I have an app that lets users authenticate with LDAP. In order to test it I wanted to deploy it on a cloud virtual machine and connect it to an Azure Active Directory instance.
I was trying to follow this and this guide. The steps I have taken:
Create a virtual network in Azure.
Create an Active Directory in Azure.
Activate ENABLE DOMAIN SERVICES FOR THIS DIRECTORY option.
Upload a self-signed certificate setup for *.mydomainname.onmicrosoft.com.
Activate ENABLE SECURE LDAP ACCESS OVER THE INTERNET.
At this moment I suppose that I should be able to connect to the LDAP server with the IP provided in Azure as EXTERNAL IP ADDRESS FOR LDAPS ACCESS. Unfortunately, I have failed trying to connect to it with Apache Directory Studio.
What additional steps should I take?
Secure LDAP is on port 636; try that one instead.
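The check a practitioner would run before blaming the client: a TLS-verified connection to port 636 followed by an LDAPv3 anonymous simple bind, so that a trust or hostname failure at the TLS layer is distinguishable from an LDAP-level refusal (a result code such as 49 invalidCredentials or 53 unwillingToPerform still proves the directory is answering on that port). This is an added example in Python, not code from the thread; the BER encoding follows RFC 4511, and `cafile` is assumed to be the PEM of the certificate uploaded in the portal (a self-signed certificate is trusted only if you pass it). Hostname verification is left on, so `host` must match a name in the certificate's SAN; connecting by bare IP to a certificate issued for *.mydomainname.onmicrosoft.com fails at the TLS step, which is one of the symptoms Apache Directory Studio reports as a generic connection failure.

```python
"""LDAPS connectivity and anonymous-bind check (added example, not from the thread)."""
import socket
import ssl
import sys

# BER / LDAP tags used by a bind exchange (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80  # [APPLICATION 0], [APPLICATION 1], [0]


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED in minimal two's-complement form."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    bind = ber_int(INTEGER, 3) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(BIND_REQUEST, bind))


def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode messageID, resultCode, matchedDN and diagnosticMessage of a bindResponse."""
    tag, body, _ = ber_read(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    op, resp, _ = ber_read(body, pos)
    if op != BIND_RESPONSE:
        raise ValueError(f"expected bindResponse, got tag 0x{op:02x}")
    _, code, pos = ber_read(resp)
    _, matched, pos = ber_read(resp, pos)
    _, diag, _ = ber_read(resp, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),   # 0 = success, 49 = invalidCredentials
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(errors="replace"),
    }


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read exactly one complete TLV (the whole LDAPMessage) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        lenbytes = _recv_exact(sock, head[1] & 0x7F)
        return head + lenbytes + _recv_exact(sock, int.from_bytes(lenbytes, "big"))
    return head + _recv_exact(sock, head[1])


def check_ldaps(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Verified TLS handshake, then an anonymous bind; returns what was observed."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verification stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
            tls.sendall(encode_bind_request(1, "", ""))
            bind = parse_bind_response(recv_ldap_message(tls))
    return {"tls_version": version, "subject": cert.get("subject"),
            "san": cert.get("subjectAltName"), "bind": bind}


if __name__ == "__main__":
    # usage: python ldaps_check.py ldaps.mydomainname.onmicrosoft.com /path/to/uploaded-cert.pem
    hostname, ca = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    print(check_ldaps(hostname, cafile=ca))
```

If the TLS step raises `ssl.SSLCertVerificationError`, the problem is trust or name matching, not the directory; if it succeeds and the bind comes back with a non-zero result code, the port is open and speaking LDAP, and the remaining work is on the client's bind DN and credentials.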
Scenario: We have an Azure cloud environment that contains three (Prod, Test, Dev) PaaS database servers (PostgreSQL Flexible Servers). Each server exists in its own VNet. The SQL data tables found in each server contain sensitive information. Let's say we require an external user (e.g. a contractor or consultant) to access the data tables in a secure way, with MFA enabled. What would be a secure and simple way of enabling this?
Some options I can think of:
Share database server credentials with external user (high risk of credentials being misplaced. No MFA option?):
Whitelist user IP address against Azure firewalls
Send PaaS server credentials to external user via email or SMS.
They connect using an SQL client on their machine.
External user to use VM via Bastion:
Add external user to Azure AD
Turn on MFA for user in AD
Create VM in Azure, with SQL client software installed (ie. pgAdmin for PostgreSQL)
Configure access to the 3 PaaS servers (Prod, test, dev) from the VM
Set up Bastion server with access to VM
Enable user to access VM via Bastion server
The second option incurs extra costs for the VM and Bastion, of course. Are there any other methods I should consider?
I have set up an Azure VNet and a Point-to-Site VPN using the OpenVPN tunnel to maintain use of the Azure AD username and password for login.
I have sample .ovpn config files but they all require certificates, beyond what is provided by Azure.
Azure provides me with the following three files:
AzureVPN\azurevpnconfig.xml
Generic\VpnServerRoot.cer
Generic\VpnSettings.xml
How should I go about using these files to configure a .ovpn document allowing me to connect to this VPN using my MacBook?
My understanding is that the certs aren't needed since we're using a username and password to login? The downloaded VpnServerRoot.cer doesn't import to the OS Keychain...
Thanks for any pointers!
Unfortunately, a macOS client is not currently available for connecting to an Azure point-to-site VPN with Azure AD authentication. The table below shows the client operating systems and the authentication options that are available to them. Refer to https://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support
When using the OpenVPN tunnel, you can select RADIUS and Azure certificate authentication for your macOS clients. For Mac clients, read Configure OpenVPN clients for Azure VPN Gateway.
Only iOS 11.0 and above and macOS 10.13 and above are supported with the OpenVPN protocol.
and Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.
I'm trying to access on-prem resources (file share on a file server) via Azure, but I'm stuck and don't know how to continue.
On Prem: 1 Domain Controller and 1 File Server (Server 2019 Std). Both are joined to a local domain. The DC runs Azure AD Connect for sync.
Client: Laptop running Windows 10, joined to the Azure AD. Is in a different network.
Goal: Laptop should access the file share.
For sure I could just use a VPN or something, but I'm trying to learn a bit of Azure.
I'm referring to the following Microsoft Website: https://learn.microsoft.com/en-us/microsoft-365/business/access-resources
"You can also allow access to on-premises resources like line of business (LOB) apps, file shares, and printers. To allow access, use Azure AD Connect to synchronize your on-premises Active Directory with Azure Active Directory."
I don't think those are related at all. A network path must exist between your laptop and the file share. Azure AD Connect can help you with authentication/authorization, not with establishing the network connection. You should use a VPN to establish network connectivity, and you can use Azure AD Connect to sync identities so that the same identity can be used to access resources in the cloud and on-premises.
Is there a way to connect from a web app (azure app service) to a SQL Server VM in Azure using Windows authentication? I'm not exactly sure if I need to impersonate or if the app needs to run under the identity that has access to the DB on the SQL Server.
I believe that you can do this, but you will need to share an Active Directory between the two, or have them in a private network together so that they are in the same broadcast subnet.
If you need to use your own Active Directory, then create a network and a VPN to your site.
If you don't need to use Active Directory then use SQL Auth.
Looks like it is not possible, although it may be with Azure SQL, but not with a VM running MSSQL. Ref links below.
SQL Server Integrated Security from an Azure Web Site
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
On a project I'm working on at my current job, we need to enable RDP on an Azure web role. I've enabled RDP, but the client is not able to connect. We confirmed the RDP port is open as well.
Doesn't the client need to install a certificate on his/her machine as well?
No, the client doesn't need to install a certificate on their machine. When you deploy a cloud service from Azure you can opt to have an RDP account created at the point of deployment; this will automatically configure the endpoints for 3389 on the instance. Are you sure the client is using the correct case on the password and has their firewall open on 3389?
No, it does not. If you're having problems, try to download the assistant file that will set up everything BUT your firewall, leaving you to just hit "Connect".