In our current on-prem world we rely on Windows authentication. Each IIS app pool runs under identity of a service account. And this service account has dbo permissions on sql database. How can I establish this similar (i know same is not possible) security model for Azure PaaS website?
I referred MSDN link which talks about sql authentication however I couldn't find anything relevant to my scenario in there. Any ideas on how others are dealing with this?
Have you looked at using Azure Active Directory and then integrated this with your Azure SQL Database? https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-aad-authentication-get-started
Related
Microsoft allows use of the Authentication command in Azure SQL to connect to the database using an Azure AD account.
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
Under heading 7.1. Connecting using integrated (Windows) authentication
How can I use this on an Azure App Service?
Note: I am specifically trying NOT to include the password as the next heading shows. I specifically want integrated.
If my understanding of the documentation is correct, you can achieve this yourself using Token Based authentication. It shouldn't require anything special from Azure App Service. See here for details and sample code:
https://blogs.msdn.microsoft.com/sqlsecurity/2016/02/09/token-based-authentication-support-for-azure-sql-db-using-azure-ad-auth/
The new token-based authentication method allows middle-tier services to obtain a token from Azure AD and use it to connect to Azure SQL Database.
Azure App Service machines are not part of your domain, so this isn't going to work. This was designed to let domain joined clients connect to SQL.
SQL Username/password is the only option left.
Update: see Chris Post about the new token based features
We are migrating an ASP.NET application onto Azure. Target state selected as Cloud Service Web role to host application component and Database onto Azure SQL/SQL Database. Currently the application is configured onto Kerberos in the source environment. Please let me know if Kerberos can be configured onto Target Environment without any issues.
Are they any specific steps to be done for Kerberos to work?
Yes, but you have to use Azure Active Directory. This method of authentication is in preview atm and only available for Azure SQL v12. There's possibly a lot of steps involved for your scenario from populating your Azure AD to setup your application. Check these references:
Integrating your on-premises identities with Azure Active Directory
Azure SQL Database security guidelines and limitations
Connecting to SQL Database By Using Azure Active Directory Authentication
I'm looking to setup AD for our company. We have developed a cloud based app that needs robust permissions abilities, which AD easily can handle. The app is bases out of Heroku which runs on AWS. I really need AD to manage logins and organizational hierarchy.
I'd like to use a cloud based service to act as the primary Domain controller and in the future, setup on-premise servers to provide local authentication to manage file/print and computer services. This is a secondary need to the authentication needs for our app.
Does anyone know if this architecture is possible? That is, a AD's DC in Azure with replicated services to other on-premise servers, at a later time? This seems to be the reverse of most setups in Azure. I'm ok with using other cloud services than Azure. It just seems they have the most documentation for cloud AD setups.
Any thoughts or help would be greatly appreciated.
Thanks,
AT
Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Install a new Active Directory forest in Windows Azure
In order to fully validate your scenario, how do you think to join the Heroku computers to your domain controller? Because joining the server where your application runs will make the total sense of what you are trying to achieve.
If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure.
If you plan to just query the AD for organizational structure, I highly suggest that you take a look at the Windows Azure Active Directory and its Graph API. this is what you need, in the case you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller.
UPDATE
Please update your question with better description of simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it. - I am afraid I can't really understand the application architecture and user login flow here.
Is it possible to use an Azure virtual machine as an Active Directory server with ADFS 2.0 and integrate it with ACS ?
Regards ,
James Roeiter
Having AD server (with RMS also) in cloud is an ask which I have heard time to time from Azure users and it sure is a great addition to have it running in Windows Azure or any cloud. Various organization's IT is asking the same as well however As of now with current Windows Azure it is not possible.
A few might suggest that using Windows Azure VM Role however, I would say that there are concern over that as well do to persistence and other issues so I would say it is not possible with Windows Azure VM Role as well and there are other issues related with Active Directory product as well to run in Cloud scenarios.
If I answer it directly, I would say as of now it is not supported and suggested scenario to have AD on Windows Azure and will not work due to various reasons.
You can now install AD on Azure in a persistent state. Its still preview but I have just got an standalone AD on a separate network on Azure. I haven't finished wiring up ADFS and ACS but given a little time to get my head around it and I will be there.
Why would you like to put your AD server in Azure? If it just for testing - you can. However the current state of Windows Azure only allows you to have a VM Role, which is Stateless. That means, you may prepare your VM with the AD, all configured for ACS and fill up with users. However you can't rely on any changes to be persisted (including password changed, user edits). VM Role is stateless, which means you will lose your changes once the role is recycled or rebooted, or healed.
So the final answer for the current Windows Azure offering would be - don't do that now, unless you want to just play around and see if it works.
** EDIT **
I am not an AD expert, what I managed to do and have an "in-house-virtualized" lab is to have ADFS on VM integrated with ACS. Another VM running Windows 7, which is domain joined to my AD. Then a web deployed application which leverage ACS with ADFS integration. Everything works fine.
As for storing AD data on external persistent storage - I don't know if it is possible, and how to configure that (already told you I am not AD expert). But if you know how to configure the storage for AD, and if you can store it in an SQL Azure, it is worth to give it a try.
And, finally, as Sandrino mentioned read the provided link to ZDNet's blog post, which has information you might find helpful.
I have a question on how we currently deploy applications on premises and how this would work in Azure.
So our on premises application is as follows:
We have a web application deployed on
our web server (WebAppExample1) that
talks to an application
(AppServerExample1) on our App
Server.
AppServerExample1 goes to our
database for data in Table1.
In our database the only application that
requires permission to Table1 is
AppServerExample1, so we create a DB
Role and grant appropriate
permissions. We associate this role
with an Active directory user
(AppServerExample1User) that
AppServerExample1 runs as.
How can this be done in Azure?
From looking at some samples I dont see anyone defining permissions at this level, which to me should be done (least privelage).
Also I believe you can not be an Admin in SQL Azure so does this mean you cannot create DB roles?
Thanks for replies
From everything I've read I believe you can create Roles in SQL Azure - e.g. see http://www.structuretoobig.com/post/2010/02/13/SQL-Azure-Logins.aspx
If you try and find you can't, then perhaps you could achieve this using users with different permissions rather than roles - see http://msdn.microsoft.com/en-us/library/ee336235.aspx#DatabasePerms
This database-level permission model in SQL Azure Database is same as
an on-premise instance of SQL Server.
For information, see the following
topics in SQL Server Books Online
references.
Identity and Access Control (Database Engine)
Managing Logins, Users, and Schemas How-to Topics
Lesson 2: Configuring Permissions on Database Objects