onprem machines to Azure Active Directory so we can access ActiveDirectoryMSI authentication as well as IMDS SERVER


Problem description


We want to use AzureSqlServer with ActiveDirectoryMSI authentication as well as token-based authentication, and we are able to execute successfully from a VM created in the Azure network and added as a member of the Azure AD group. For that, we have created a contained user by following the link


And added the VM as part of AzureActiveDirectory by following this link

com.microsoft.sqlserver.jdbc.SQLServerException:MSI令牌失败:无法从MSI端点获取令牌


And we are able to access the SQL data without providing a username and password using the IMDS server, and we are able to retrieve the token using http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F


ActiveDirectoryMSI URI string: jdbc:sqlserver://azuresqlserverNAME:1433;databaseName=DatabaseNAME;Authentication=ActiveDirectoryMsi;


But when it comes to access from an on-prem Windows/Linux/Mac machine, we are not able to access Azure SQL Server.


Can someone please suggest to me in terms of on-prem what needs to be done so we can access AzureSqlServer with ActiveDirectoryMSI Authentication as well as token-based authentication?

Recommended answer


According to my test, if you want to connect to Azure SQL from an on-premise machine, please refer to the following steps

  1. Create a service principal

    az ad sp create-for-rbac -n 'name' --skip-assignment

  2. Set environment variables. Please set the following variables as environment variables

    AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.
    
    AZURE_CLIENT_ID: the service principal's client ID
    
    AZURE_CLIENT_SECRET: one of the service principal's client secrets
    

  3. SDK

    
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-identity</artifactId>
        <version>1.0.7</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.sqlserver</groupId>
        <artifactId>mssql-jdbc</artifactId>
        <version>8.2.2.jre8</version>
    </dependency>
    
    

  4. Code

    import java.sql.Connection;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import com.azure.core.credential.AccessToken;
    import com.azure.core.credential.TokenRequestContext;
    import com.azure.identity.DefaultAzureCredential;
    import com.azure.identity.DefaultAzureCredentialBuilder;
    import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

    public class App {
        public static void main(String[] args) throws SQLException {
            AccessToken token = GetAccessToken();
            SQLServerDataSource ds = new SQLServerDataSource();

            ds.setServerName("<>.database.windows.net"); // Replace with your server name.
            ds.setDatabaseName("demo"); // Replace with your database name.
            ds.setAccessToken(token.getToken()); // Token-based authentication: no username/password.

            try (Connection connection = ds.getConnection();
                    Statement stmt = connection.createStatement();
                    ResultSet rs = stmt.executeQuery("SELECT SUSER_SNAME()")) {
                if (rs.next()) {
                    System.out.println("You have successfully logged on as: " + rs.getString(1));
                }
            }
        }

        public static AccessToken GetAccessToken() {
            // DefaultAzureCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET
            // from the environment on-premises, and falls back to managed identity on an Azure VM.
            DefaultAzureCredential creds = new DefaultAzureCredentialBuilder().build();
            TokenRequestContext request = new TokenRequestContext();
            request.addScopes("https://database.windows.net//.default"); // Scope for Azure SQL.
            AccessToken accesstoken = creds.getToken(request).block();
            return accesstoken;
        }
    }
    
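As an added example (not the answerer's code), the same on-prem connection with the service principal bound explicitly through ClientSecretCredential instead of being discovered by DefaultAzureCredential, so a machine outside Azure never falls through the chain to the IMDS probe when an AZURE_* variable is missing; it also rejects an expired token or one whose audience is not Azure SQL before the driver sees it. The class name, the server and database placeholders, and the claim regex are assumptions; the service principal still has to exist in the database as a contained user, as the question did for the VM.

```java
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

public class SpTokenSqlExample { // hypothetical class name
    // Scope for Azure SQL; the issued token's "aud" claim then names the database resource.
    static final String SQL_SCOPE = "https://database.windows.net//.default";
    public static void main(String[] args) throws SQLException {
        // The answer's AZURE_* values bound explicitly, so no other credential in the
        // DefaultAzureCredential chain (IMDS, CLI, ...) is ever probed from on-prem.
        AccessToken token = new ClientSecretCredentialBuilder()
                .tenantId(System.getenv("AZURE_TENANT_ID"))
                .clientId(System.getenv("AZURE_CLIENT_ID"))
                .clientSecret(System.getenv("AZURE_CLIENT_SECRET"))
                .build()
                .getToken(new TokenRequestContext().addScopes(SQL_SCOPE))
                .block();
        if (token == null || token.isExpired()) throw new IllegalStateException("no usable token");
        // A token minted for another resource only yields a generic login failure from SQL.
        String aud = claim(token.getToken(), "aud");
        if (aud == null || !aud.startsWith("https://database.windows.net")) throw new IllegalStateException("bad aud: " + aud);
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName("<server>.database.windows.net"); // placeholder
        ds.setDatabaseName("<database>");                   // placeholder
        ds.setAccessToken(token.getToken());
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT SUSER_SNAME()")) {
            if (rs.next()) System.out.println("Connected as " + rs.getString(1));
        }
    }
    // Reads one string claim from the JWT payload; the signature is verified by Azure SQL, not here.
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) return null;
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return m.find() ? m.group(1) : null;
    }
}
```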
