SQL Azure Integrated Authentication with a cloud-only Azure Active Directory fails
Question
I have created an Azure tenancy and configured the following:
Azure AD with:
- A simple custom domain name (fewer than 15 characters), DNS verified etc. All good.
- Users and an Admins group
- Two groups of users
- A VNET with DNS and IP addresses
- Device management enabled
- Domain Services enabled and connected to the VNET
Note that nothing is on premises; this is all in the cloud. My physical laptop is effectively used as a jump box.
SQL Azure database and server, with:
- Firewall rules opened for all the necessary inbound connections
- The Active Directory admin set to the Admins group I created in Azure AD
- All AD users created in SQL Azure using CREATE USER FROM EXTERNAL PROVIDER;
I can connect fine to the SQL Azure database from SSMS on my laptop using Active Directory Universal Authentication or Active Directory Password Authentication. With both I am challenged for a username and password, as expected.
Objective: I want to be able to use integrated authentication so that I can seamlessly flow identity from a) a machine, b) an ASP.NET MVC site. I have not tried scenario b yet, so let's park that. For scenario a, I have done the following.
Configured an Azure VM:
- Standard D2, Windows 10 fully patched
- Connected to the same VNET as the domain
- SQL Server Management Studio 2016 (SSMS) installed (latest and patched - 13.0.15700.28)
- ODBC 13.1 installed (although I think this is irrelevant)
- ADAL
- Microsoft Online Services Sign-in Assistant for IT Professionals RTW
In short, my "complete environment" consists of an Azure AD, a SQL Azure DB and a client VM.
Problem: I join the VM to my Azure Active Directory using Directory Services, sign out and log in as a valid domain user (valid in AD and SQL Azure with appropriate logins and permissions). When I open SSMS I can connect fine with Active Directory Universal Authentication or Active Directory Password Authentication, but when I try to connect with Active Directory Authenticated Security, I get the error below. This also happens if I join the VM directly to Azure AD. My deployment is 100% cloud, so there is no federation in place.
So I have two questions:
- Am I missing something in my configuration or approach, or can this be worked around? This may be an existing issue - see here
- Will this connectivity (pass-through) work if coded in C# on .NET 4.6.2 and deployed in the cloud? Possibly using the ODBC 13.1 driver?
Thanks
===================================
Cannot connect to .database.windows.net.
===================================
Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory (Authentication=ActiveDirectoryIntegrated). Error code 0xCAA9001F; state 10 Integrated Windows authentication supported only in federation flow. (.Net SqlClient Data Provider)
------------------------------ For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=0&LinkId=20476
------------------------------ Server Name: .database.windows.net Error Number: 0 Severity: 11 State: 0 Procedure: ADALGetAccessToken
------------------------------ Program Location:
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling)
at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.Open()
at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()
Answer
Got an update from Azure Support:
It doesn't work because:
- To use Active Directory Integrated authentication, Azure Active Directory has to be federated. This is because Kerberos has to be done (a Kerberos TGT is generated when you log on to the machine), but Azure AD doesn't know Kerberos, so ADFS is required.
- Azure AD Domain Services preview: this makes the legacy features (NTLM, Kerberos, etc.) available. But Azure SQL Database doesn't support old-style Windows authentication.
So, you could add 2-3 low power VMs to achieve AD + ADFS + AAD + AAD-DS, but that's definitely not the ideal way.
If I get information on future plans, I'll share them here.
Have the same issue and some open tickets. Will update this answer once I get additional information.
As of today, only a federated setup is supported as documented here. You have to establish an ADFS setup using AD Connect.
That's something AAD-DS should provide for a cloud-only solution. AAD-DS is still preview...
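The answer above reduces the problem to one precondition: Active Directory Integrated authentication against SQL Azure only works when the Azure AD domain is federated (Kerberos via ADFS), and a cloud-only "managed" domain fails with the 0xCAA9001F / "supported only in federation flow" error quoted in the question. The following Python script is an added example (not part of the question or the answer) that turns that into an offline check: it classifies a domain as Managed or Federated from the JSON returned by Azure AD's public home-realm discovery endpoint (login.microsoftonline.com/getuserrealm.srf with json=1; the NameSpaceType and AuthURL fields used here are assumptions about that response, not something the page documents), recognises the federation-flow error text, and reports which of the three SSMS/SqlClient authentication modes can work for that domain. The two sample responses and the domain names in them are constructed; the only live call, fetch_realm, is optional and is meant for checking your own tenant.

```python
"""Offline check for the precondition stated in the answer: Authentication=Active
Directory Integrated against SQL Azure needs a federated Azure AD domain.

Assumptions (not from the page): getuserrealm.srf?json=1 returns a JSON object with
NameSpaceType "Managed" (cloud-only) or "Federated", DomainName, and, for federated
domains, AuthURL pointing at the STS (ADFS). Sample responses below are constructed.
"""
import json
import re
import urllib.parse
import urllib.request

# Public Azure AD home-realm discovery endpoint (assumption about response shape).
REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"

# Matches the SSMS error quoted in the question: ADAL error code 0xCAA9001F, state 10,
# "Integrated Windows authentication supported only in federation flow".
FEDERATION_FLOW_RE = re.compile(
    r"0xCAA9001F|supported only in federation flow", re.IGNORECASE)

# Modes the question reports as working on a cloud-only tenant.
MODES_MANAGED = ["Active Directory Password", "Active Directory Universal"]


def classify_realm(realm_json: str) -> dict:
    """Map a getuserrealm.srf JSON body to which Azure AD auth modes can work."""
    info = json.loads(realm_json)
    namespace = info.get("NameSpaceType", "Unknown")
    federated = namespace == "Federated"
    modes = list(MODES_MANAGED)
    if federated:  # only a federated domain can satisfy the Integrated (Kerberos) flow
        modes.append("Active Directory Integrated")
    return {
        "domain": info.get("DomainName"),
        "namespace_type": namespace,
        "federated": federated,
        "sts_url": info.get("AuthURL") if federated else None,
        "integrated_auth_possible": federated,
        "usable_modes": modes,
    }


def is_federation_flow_error(message: str) -> bool:
    """True when a SqlClient/ADAL error text is the failure from the question."""
    return FEDERATION_FLOW_RE.search(message) is not None


def explain_failure(error_message: str, realm_json: str) -> str:
    """Combine the error text with the realm classification into one diagnosis."""
    verdict = classify_realm(realm_json)
    if not is_federation_flow_error(error_message):
        return "Error is not the federation-flow failure; federation status does not explain it."
    if verdict["federated"]:
        return (f"{verdict['domain']} is federated via {verdict['sts_url']}; "
                "the federation-flow error is not explained by realm type.")
    return (f"{verdict['domain']} is {verdict['namespace_type']} (cloud-only); "
            "Integrated auth needs a federated domain. Usable modes: "
            + ", ".join(verdict["usable_modes"]))


def fetch_realm(login: str, timeout: float = 10.0) -> str:
    """Live lookup for your own domain (needs network; not used by the offline run)."""
    query = urllib.parse.urlencode({"login": login, "json": "1"})
    with urllib.request.urlopen(f"{REALM_URL}?{query}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses: one cloud-only domain, one federated domain.
MANAGED_SAMPLE = json.dumps({
    "Login": "alice@contoso.example",
    "NameSpaceType": "Managed",
    "DomainName": "contoso.example",
})
FEDERATED_SAMPLE = json.dumps({
    "Login": "bob@fabrikam.example",
    "NameSpaceType": "Federated",
    "DomainName": "fabrikam.example",
    "AuthURL": "https://sts.fabrikam.example/adfs/ls/?version=1.0&action=signin",
})
# The error text from the question, verbatim.
QUESTION_ERROR = (
    "Failed to authenticate the user NT Authority\\Anonymous Logon in Active Directory "
    "(Authentication=ActiveDirectoryIntegrated). Error code 0xCAA9001F; state 10 "
    "Integrated Windows authentication supported only in federation flow.")

if __name__ == "__main__":
    print(explain_failure(QUESTION_ERROR, MANAGED_SAMPLE))
    print(explain_failure(QUESTION_ERROR, FEDERATED_SAMPLE))
```

Run as-is it evaluates the two constructed samples; to check a real domain, replace a sample with fetch_realm("someone@yourdomain") and pass the result to explain_failure together with the error text from SSMS. A Managed verdict is the cloud-only situation in the question, where only Password and Universal authentication can succeed.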