Azure SQL Server - Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' - azure

I am trying to log in to Query Editor in the Azure online portal. For some reason I have the below message under the Active Directory authentication area:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I can still log in using SQL server authentication and I can log in using SSMS from my local machine using Active Directory credentials.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Can someone surmise why I am getting this error?

If you have set the AD admin account like this tutorial Configuring an Active Directory (AD) administrator do:
When we using the Query Editor(preview), it will shows your AD authentication account:
Just click the 'continue as **#****.com', Query Editor will login your database with AAD authentication.
Hope this helps.

Related

Azure SSO login for external users

I'm developing system where any user can login through Microsoft Azure SSO.
I have done following
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Setup SSO with SAML using "https://simplesamlphp.org/"
Now everything is working fine for my account. But if I trying with other personal user (which I haven't added as guest user in my tenant), then it returns error
User account 'user#domain.com' from identity provider 'live.com' does not exist in tenant 'xxxx'
and cannot access the application in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
I want any personal Microsoft user can login through SSO (without adding it as guest user in tenant).
Thanks in advance!
I tried to reproduce the same in my environment and got the below results:
Please note that, if you are creating Enterprise Application in Azure AD b2c Tenant it will be authenticated via Azure Active Directory only not Azure AD b2c.
When I tried to login through Personal Account, I got the same error as below:
As Enterprise Applications authenticate via Azure AD, it is not
possible to authenticate users with personal Microsoft accounts
without adding them as Guest Users.
The only approach is that you add them as Guest users and login to SAML SSO without invitation.
Go to Azure Portal -> External Identities -> External collaboration settings -> Enable guest self-service sign up via user flows
On the left blade, Click on User flows -> New User Flow,
Once the user flow gets created successfully, click on the user flow, select applications and add your application like below:
And try signing to your application with Microsoft Personal Account.

Azure Active Directory exception thrown while fetching access token

I am trying to get graph api access token in my c# application using GetAccessTokenForUserAsync().
It throws below error :
Error = invalid_grant
Error_description = "AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/--/'
does not exist in tenant 'ABC' and cannot access the application '--**-****'(xyz-app) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the user and Application exists in the different tenants. Make sure to check the user exists in the Azure AD Application tenant. Try to sign-in and sign-out.
Check whether the sign-in URL you are making use is valid:
Multitenant applications
https://login.microsoftonline.com/organizations
Multitenant and personal accounts
https://login.microsoftonline.com/common
Personal accounts only
https://login.microsoftonline.com/consumers
Please check whether the guest user has been invited to the tenant like below:
Try clearing the browser cookies/log-in via Incognito.
You can also make use of domain_hint parameter which specifies from which domain Azure AD User should be from. You can configure from both client and server side.
If the issue still persists, please refer the below MsDoc:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory

Login failed for user '<token-identified principal>'. (Microsoft SQL Server, Error: 18456)

I get the error Login failed for user ''. (Microsoft SQL Server, Error: 18456) from Azure SQL server when a user tries to login using Azure Active Directory - Universal with MFA.
My Azure AD login is within a group, other members of the group can login to the database, but I get the error '<token-identified principal>'. (Microsoft SQL Server, Error: 18456), however If the user is added to the database, then I can login and it works.
create user [myUserName#contoso.com] from external provider
GO
EXEC sp_addrolemember N'db_datareader', N'myUserName#contoso.com'
I was wondering if there is a reason for this.
The error you are getting is an identical issue its already been raised over Microsoft Q&A Plateform a year ago.
You need to add the users to your SQL DB as AAD Users first to accces the Specifiv SQLServer.
The error "Microsoft SQL Server, Error: 18456 <token-identified-principal>" means that the user used to login to
SQL Server Management Studio is invalid. It is usually related to an
AAD user which is not added on SQL DB that you are trying to connect
(User DB or Master DB) or that the AAD user is not the AAD Server
Admin.
You just need to add an AAD user in Azure SQL DB. You can follow the
steps mentioned here:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities
Note : Use User UPN(name#domain.com) to access the SQL DB not logged on as this user: "domain\name.surname" on my environment.

Facing Login Issue of Local Accounts user with OpenId Connect in Azure B2C

1. I am trying to implement SSO through OpenIdConnect with AzureB2C but was facing some problem during login of Local Account Users with OpenId Connect which was configured on Azure B2C.
2.When i run our user flow and try to login with local account user credentials then it says user does not exist although i am able to login email default provider.
3.Since I am new to Azure and OpenID Connect so can you please guys help me out so that i can login Local Account Users with Open Id Connect in Azure B2C and how can i proceed further so that i can implement SSO with OpenIdConnect and Azure B2C?
What i have tried till now?
Created OpenId Connect as a Identity Provider.
Create app in app registrations.
Created a User Flow and selected both Local Account as well
previously created openid connect identity provider.
Try to run configured user flow but failed to login.
Images with order are attached
Here is an Azure AD B2C custom policy sample that demonstrates how to link a social account with a local account.

Active Directory Password Authentication for Azure SQL not working

I followed all the mentioned steps but couldn't get it to work with "Active Directory Password Authentication" for AD principal which is a contained user in my SampleDB. I get this error:
Cannot connect to sql01.database.windows.net.
ADDITIONAL INFORMATION:
Failed to authenticate the user user#customDomain.com in Active
Directory (Authentication=ActiveDirectoryPassword).
Error code 0xCAA20003; state 10
ID3242: The security token could not be authenticated or authorized.
(Microsoft SQL Server, Error: 0)
We are using Ping Federate as our federation provider.
To my surprise, "Active Directory Integrated Authentication" works for the same user. Do we need to open some firewalls or ports at our on-prem environment to make it work?
Please create a support case. ADAL.DLL had issues in the past with Ping Federate so the support team would be the best to look into it

Resources