.doe#outlook.com.
The password I used is also my Microsoft account password. From researching, it is never made clear to me at all what password I should be typing in, where do I get it from? Or what exactly do I need to do here so that I can successfully connect?
Both usernames I tried result in this message:
Unable to obtain authentication token using the credentials provided. If your Active Directory tenant administrator has configured Multi-Factor Authentication or if your account is a Microsoft Account, please remove the user name and password from the connection string, and then retry. You should then be prompted to enter your credentials. (Microsoft.AnalysisServices.AdomdClient)
If I enter john.doe_outlook.com#EXT##johndoeoutlook.onmicrosoft.com as the username I get these messages:
user_realm_discovery_failed: User realm discovery failed (Microsoft.IdentityModel.Clients.ActiveDirectory)
The remote server returned an error: (400) Bad Request. (System)
and if I enter john.doe#outlook.com as the username I get these messages:
Sequence contains no elements (Microsoft.IdentityModel.Clients.ActiveDirectory)
I solved this by creating a new a app registration and selected
'Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)'
instead of
'Accounts in this organizational directory only (Default Directory)'.
When I connect to the server in SSMS, I select Active Directory with MFA support instead of Active Directory-Password, and I enter john.doe#outlook.com. And it connects.
Related
We are developing a ReactJs and NodeJs application where node has to authenticate AD users using LDAP.
We are able to complete the authentication successfully using LDAP,
But the requirement is, in On-prem users are already logged in to the AD and if they open our web it should login without asking credentials again, it it is not happening with LDAP integration.
Can some one please help me.
Thanks in advance.
To add SSO in on-prem Active directory login using LDAP, please follow below steps:
Go to Administration -> Applications and enable Single Sign-On -> click setting -> select LDAP method.
If you want your users to login without using credentials again, set the option to use only SSO authentication only.
UseResponse internal account is created, when a new user logs in against the LDAP server. If you don't want to send internal registration credentials, Disable Registration Email.
In addition to these, include basic settings of your connection:
Give hostname or IP of your LDAP server
Add ldaps:// to hostname when the server has secure connection
Give Base Distinguished Name for your AD with default value dc=localhost.
Enter administration credentials for the connection, if your LDAP server requires authentication.
For more in detail, please refer below link:
Using LDAP as a Single Sign-On (Active Directory) | Integrations | Help Center - UseResponse.
I am unable to do secure ldap search, to an azure ad instance
requirement: do ldapsearch over internet using ldaps protocol, and get info from Azure ad
my setup
azure in eval mode - domain name is the default option presented during creation, eg devopoutlook.onmicrosoft.com
created azure ad domain service - domain here is of the format xyz.abc.com (not a routable DNS)
Secure LDAP enabled with self signed certificate
added rules for incoming ldaps requests, noted down the public ip
created a user account, added to global administrator / AAD DC Administrators
reset the user's password - verified login works through portal.azure.com
when i attempt a ldapsearch to the public ip from my computer i see the below error
LDAPTLS_REQCERT=never ldapsearch -x -D "userx#devopoutlook.onmicrosoft.com" -W -H ldaps://x.x.x.x:636 -b "dc=devopoutlook,dc=onmicrosoft,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
packet capture shows an encrypted alert from client to server, after client handshake is done, hence i dont think its a cert related issue, i am unable to figure out if its a password issue, i am sure the password is correct
the user account is a cloud only account, so password hash sync should have happened after password reset (i have reset multiple times)
I have also done the same experiment with a onprem ad user, synced via AD connect. that gives the same error
Are there any steps i am missing, or am i expecting something that wouldn't work, please help
LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
On Workaround try with these
1) As you mentioned you using the Cloud only account
Cloud only account on an AAD tenant, you need to change the password on the account on the cloud account and wait ~30 minutes or so for the password to replicate before you can bind on AAD DS. change the password for that user before you can authenticate with LDAP. That is because AAD will not create the password hashes (it needs for NTLM and Kerberos authentication for LDAP) automatically for cloud-only users - but it creates them the next time the password is changed.
