I have created an Access 2013 web app which creates an Azure SQL database behind the scenes on our O365 SharePoint web site. I can access this database using SSMS studio (I have the professional version not the express version).
I would like to link to the Azure database tables or be able to copy the database. The reason for this is that I cannot create views in the Azure database and the Access web app is too limited for our external reporting needs. We don't need to create views or tables in the Azure database we only need to access the information stored in its tables.
Whenever I try to right click on the Azure database to perform a task I receive the following error.
Cannot open server 'xxxxxxx' requested by the login. Client with IP address 'xxx.xxx.xxx.xxx' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range.
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=40615&LinkId=20476
The provided link is useless, it contains no information (There is no additional information about this issue in the Error and Event Log Messages or Knowledge Base databases at this time).
How do I take care of this error or how can I link to the Azure SQL database.
When viewing your database in the Azure management portal, there is an option on the right hand side that says Manage allowed IP addresses. That link will take you to a page where you can enter IP addresses that will be allowed through the firewall.
Here's a link to the MSDN article: How to: Configure Firewall Settings (Azure SQL Database)
Manage Server-Level Firewall Rules through Transact-SQL
Launch a query window through the Management Portal or through SQL
Server Management Studio.
Verify you are connected to the master database
Server-level firewall rules can be created, updated, or deleted from within the query window
To create or update server-level firewall rules, execute the sp_set_firewall rule stored procedure. The following example enables a range of IP addresses on the server Contoso.
EXEC sp_set_firewall_rule #name = N'ContosoFirewallRule', #start_ip_address = '192.168.1.1', #end_ip_address = '192.168.1.10'
Related
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code
A user is trying to connect to an Azure SQL Database via SQL Server Management Studio (SSMS v16.5.1).
The user's current IP address is not listed in the Azure SQL Server's firewall rules.
Because of this the user is shown the New Firewall Rule dialog.
When the user signs in using their Azure Active Directory (Azure AD) credentials they get an error message saying:
Account has no subscriptions
Clicking "Details" shows:
We experienced issues in connecting to Azure
Additional information:
login account does not have Azure subscriptions.
(Microsoft.SqlServer.Management.ApplicationAuthenticationManagement)
Why is the user getting this error message and how can they add a new firewall rule for their IP address?
Azure support have shared the below with me, based on an Azure documentation article.
Given an Azure SQL Server, only the Active Directory admin or SQL Server admin have permissions to add firewall rules at the server level.
The above error message (somewhat obscurely) indicates that the user is neither.
My personal experience also suggests that Azure AD accounts that are assigned as Subscription Co-administrators can also set firewall rules.
If, and only if, giving the user permissions is appropriate, this can be done by one of three ways:
Specifying the user as the SQL Server admin.
Setting the server's Active Directory admin to be an Azure Active Directory Group and making the user's AD account a member of this group.
Making the user a Co-administrator for the Subscription via https://manage.windowsazure.com/
Be sure to understand the security implications of each option before taking action.
Look at these two tutorials that will be live shortly (later on 1/13/2017):
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-aad-authentication-get-started
These tutorials discuss using server and database level firewall rules with SQL Server authentication and Azure Active Directory authentication.
I hope these help,
Carl
In Azure Portal (https://portal.azure.com/#resource/subscriptions/{Your-GUID}/resourceGroups/AdminPortalDev/providers/Microsoft.Sql/servers/wjidentityserver/databases/{Your-DATABASE_SERVER}/overview )
Select your database
Select "Overview"
"Set server firewall" on the toolbar
Add client IP on the toolbar
Then you will be able to connect from the new IP address.
I was able to add the IP address without being administrator.
The steps in more details are described in https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-tutorial#create-a-server-level-firewall-rule-in-the-azure-portal.
Other question Client with IP addres is not allowed to access the server Azuredb describes more meaningful message and the same resolution.
I am facing problem regarding database permissions. I have created my database named FCProject. I created a login for that database in SQL Server Management Studio. My login is working fine but all I want to restrict access to FCProject database through users who can log in to SQL Server through Windows authentication mode.
Because I want only FC login to be able to view or modify data of FC database in SQL Server Management Studio.
I have tried creating a login through Management Studio. Is there any problem in creating login? Or something else? Please help
You are mixing up two things that should be kept separate here:
A login is on the server level - it gives an account (a Windows account, or a SQL Server specific account) the permission to connect to this server
Each database can then define user for its own use - based on those logins.
So in your case, what you need to do is to:
create a number of logins on the server-level
create users in your FCLogin database for just those logins
and then you're fine - only those accounts that you've defined explicitly can access your FCLogin database and use it.
See the Stairway to SQL Server security series of articles on SQL Server Central (very well worth registering for their contents!) which explains all the ins and outs in great detail
I am trying to create a login system on an asp.net website which allows a user to register and log in the website. I require the registered user details to be stored on a database which I already have on Azure.
I have so far created the login system as shown here: http://msdn.microsoft.com/en-us/library/windowsazure/hh508981.aspx and the form works. However, when I log in to the azure management portal I cannot find the user's registered details. I also need to add more fields to the registration form in the database.
Does anyone know where I can view the registered users and how I can add more fields?
If you follow the same link you used to create your application you will see the schema that is used by SQL Azure to store this information as below:
Now if you want to access this database directly, what you really need is SQL Server Management Studio (SSMS) to connect with this Database and access it from your local machine. Follow this link below to download and configure SQL Azure studio locally so you can connect to SQL database and the modify the schema or look the records etc. Once you have SSMS connected with SQL Database, you can manage it like any other on-premise database.
Managing Windows Azure SQL Database using SQL Server Management Studio
Our custom SharePoint site uses a standard connection string (in web.config) to a remote sql server using a sql server authentication. I need to know if it is possible to change this connection to use a SharePoint service account instead of a sql server account. If so, how do specify the service account in the connection string and how do you create a login and user for an sp service account when that user does not exist on the sql server machine and nor is it available on Active Directory.
Update:
I think I need to use integrated security in the connection string and run db calls within SPSecurity.RunWithElevatedPrivileges block. If i use this as a delegate, what sp account will the code be executed under and how do i assign a sql server login to a sharepoint account on a remote machine. Any links to sample code or articles explaining this process would be helpful.
Thanks.
From the SQL Server side, you should create a domain account for Sharepoint in AD. Then you log in to SQL Server via Management Studio (SQL2005 or later), on the left hand side click on security tab, and add a new login - you'll enter the domain Sharepoint service account, and give it the relevant permissions to the databases it needs to access.
For the Sharepoint side, you probably can edit web.config but there must be a Sharepoint admin tool to take care of this properly.