Customer has just implemented a new Azure SQL Database instance. They are using the 'Azure Active Directory Universal with MFA' (multi-factor authentication) security option. I am trying to connect to this database through Azure Data Factory, and nothing works. I've tried all 3 connection string variations, and I'm beginning to think programmatic access is not possible.
Has anyone run into this, and were you successful in connecting? If so, please elaborate -- I expect a lot more of us are going to start seeing this in our work.
Please follow below steps to configure Azure SQL Database Linked Service in ADF using service principal.
Go to Azure Active Directory in Azure Portal and click on App registration under Manage on left side options. Click on + New registration.
In new app registration page, just give Name to your app and click on register.
Once the app created, copy the, Application ID and paste it under Service principal ID in Linked Service. The tenant ID must be already there in Linked service. If not, you can copy that also and paste under Tenant in Linked Service.
For service principal key, you need to create the Secret for newly registered app. Go to Certificates and secret in new app, and click on + New client secret. Once created, copy the Value of the secret as shown below. Copy this Value under service principal key in Linked Service.
Now, before checking test connection, you need to set the registered app as server admin in SQL Server. Go to SQL Server, click on Azure Active Directory on left side. Click on Set admin option, search for the name of the app you have created above. Select the app. Click on Save option.
At last, just check your connection in Linked Service. It should work fine now. Refer below image.
Related
I'm designing a Single Page Application in React + .NET Core and now I'm facing with the concept of visibility related to the application profiles (for example Admin will see all data, Team Leader will see all the data related to his team and so on...).
My solution involves Row Level Security in Azure SQL Server using Azure Active Directory authentication (a AD group containing all the application users), however in this way a smart user can directly connect to the database doing what he prefers (because using this type of connection I must provide Read/Write permissions to the group). I want to avoid this!
So, there is a way to avoid direct connection to the database and limit AAD authentication only through web app? Or I must choose a different approach (using SESSION_CONTEXT for example)?
You can configure firewall rules of the Azure SQL to allow only the single page application (web app) to connect.
The steps are mentioned in the below stack overflow post:
Configure Azure SQL Database Firewall for just my Web App
I have an API that is hosting on IIS 7.5. The application pool is configured use a domain service account. Then, I grant the account full permission on the default site.
The API and the database are on different server.
I create a SQL Server login for the account and associate it with a user. The user is granted db_onwer to the database. SQL Server service is configured to run using that service account as well. However, The API can't connect to the database. The database log shows this error message "Login failed for user host\servername$. If host\servername$ is given access to the server, it would work fine. However, IT said no way.
Majority of the solutions that I have found online so far either gave permission to host\servername$ to the database or change the apppool to use network or local service, or use a username and password where the username is not a domain account user.
I have to use a domain name account, so I am struggling to find a solution.
There was an issue with the way the domain account was created. IT had to create another service account. Once I set up the app pool with the new server account, I had no issue.
Our SharePoint environment uses Claims Based Authentication - using
FBA for external users and AD for internal users.
I have not been able to connect using default credentials or Windows
authentication to a test SharePoint site using the SharePoint Client
Side Object Model (CSOM). I am able to connect using an FBA user but
require connecting using default credentials (assuming this is the
app pool id tied to the SharePoint application) or at least an AD
account.
The message I get when executing ClientContext.ExecuteQuery is - Cannot Contact Site at the Specified URL. I
have researched this extensively and have tried numerous suggestions including the following:
Using an event handler tied to the clientContext.ExecutingWebRequest
which adds to the WebRequest headers. Solution found here
https://social.technet.microsoft.com/Forums/office/en-US/16cd0e26-8f3b-4ef2-bac4-c2c59849ab96/authentication-in-clientcontext-in-sharepoint-2010?forum=sharepointdevelopmentprevious.
Using System.Net.CredentialCache.DefaultCredentials
Using System.Net.NetworkCredential passing in AD account
Thanks for any ideas or suggestions.
Tom
I should have mentioned that we are using SharePoint 2010 and that I'm trying to retrieve and update user profile properties. As I was beginning to code a solution to do this (using my FBA connected ClientContext), I read that in SharePoint 2010, you can only update user properties using the UserGroup web service. I get an Access Denied when trying to connect via the web service. I believe the ClientContext sits on top of the web services so the scenario/issue is the same. Again, any thoughts or suggestions are greatly appreciated.
Well, after much research, it seems that there is a solution. Adding a header to the request programmatically is the first step. The only issue is that in addition to adding the header, you must add an additional Windows authentication zone to SharePoint. I do not want to add another zone to our production environment.
Since the program I'm putting together accesses SharePoint and non-SharePoint databases, I would like to run it on a non-SharePoint server so I will most likely use an FBA account that is specifically created for this purpose.
In case anyone is interested, here is another link explaining how to add the header to the web request. You will receive an error - Object Moved without adding an additional zone. Here is a link which describes adding a zone.
I've managed to setup two virtual machines in my local windows 7 laptop. Both of them are Windows server 2008 R2. One acts as Active Directory Domain controller and also as Active Directory Federation Services, and one other as the web app server. This second one is where I've set up my claims aware asp.net mvc web application and I also plan to setup ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include :
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts login dialog box. Once I enter My AD account and password, it always gives me the following error message : "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work?? Any suggestion and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see an list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
I have a Sharepoint 2010 application with mysites, therefore I use User profile sync service.
I changed the authentication method from windows to claims based ( choosing forms), and made necessary updates on web.config and run the commands on powershall, so I am using LDAP.
My application works with forms based authentication now, no issues, but I can not authanticate to mysites as my user name format has changed from domain/username to
One option is to somehow map new ldap formatted user and windows ad users (do not know how??), or I need to create a new connection on the user profile sync service to connect to ad with forms authantication and import users with new format too (failed to do so, any idea what needs to be configured on domain controllers to do that? ). Although, this will cause that users would get 2 different mysites if they login with windows or forms based auth.
Any idea is appreciated.
Thanks.
You need to use Move-SPUser command to make that work. For more info check the MSDN Documentation.