I am attempting to log into an Azure SQL Database using SSMS. I need to be able to log into the database with Active Directory Integrated Authentication. When attempting to login:
I receive this error:
Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory (Authentication=ActiveDirectoryIntegrated).
Error code 0xCAA90002; state 10
WSTrust response does not have recognized SAML assertion. (.Net SqlClient Data Provider)
The following are true:
I am the Active Directory admin in the Azure SQL Server.
The Azure SQL Server Firewall accepts all IP addresses
I am specifying a database under the connection properties tab
I have .NET 4.6 and I'm using SSMS v17.1
Authentication works if I use "Active Directory Universal Authentication".
Any ideas?
Thanks.
This issue is with the AD Syncing options. In my environment, AD is not syncing passwords into the tenant. This prevents AD Integration Authentication and AD Password Authentication. The only authentication that works in this instance is AD Universal Authentication.
This may be due to the old API of ADALSQL.dll that is used by SSMS for Active Directory password. The fact that Active Directory Universal (which uses newer API from ADAL.net) works indicates the issue is in the AD library, not SQL.
I had the same error message, and it turned out to be caused by a password expiry.
As soon as I renewed the password, the error message disappeared.
Related
enter image description here
I get the error
Cannot open database "" requested by the login. The login failed. Login failed for user ''.
Please make sure you set "Allow access to Azure services" to ON on the firewall configuration of your Azure SQL Database.
Please take in consideration, that Azure AD admin sign in doesn't work with accounts that have 2-factor authentication enabled. In addition, Query editor doesn't support connecting to the master database.
WebLogic and LDAP are integrated, I can see users and groups in the Console security realm. Setup was minimal - simply added and set specs for an AD provider, nothing else.
However, all username combinations I've tried end up in wrong user/password in the analytics login screen, and "access denied" in the BI cluster log.
So what should be the username syntax that AD accounts are to enter? I am trying to allow any AD account to be able to login at this point.
UPDATED per #Chris request:
WL version 12.2.1
Documentation: very vague help screens from the WL console, missing the part I'm trying to figure out specifically
Error from the managed server log/obis1: BI security access is denied - web service credentials are invalid
The account works, however, in Windows Network, AD Server, and is visible inside WL with its specific AD group.
The correct answer to this: you can use the same exact credentials you would while logging to the AD server directly. Getting "invalid user/password" error can be indicative of a lot of other problems stemming from the LDAP Authenticator configuration.
I have my sql server 2008 setup with mixed mode authentication. I went into sql server and added a new login and referenced an active directory user.
But it seems like all the windows authentication based stuff only ever works with whatever was used to login to the operating system. So I'm outside their domain on my machine and I can't connect. But even if I remote desktop into the server itself, using a seperate remote desktop login, even on that machine, I can't login using the active directory user since in the login box, if I choose window auth, I can't specifiy a different name, and sql server auth says invalid login. I don't see how to supply a windows username and password JUST when logging into sql server.
And also, what about my .net apps? I don't want to hardcode a sql server auth username/password into my encrypted connection string, i want to hard code a windows active directory username/password into the connection string.
And then reporting services, aarrghhh.. Does reporting servies ONLY work with windows logins? If so, then I'm stuck with getting the above working. If not, how do I configure a sql server login to also let me access all our reports?
This is a really broad question; I'll give a survey of some of the different topics you address. I work in a hosting provider and we have many domains with no trusts between them, so I deal with this on a daily basis.
Yes, SQL Server Windows authentication really wants to use the credentials running the client application. You can work around this with the RunAs /netonly switch:
runas /netonly /user:domain\username “C:\Program Files (x86)\Microsoft
SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe”
Authentication for .NET apps is a big topic. Lots of options and chapters, if not books have been written on this.
Regarding Reporting Services: most of this access is through a browser. So this will use whatever credentials you supply to your browser. In IE this is controlled through the security zones and settings of whether your current credentials should be used or if you should be prompted.
Some clues:
If you're external user and SQL Server is in mixed mode it will be easier for you to have SQL login not mapped to AD user (so you use SQL auth and not Windows auth). You may have two SQL Logins - one for Windows auth, second for SQL auth.
