
Connection works fine following this tutorial when using:

// Inside an EF Core DbContext: grab the underlying SqlConnection
var connection = (SqlConnection)Database.GetDbConnection();
// Acquire an AAD token for Azure SQL (resource https://database.windows.net/) via the old AppAuthentication library and attach it to the connection
connection.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;

But now the docs say "Microsoft.Azure.Services.AppAuthentication is no longer recommended"

So, changing my connection as described in "Using Azure Active Directory authentication with SqlClient", I get the following errors:

Integrated Windows Auth is not supported for managed users.

Tried to get token using Managed Identity. Access token could not be acquired. A socket operation was attempted to an unreachable network. (169.254.169.254:80)

Nothing is blocking that address, but also where is it getting that IP from? The tutorial's code used https://database.windows.net/ to get the token (which resolves 65.55.23.107).

Can/should I override that address somewhere?
Any other config missing?

  • If you use Azure SQL Server, I think you need to check whether you've added your IP in the server firewall (Azure portal: go to your database -> click Set server firewall). Another point is to check whether you've set the AD admin of the SQL server. Commented Mar 19, 2021 at 9:17
  • Doubt it's a firewall issue if the connection works from SSMS and with the tutorial's code. Commented Mar 19, 2021 at 9:38

1 Answer

These auth methods apply to different scenarios. For example, if you want to use Active Directory Integrated authentication, you need to federate the on-premises AD with Azure AD via ADFS; if you want to use Active Directory Managed Identity authentication, you must run your code in an Azure service which supports MSI (you need to enable MSI first), because the code essentially makes an API call to the Azure instance metadata endpoint to get the access token and then uses the token to authenticate. It is only available in MSI-supported services.

So if you want to migrate the code from the old SDK to the new one, you need to choose the correct auth method that applies to your scenario. Here I recommend you use Active Directory Service Principal authentication; it can apply to any scenario. Please follow the steps below.

1. Register an application with Azure AD and create a service principal.

2. Get the values for signing in and create a new application secret.

3. Grant permission to the service principal with CREATE USER [Azure_AD_Object] FROM EXTERNAL PROVIDER.

4. Then use the code below, replacing the values with the ones you got from step 2.

// User Id = the application (client) id, Password = the client secret from step 2
string ConnectionString = @"Server=demo.database.windows.net; Authentication=Active Directory Service Principal; Database=testdb; User Id=AppId; Password=secret";

using (SqlConnection conn = new SqlConnection(ConnectionString)) {
    conn.Open(); // SqlClient acquires the AAD token for the service principal itself
}
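The same service-principal connection, as an added example that is not part of the original answer: it builds the connection string with SqlConnectionStringBuilder from Microsoft.Data.SqlClient (assumed to be version 2.0 or later, where SqlAuthenticationMethod.ActiveDirectoryServicePrincipal exists) and reads the client id and secret from environment variables rather than embedding them in source, then queries SUSER_SNAME() so you can confirm which principal the database actually authenticated. The environment variable names, the server and database names, and the helper names are assumptions made for this example.

```csharp
// Added example, not code from the question or the answer above.
// Assumes the Microsoft.Data.SqlClient package (2.0+) is referenced.
using System;
using Microsoft.Data.SqlClient;

public static class ServicePrincipalSqlExample
{
    // Builds a connection string for Active Directory Service Principal auth.
    // clientId is the application (client) id, clientSecret the secret from step 2.
    public static string BuildConnectionString(
        string server, string database, string clientId, string clientSecret)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryServicePrincipal,
            UserID = clientId,
            Password = clientSecret,
            Encrypt = true,               // keep the token and data off the wire in clear
            TrustServerCertificate = false
        };
        return builder.ConnectionString;
    }

    // Opens the connection and returns the login name the server sees,
    // which for a service principal is the app's display name or id.
    public static string WhoAmI(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn))
            {
                return (string)cmd.ExecuteScalar();
            }
        }
    }

    public static void Main()
    {
        // Environment variable names are an assumption for this example;
        // any secret store that keeps the value out of source control works.
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")
            ?? throw new InvalidOperationException("AZURE_CLIENT_ID is not set");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET")
            ?? throw new InvalidOperationException("AZURE_CLIENT_SECRET is not set");

        // Placeholder server and database names.
        string cs = BuildConnectionString(
            "demo.database.windows.net", "testdb", clientId, clientSecret);

        Console.WriteLine("Connected as: " + WhoAmI(cs));
    }
}
```

Because the credential is a client secret, nothing in this path touches the instance metadata endpoint (169.254.169.254), so it works the same on-premises and in Azure; the trade-off, as noted in the comments, is that you are back to managing a secret, so rotate it and keep it out of the repository.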

6 Comments

Thanks Joy - Ideally I'd want to keep away from passwords/secrets (which I see as the main benefit of using AAD auth). I will look into the ADFS, think that might be the key.
Regarding the Managed Identity auth... Is that http://169.254.169.254/... endpoint only accessible from inside Azure? And no way to configure that address?
@JvR Well, if you can set up ADFS, it is also OK. Yes, the endpoint is only accessible in Azure; it is named the Azure instance metadata endpoint, and there is no way to configure it.
That's a ridiculous breaking change! So my environment has to change to accommodate the new package that has some hardcoded IP address that HAS to be in Azure?!
I wish I wasn't... haha anyway I've created an issue here. Will update this post on more feedback.