I am trying to get Azure AD Authentication working against my Azure SQL Database.
I created a PaaS database and its associated PaaS Sql Server.
I assigned MY Azure AD account as "Active Directory admin" of the "PaaS Sql Server".
Next, I logged in to SSMS using MY domain account to create the user:
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
GO
sp_addrolemember db_datareader, [xxx#yyy.com];
GO
sp_addrolemember db_datawriter, [xxx#yyy.com];
GO
When I attempt to log in with the xxxxx#yyy.com account, I get back:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (.Net SqlClient Data Provider)
Server Name: zzzzz.database.windows.net
Error Number: 18456
Severity: 14
State: 1
Line Number: 65536
What am I missing?
Weird observation: if I intentionally use the wrong password, I get back this error:
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password, which tells me the AD is somehow working, but something is broken in the overall process.
Another weird observation:
If I add a valid AD account, it succeeds
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
If I generate a bad AD account
CREATE USER [xxxABC#yyy.com] FROM EXTERNAL PROVIDER;
I get back:
Principal 'xxxABC#yyy.com' could not be found or this principal type is not supported.
From a "similar post":
The Anonymous Logon error occurs when you haven't specified the database you want to connect to. Simply select "options" on the SSMS login screen and type in the database name you want to connect to. This is because your user is a contained user on the database it was created in. It does not exist on Master. – Greg Grater Mar 7 '17 at 1:23
This fixed my issue -- hours wasted!!!
Note: for ODBC connections the user must also be created in master.
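The pitfall in the accepted comment above is easy to catch before the first failed login: a user created with CREATE USER ... FROM EXTERNAL PROVIDER is contained in one database and does not exist in master, so a connection string that names no database (or names master) ends in the 'NT AUTHORITY\ANONYMOUS LOGON' failure. The following is an added example, not code from the original post; it parses a SqlClient-style connection string (the standard Initial Catalog/Database, Server, Authentication, User ID/Password keywords and their synonyms) and reports that mistake. The sample connection strings are constructed for this example.

```python
"""Added example (not from the original post): flag connection strings that
will hit the contained Azure AD user pitfall described above.
Keyword names are the standard SqlClient ones; sample strings are constructed."""


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Sufficient for the keys checked here; quoted values are not handled."""
    parsed = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        parsed[key.strip().lower()] = value.strip()
    return parsed


# Synonyms SqlClient accepts for the same setting.
DATABASE_KEYS = ("initial catalog", "database")
SERVER_KEYS = ("server", "data source", "address", "addr", "network address")
USER_KEYS = ("user id", "uid", "user")
PASSWORD_KEYS = ("password", "pwd")


def check_aad_connection_string(conn_str: str) -> list[str]:
    """Return a list of problems; an empty list means the string names a user
    database and carries what the chosen Azure AD authentication mode needs."""
    kv = parse_connection_string(conn_str)
    problems = []

    auth = kv.get("authentication", "").replace(" ", "").lower()
    if not auth.startswith("activedirectory"):
        problems.append("Authentication= is not an Active Directory mode; "
                        "an Azure AD login will not be attempted")
        return problems

    if not any(k in kv for k in SERVER_KEYS):
        problems.append("no Server=/Data Source= given")

    database = next((kv[k] for k in DATABASE_KEYS if k in kv), "")
    if not database or database.lower() == "master":
        problems.append(
            "no user database given (Initial Catalog=/Database=): a contained "
            "Azure AD user does not exist in master, so the login surfaces as "
            "'NT AUTHORITY\\ANONYMOUS LOGON' and fails with error 18456")

    # Active Directory Password needs an explicit UPN and password;
    # the Integrated/Interactive modes take the identity from elsewhere.
    if auth == "activedirectorypassword":
        if not any(k in kv for k in USER_KEYS):
            problems.append("Active Directory Password needs User ID=<upn>")
        if not any(k in kv for k in PASSWORD_KEYS):
            problems.append("Active Directory Password needs Password=")
    return problems


# Constructed samples: the same login with and without the target database.
MISSING_DATABASE = ("Server=tcp:zzzzz.database.windows.net,1433;"
                    "Authentication=Active Directory Password;"
                    "User ID=xxx@yyy.com;Password=secret;Encrypt=True")
WITH_DATABASE = MISSING_DATABASE + ";Initial Catalog=MyDatabase"

if __name__ == "__main__":
    for label, s in (("missing database", MISSING_DATABASE),
                     ("with database", WITH_DATABASE)):
        print(label, "->", check_aad_connection_string(s) or "ok")
```

The same check applies to the SSMS dialog: the "Connect to database" field under Options is the Initial Catalog; for ODBC, where the note above says the user must also exist in master, the check is necessary but not sufficient.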
I have a new Azure AD
I've switched my subscription over to it
I created a SQL Server managed instance
I went to the SQL Server MI, and to the active directory admin section of the MI.
I attempted to grant read permissions to the AD via the "click here to grant read permissions" link.
I received the following error
Any clues?
When you click Grant permissions, it should automatically take the objectId of the user who is logged in to the portal, check whether that user has the Global administrator / Directory Reader role (Preview) in the tenant or subscription, and then perform the operation.
But as you have created a new AD tenant and added it to the subscription, the sync between tenant and subscription sometimes fails, and as the error "Invalid object Identifier null" says, it fails to get the user details.
So the issue can be fixed by logging in to the portal from a private browser window, or by signing out of the portal, clearing the browser cache and logging in again.
This server '/' error pops up in my application if the user is signed in to another AAD account with a different domain. Is there a way to make the Azure website redirect back to the login page so he/she can sign in with the proper user account instead of showing this error?
"OpenIdConnectMessage.Error was not null, indicating an error. Error: >'access_denied'. Error_Description (may be empty): 'XXXYYY00000: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'XXXX' and cannot access the application '00X1XXX0-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(00000_website.azurewebsites_XXXX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Timestamp: 2019-09-11 02:31:47Z'. Error_Uri (may be empty): 'https://login.microsoftonline.com/error?code=90072'."
So you are using a single tenant to let only your tenant's users log in, right? If you don't want to get this error message, you can detect the error in your code and redirect to the login page directly.
However, I think this error page is needed, since it tells us clearly why we cannot log in. Then we can log in with the correct account.
As part of an Azure SQL database automation solution, I'm trying to create Azure SQL database users mapped to Azure AD Identities, using a service principal.
The result is an error message saying: Principal 'AAD_User_UPN_or_Group_Name' could not be found at this time. Please try again later.
The database users can be created using my own user account, following exactly the same procedure.
Please find more details below:
The service principal is a member of an Azure AD security group
The group is set as the Active Directory Admin of an Azure SQL server
My own user account is also a member of this group
The service principal has Directory Reader and Directory Writer role in the Azure Active Directory
My own user account is a regular member without any admin role in the Azure Active Directory
The service principal executes following T-SQL statement inside the Azure SQL database:
CREATE USER [AAD_User_UPN_or_Group_Name] FROM EXTERNAL PROVIDER;
The returned error message is:
Principal 'AAD_User_UPN_or_Group_Name' could not be found at this time. Please try again later.
When the same T-SQL statement is triggered by my own user account, it runs successfully and the user is created.
Your help or suggestions are highly appreciated.
I opened a ticket with Azure support and they gave me this solution.
The sql statement needs to be:
-- type X for AAD Group
create user [myAADGroupName] with sid = <sid>, type = X;
-- type E for AAD User or Service Principal/MSI
create user [myAADUserName] with sid = <sid>, type = E;
The sid needs to be generated from the AAD principal's ObjectId in most cases. However, for Service Principals/MSIs, it needs to come from the AppId. Here's a PowerShell script to generate the sid value:
param (
    [Parameter(Mandatory)]
    [string]$objectIdOrAppId   # ObjectId for users/groups, AppId for service principals/MSIs
)
# Guid.ToByteArray() yields the mixed-endian byte order SQL stores in the sid column
[guid]$guid = [System.Guid]::Parse($objectIdOrAppId)
$byteGuid = ''
foreach ($byte in $guid.ToByteArray())
{
    $byteGuid += [System.String]::Format("{0:X2}", $byte)
}
return "0x" + $byteGuid
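The byte order is the part of that script worth getting right: .NET's Guid.ToByteArray() emits the first three GUID fields little-endian, so a plain hex dump of the textual GUID would produce a SID that SQL accepts but that maps to no Azure AD principal. The following is an added example, not the answer's own code or anything from Azure support; it derives the same SID in Python (uuid.bytes_le is the equivalent layout), builds the CREATE USER ... WITH SID = ..., TYPE = ... statement with the E/X type from the answer, and converts a stored sid back to a GUID so an existing external user can be checked. The GUIDs used are constructed placeholders.

```python
"""Added example (not from the original answer): Azure AD GUID <-> SQL SID
conversion and CREATE USER generation for contained Azure AD users.
GUIDs in the sample are constructed placeholders."""

import re
import uuid

# Principal kind -> (T-SQL user type from the answer above, which Azure AD id to pass).
# Users and service principals/MSIs are type E, groups are type X; for service
# principals the SID is derived from the application (client) id, not the object id.
PRINCIPAL_KINDS = {
    "user": ("E", "object id"),
    "group": ("X", "object id"),
    "service_principal": ("E", "application (client) id"),
}


def aad_guid_to_sid(guid_text: str) -> str:
    """Return the SQL SID literal (0x + 32 hex digits) for an Azure AD GUID.
    bytes_le matches Guid.ToByteArray(); uuid.bytes (network order) would not."""
    guid = uuid.UUID(guid_text)  # raises ValueError on malformed input
    return "0x" + guid.bytes_le.hex().upper()


def sid_to_guid(sid_literal: str) -> str:
    """Inverse: turn sys.database_principals.sid back into the Azure AD GUID."""
    if not re.fullmatch(r"0x[0-9A-Fa-f]{32}", sid_literal):
        raise ValueError("expected 0x followed by 32 hex digits")
    return str(uuid.UUID(bytes_le=bytes.fromhex(sid_literal[2:])))


def quote_identifier(name: str) -> str:
    """Bracket-quote a T-SQL identifier, doubling any closing bracket."""
    return "[" + name.replace("]", "]]") + "]"


def create_user_statement(display_name: str, guid_text: str, kind: str) -> str:
    """Build the statement the support answer describes for one principal."""
    if kind not in PRINCIPAL_KINDS:
        raise ValueError(f"unknown principal kind {kind!r}; "
                         f"expected one of {sorted(PRINCIPAL_KINDS)}")
    user_type, _ = PRINCIPAL_KINDS[kind]
    return (f"CREATE USER {quote_identifier(display_name)} "
            f"WITH SID = {aad_guid_to_sid(guid_text)}, TYPE = {user_type};")


if __name__ == "__main__":
    # Constructed placeholder ids; real ones come from Azure AD / Get-AzADGroup etc.
    print(create_user_statement("myAADGroupName",
                                "12345678-1234-1234-1234-123456789abc", "group"))
    print(create_user_statement("my-automation-sp",
                                "0f0f0f0f-1111-2222-3333-444444444444",
                                "service_principal"))
    print(sid_to_guid("0x78563412341234121234123456789ABC"))
```

After running the generated statement, SELECT name, type, sid FROM sys.database_principals WHERE type IN ('E', 'X') shows the stored value; feeding that sid through sid_to_guid should return the object id (or, for a service principal, the application id) you started from.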
I have an Azure Subscription with a Default Directory, with my company's account (myname#mycompany.com) as a guest.
I log in to the Azure portal with this company account.
In the SQL Server, I have set the Active Directory admin to an AAD group, and I'm a member of the group.
When I click Export (database) in the Azure Portal, I select Active Directory authentication and type my username/password:
However, I'm getting:
Failed to export the database: MyDatabase. ErrorCode: 400
ErrorMessage: There was an error that occurred during this operation :
'Error
encountered during the service operation. ; Exception
Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unable to
authenticate request; Inner exception
System.Data.SqlClient.SqlException:Failed to authenticate the user
username#mycompany.com in Active Directory
(Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003;
state 10; MSIS7068: Access denied.; '
Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied
According to the error information, it indicates that the user's password is not correct.
Based on my test, it works correctly if you set the Active Directory admin to an AAD group and if you are a member of the group.
I need to be able to get the signed-in user's group membership so that I can verify whether he is part of a specific group. However, I am getting an "Insufficient privileges to complete the operation." exception using the Azure AD Graph API client library.
I am a co-admin of a subscription, and I have created a new Azure AD application to authenticate against the default directory and configured the "Permission to Other application" section as in the below screenshot.
Azure AD Application Configuration
I am able to fetch the signed-in user's details, but when I try to call the MemberOf function, I get the above exception. Please let me know what I am missing here. Thanks in advance!
// Object id of the signed-in user, taken from the id token claims
string objectId = ClaimsPrincipal.Current
    .FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();

// Reading the user's own object works
IUser user = await client.Users.GetByObjectId(objectId).ExecuteAsync();
var userFetcher = (IUserFetcher)user;

// Reading group membership fails with "Insufficient privileges to complete the operation."
IPagedCollection<IDirectoryObject> pagedCollection = await userFetcher.MemberOf.ExecuteAsync();
The problem here was that I had selected permissions outside the 'personal scope' (Access the directory as the signed-in user, Read directory data).
Hence, it needed consent from the service administrator of the subscription associated with the directory. Once the admin logs into the app and approves the consent screen, the code should stop throwing the insufficient privileges exception.