This topic is covered in the following article: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
2) The DN name for the user should be similar to how they are named in local Active directory
For example if I have named my AAD domain services instance domain as contoso.com , then the Domain container values for DN attribute would correspond to that just as in Local AD . Generally all the synced users to AAD domain services go to the container "AADDC Users" within Domain services instance so for a user in domain services it will be
CN=<firstName lastName>,OU=AADDC Users,DC=Contoso,DC=com
For more details refer this document:
3) Above error Returns when username is valid but password/credential is invalid.
Please verify that your given password is correct or not.
Reference:
For more details refer this document: Tutorial - Configure LDAPS for Azure Active Directory Domain Services | Microsoft Docs
deleting the AADDS and redeploying as user forest did the trick from what i understand, resource forest => there is no sync of user id between AAD and AADDS
after reviewing a lot on the internet, I can not find a solution.
I hope you understand me, my English is not the best ...
Issue:
I want to authenticate against SQL Server with a valid user for the domain (active directory) which I get it from the login (username and password) of my application (old application).
This user, which is logged into my application, is a user validated by Active Directory (LDAP) and is a member of a Group that has logging permissions on the SQL Server ("Domain \ Group_name").
Attempts:
So the problem is that if I use windows authentication (it works fine) I would be using the windows user and not the application user (it is not always the same user). On the other hand, if I use SQL Server authentication I have to create and maintain the passwords of these users separately from the domain ...
Question:
How do I authenticate to SQL Server with a user logged in to my application. User who is a member of a Domain Group, which has logging permission in SQL Server but is not always the user windows logued on?
EXAMPLE:
Users: usr1 and usr2 both valid domain users
Usr1 is a member of the group that has access to SQL Server.
Usr2 is NOT a member of the SQL Server access group (can not log in).
I want to log in Windows with usr2 and in the application with usr1. Both with domain credentials.
Thanks in advance.
The only solution than i can find was the "runas", like SqlZim saw.
Thanks.
I'm trying to connect to a local SQL Server database but it gives me this error:
Login failed for user 'DOMAIN\Username'.
When I open SQL server and look in the Security\Logins folder then I do see the user DOMAIN\Username. This is also the user that I use to login into Windows with.
My connection string looks like this:
<add name="ServerConfiguration"
connectionString="server=localhost; database=BN_Configuration;
Integrated Security=false; User ID=DOMAIN\Username; Password=123456;"
providerName="System.Data.SqlClient" />
Anyone any idea why I can't login with these credentials?
--
Note I wish to authenticate with a user that exists in the SQL Server database. So I do NOT want to do Windows authentication with Integrated Security set to false.
It looks like you are using a Windows credential as SQL Server credential. Try integrated security = true, and not to specify user ID and password.
In your connection string Integrated Security=false is saying user ID and password are specified in the connection for an account that exists in SQL Server but is NOT a domain user. When Integrated Security=true, the current Windows account credentials are used for authentication. If it's an application it will use the user who is currently logged in, and for a web application it all depends on how your application pool is set up.
You are mixing up the definitions by saying ``Integrated Security=false` but passing domain credentials which is not possible.
Using a domain account
Set Integrated Security=true
Remove the user id and password sections.
Map the domain account in SQL Server making sure to set Windows authentication
If it's a web application, make sure your application pool is set to run under that domain account.
Using a SQL Server Account
Set Integrated Security=false
Create a SQL login, making sure it uses SQL Server authentication
Set the User ID and Password properties of your connection string to be the same details you created above.
Note: Final point, make sure the user also has access to the database you are connecting to (in your case BN_Configuration).
We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website.
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're setup to allow delegation on this account and to allow it to impersonate another login which we want it to do. (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account.
We also set up the SPNs for the SrvWeb_iis account via the following command:
setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
The website pulls up, but the section of the website that makes the call to the database returns the message:
Cannot execute database query.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Any ideas or articles that cover this setup in detail would be extremely appreciated!
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
There are several possible reasons for kerberos failures which includes lack of SPN and duplicate SPN as well.
If SQL is running under custom account you would need to add SPN for SQL as well.
Also keep in mind, you should be adding SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
Try DelegConfig which would show what is missing if its SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887