App Service dev, staging and prod deployment slots and SQL DB all have system assigned managed identities.
Contributor roles have been assigned to managed identities at the subscription level.
SQL Server Contained users have been created and roles assigned for the App Service dev, staging and production slots:
SQL Server Contained Users
appsettings.json connectionStrings:
connectionStrings
AD DB Admin User created and added to SQLServer as a contained user.
Permissions added to AppService managed identity for dB1 and dB2 to SQL Server AppService Managed Identity Permissions
msi-validator returns success for token based connection from the web app to two different databases on the same sql server instance.
msi-validator success
Local and Azure deployment slot both return: SQLException Login failed for token-identified principal
Walked through https://social.technet.microsoft.com/wiki/contents/articles/53928.azure-ad-managed-identity-connecting-azure-web-app-and-slots-with-azure-sql-db-without-credentials.aspx and many other tutorials.
Still missing something...
Attempts to run the application using the managed identity connection string is consistently failing with the token-provider principal login failure error.
Confirmation of settings:
Confirmation of Settings
Please make sure the Azure Active Directory user is created on the Azure SQL Database. Please make you create the user in the Azure SQL Database following the steps mentioned here.
To create an Azure AD-based contained database user, connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [bob#contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [alice#fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
Make sure you are connect to the Azure SQL database and not to the master database on the Azure SQL logical server.
As per my understanding you are facing an error stating login fails for token-identified principal when trying to connect your Azure ap service managed identity with your Azure SQL Database.
Could you please try the below in order to mitigate the issue.
Make sure System managed Identity status is showing on your app.
on your app service Verify that your connection string under application settings is set to "Server=tcp:.database.windows.net,1433;Database=;"
Allow Azure services and resources to access this server” should be set as Yes in Firewalls and virtual networks settings in your Azure SQL DB, in case it was not set earlier during Azure SQL setup.
Please do let me know if that help mitigate the issue. If not, we will keep working on the same to get you unblock.
Related
I have a requirement where in I need to parameterize my Azure SQL/Azure Synapse linked service using 2 parameters 'DBServer' and 'DBName'. I configured my collaboration branch as below and everything works as expected in my Synapse workspace.
Even the linked service ARM template shows the connection string values as expected.
However when I publish the code (using the publish button in Synapse workspace), the code in the Synapse Live mode does not contain these parameters defined. Please see the snippet below.
Even the code in the TemplateParameter file of the publish branch is blank.
I tried removing the parameters and put in the actual values for Server and DBName, it still shows no values in the publish branch/Live mode. While I understand that the git mode does not store secrets, this case of mine does not have any secrets and I am authenticating via Managed Identity.
Is there a solution to deal with this scenario? I would not prefer to store the connection string in KeyVault and refer it back in the linked service as it does not make the solution completely dynamic.
I created Azure sql database and created synapse pool in Azure portal. I created SQL linked service in synapse pool with managed identity authentication.
to authenticate with managed identity, I created user in SQL database with synapse pool name using below query
create user [SynapsePoolName] from external provider;
ALTER ROLE db_owner ADD MEMBER [SynapsePoolName];
Image for reference:
Linked service:
I published the Linked Service with publish button.
Image for reference:
It published successfully.
When I open the linked service after publish, I am getting the parameters.
Image for reference:
I got the parameters in template also.
Image for reference:
It worked in my machine kindly check from your side.
i am replicating a database from one server to another, replication completed successfully but there is an application role on the source server which hasnt replication and now the application refuses to work without application role. I've tried creating new application role but it requires password which i dont have.
Is there a way to move the application role with the password and all securable to the new server?
I am trying to set the firewall rule for specific user account in my Azure SQL database. Currently I have two login accounts, “admin” and “user”. I want to open up the access to allow all “user” IP addresses to be able to access the database. Right now my firewall settings are blocking anyone trying to access the “user” account without having their IP address whitelisted. I’m unclear how to assign a firewall rule to a specific database login.
First make sure while creating the SQL Server in Azure, select Yes for Allow Azure services and resources to access this server in Networking settings.
Open the Azure SQL Server in SQL Server Management Studio.
Switch to the "master" database from the database selection box.
Create the Server Login by executing below statements.