If you don't your .NET apps have hard coded passwords use Windows auth and Trusted Connection mode in your ConnectionString. If your .NET app is a service create dedicated AD user then create SQL Login mapped to this AD user. Give your SQL User mapped to SQL Login permissions whatever it needs. Run service in context of dedicated AD user. If app is directly executed by users (.EXE file) also use Trusted Connection. Create AD security group for your app users. Create SQL "group" Login mapped to this AD group. Give your SQL "group" User mapped to SQL Login permissions whatever it needs.
It's not possible to provide login and password for SQL Login with Windows auth in ConnectionString. You use TrustedConnection for Windows auth and login/password for SQL auth.
You may play with switching context inside SQL session - EXECUTE AS, see: http://msdn.microsoft.com/en-us/library/ms181362.aspx
We are rolling out our first .net 4.0 entity framework application and are having an issue with security.
We have it working on our alpha site inside our development environment with the following setup:
SQL2005
IIS6
.NET 4.0
asp.net mvc 2
Entity Framework
NTLM
But when we moved it to our production environment for beta testing we are getting the following error via asp.net
SqlException (0x80131904): Cannot open
database "our database name"
requested by the login. The login
failed. Login failed for user
'Domain\User'.
The only difference between the between the 2 environments is we are using Kerberos instead of NTLM in our production environment. We have several other .net 3.5 sites using LinqToSql that run on both environments.
We have already done the following:
Replaced an active user on another test site with the user that is failing to make sure it isn't an issue with the way the user is set up. - worked
Dropped and re-added the user from sql2005 - did nothing
The issue appears to be related to .net 4.0 as this is our first...
The difference between NTLM and Kerberos is huge. With NTLM, you can use pass-through authentication with Kerberos you cannot. With Kerberos and Windows Authentication, you need to setup a Service Principal Name (SPN for short) that tells SQL Server that it can be accessed by whatever IIS account you use.
Understanding Kerberos and NTLM authentication in SQL Server Connections
Here's another article on setting up Kerberos. Jump down to the section titled "Configure a service principal name for the domain user account"
Based on the error message, 2 questions:
Does the login have access to the database in your production site?
Does the database that you specified in the connection string on the SQL server that is specified in the connection string?
These are the 2 most common causes of that issue. A Kerberos issue usually manifests itself in SQL Server a little differently.
Thanks,
Eric
I have a database with LDAP login enabled. It works fine when logging in through the PIA or when logging into app-designer through the application server.
I need to make app-designer allow me to login with 2-tier mode using LDAP authentication. Is this possible without customization?
I do not think this is possible. 2-tier logs directly into the database and more importantly, does not run the signon peoplecode that does call-outs for LDAP authentication. In fact, 2-tier is really just a Win32 app that runs no peoplecode - it isn't a peoplesoft "application." There is a user callout dll delivered with peoplesoft, and some scant documents on what you have to do to use it - but again, likely not going to meet your need. You may need to use the ldap synch online app engine job to pull in your ldap users to security tables if you want to use those login identities for 2-tier access.
The only delivered way to use LDAP Authentication for App Designer is to use connection 3-Tier through the app server. Only with the 3-Tier connection will the Signon PeopleCode be executed. With 2-Tier, there is no hook to the LDAP Server.
You could look at using the Grey Sparling Desktop Single Signon, which does integrate with App Designer and uses Windows and NTLM to grab Active Directory authentication. This would give you some degree of LDAP Authentication if you Windows machine authenticates with a domain. But it is an add-on product you would need to purchase.
Otherwise, as Epictetus mentioned, you can use the LDAP Username if you have it synced with your PeopleSoft database and use the local password stored in PSOPRDEFN.
One problem I have seen is that when using LDAP and 2 tier when you login with LDAP it somehow decrypts the password in PSOPRDEFN. The next login 2 tier by that same account throws the error cannot login please encrypt password using data movoer encrypt password *. If you encrypt that users password the same results happen following that users next LDAP login.