CREATE LOGIN testLogin1
WITH PASSWORD = '<Strong_Password_Goes_Here>';
Now select the database for which you want to create the user. In another Query window, run the below statements to create the user.
CREATE USER [testLogin1]
FROM LOGIN [testLogin1]
WITH DEFAULT_SCHEMA=dbo;
At last give the db_owner permission to the new user.
ALTER ROLE db_owner ADD MEMBER [testLogin1];
Now just go to your Azure Database Query editor, and login with new user and password. It will login.
Case
I want to work with Azure SQL Server, as noted in the best practices how to secure Azure SQL Server it is good to use AAD account for accessing your server/database instead of SQL Accounts.
I read several posts on the documentation site of Microsoft and blogs, but I cannot find that it is possible to disable/remove the Server Admin account, after you have the Azure SQL Server and an created AAD SQL Administrator and attached it to Azure SQL Server.
I know Server Admin Login and Password is mandatory, when you create the Azure SQL, but I hoped it was possible to delete after creation of server and AAD SQL Admin.
Why do I want this?
There are enough companies who have to rule (inherited from the on-prem) that accounts must be controlled by a centralized Identity Store, such as AAD.
Password rotation must be done, it is a lot easier when you have a centralized identity Store instead that you have to do it for a lot of Azure SQL Servers.
Question
Is it possible to disable the SQL Server Admin (sql account)?
I don't believe it is (or can be) possible to disable the SQL Server Admin.
The Azure Subscription Owner and the AAD SQL Admin identity have joint ownership of the Azure SQL Server. Either one needs to be able to re-acquire administrative access to the server.
And the mechanism that the Azure Subscription Owner uses to force their way into their own database is to reset the SQL Server Admin password from the Azure Portal.
This is roughly analogous to how a Windows Administrator can force sysadmin access to a SQL Server by starting the service in single-user mode.
I think the best you can do is to throw away the SQL Server Admin's password, so no one could log in using that account without first resetting the password in the portal. EG run:
declare #sql nvarchar(max) = concat(N'alter LOGIN [youradmin] WITH PASSWORD=N''',newid(), N'''')
exec (#sql)
Update 06/21:
Microsoft released Azure Active Directory only authentication for Azure SQL which effectively disables the possibility to use any SQL user for authentication.
Note the caveats
Azure AD-only auth is supported at the Azure SQL server level
This means that when this mode is enabled, all databases that belong to this server can only be accessed using Azure AD
authentication
Enabling Azure AD-only auth does not remove existing SQL logins or SQL users based on these logins. They continue being stored in SQL
metadata, but cannot be used for SQL authentication
Even though the Azure AD-only auth is enabled, with proper SQL permissions for Azure AD users, SQL logins and SQL users can be
created. However, the authentication process to connect to Azure SQL
using SQL logins/users will fail
Azure AD users with proper permissions can impersonate existing SQL users
Impersonation continues working between SQL authentication users even though the Azure AD-only auth feature is enabled. This is
consistent to the way impersonation works today, where even disabled
users can be impersonated.
Microsoft is working on allowing so called "AAD-only authentication" which will effectively disable the server admin login, as the complete SQL authentiction is disabled.
Below is the steps i have took to publish my Website to Azure. I have two data connections the "defaultconnection" for users tables log in register etc. The other is a connection to an Azure Sql Database.
On Azure i created a new app service.
In Visual Studio i click on project and select publish.
In the publish Web window that pops up i select Microsoft Azure Web Apps.
In the following window i select the app service i created in Azure.
In the settings window it shows the two connection database connections.
They both have the same connection string which is the Azure hosted Database. I am not sure what to change the connection string to for the users table. I created a SQL database in azure and connected that to the app service then used that connection string for the "defaultconnection". The string is below
Server=tcp:userauthen.database.windows.net,1433;Data Source=userauthen.database.windows.net;Initial Catalog=USERAUTH;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
I published to azure and am able to go through the pages but as soon as i try to interact with the database i get an internal server error 500.
I tried publishing the website without userlogin so i could see if it connected to the Azure sql database but i still get the internal server error 500. I am really stuck at this point and any assistance would be helpful.
So i changed the firewall settings to allow certain IP address and it worked. I can access both my databases.