I have created a C# app with an MSOL authentication prompt. This auth prompt authenticates the user to my app and to my Asana integration. This works fine.
I now need to give my app permissions to access SQL databases in my Azure App Registration, but I can't find the API listed in the "Request API Permissions" section.
Does anyone know how I am supposed to grant my app access to SQL? Currently I get an error from my app stating that it does not have access to the database. I have already set my AAD account as an admin of the DB but I still cannot access it.
Edit: This is the problem I am facing. Should be an option for SQL server.
Figured it out.
For the Azure SQL Database option to show in the API Permissions you first need to create an Azure SQL Database and add yourself as either an admin or user and then login to that database via SQL Server Management Studio using Azure AD Credentials.
Once you have done that, the API still will not show without manually searching for "Azure SQL Database".
Microsoft should really make this stuff clear in their documentation.
Related
I have an app service in Azure operating as an API for a system I'm designing. As the API is responsible for accessing the database directly, I obviously don't want to be storing connection strings containing credentials anywhere if possible, so am looking to use Managed Identities to grant the App Service access to the database (also hosted on Azure).
Within the Azure portal, I've enabled System-Assigned Identity within the Settings section of the App Service, then given the service the role of owner of the SQL Server via SQL Server -> Access Control -> Role Assignments-> Add.
As I understand it, Active Directory Users shouldn't even come into this as they are user-assigned identities rather than system-assigned identities, and take more setting up (or storing their credentials in the connection string).
As for the code, it's pretty much a carbon copy of this >> https://github.com/medhatelmasry/JwtAuthentication, the only differences being that I've added
services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();
to the end of the ConfigureServices method within Startup.cs, and added the below to the constructor of ApplicationDbContext as per Microsoft's instructions:
var conn = (System.Data.SqlClient.SqlConnection)Database.GetDbConnection();
conn.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
When attempting to run this service in Azure, however, I get an exception when calling services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I've tried StackOverflow, MSDN, Azure Help, Pluralsight and whatever random forums turn up from Google, and not managed to find an answer on any of them. I've only just got through a whole week of staying up until stupid o'clock every day trying to fix connection string configurations only to find Azure was changing the name of the connection string parameter that I was giving it and not saying a word about it (and nothing in any Microsoft documentation about it either).
Azure is becoming a serious pain in my ass, I haven't even started adding endpoints to the API yet, let alone creating an actual application to use it, this is ridiculous.
Eventually found the answer here >> https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql#create-a-contained-user-in-the-database-that-represents-the-vms-system-assigned-identity
The App Service was indeed set as an owner of the server, but hadn't had a user provisioned on the database, so my problem was resolved by logging into the database via SSMS and running:
CREATE USER [My App Service Name] FROM EXTERNAL PROVIDER
then:
ALTER ROLE db_owner ADD MEMBER [My App Service Name]
However, I removed the ownership role of the App Service on the server's Access Control (IAM) page, and am still able to connect successfully, not sure why that is but this is probably just a lack of SQL user knowledge on my part. It actually suits me as at the moment my App Service has a provisioned SQL user with db_owner role assigned on the database itself, but not on the overall server.
From my understanding you have to go through the prerequisite process of creating, enabling and allowing Azure AD users and also setting SQL Admin to an Azure AD user.
There's a pretty comprehensive guide here including creating, accessing and using tokens for Managed Identities Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
I have an App Service that connect to an Azure SQL. The App Service and Azure SQL is stored in same resource group and I already enabled MSI and I already provided access in SQL for the Azure AD Group that was created. In my code when I tried to open a conenction to the sql. I get the following error
Cannot open server "[servername]" requested by the login. The login failed.
I can see that I am getting an access token
You need to add Azure App service in your Azure SQL in access control (IAM).
Navigate to your Azure SQL and locate Access Control(IAM). On IAM, click on add role assignment and Provide Role as 'Contributor' and Principal as 'Your App Service'. Save the changes.
Now app service will be able to Authenticate itself to SQL database.
right now I am working on a project with .Net CORE c# and entity framework database and I get an error
SqlException: Windows logins are not supported in this version of SQL
Server.
I followed a tutorial and I think I did everything fine...
The only difference is that I have my database hosted on Azure, it should matters?
Here is my connection string
"DefaultConnection": "Server=firstdb123.database.windows.net;Database=TestDB;Trusted_Connection=True;MultipleActiveResultSets=true",
Here is a picture with my database
I have my EmployeesController and my EmployeeContext made by visual studio so it should be right.. but I don't know why it dose not work
Any help would be awesome
See that Trusted_Connection=True; bit in your your connection string? That's a Windows shortcut that allows you to bypass the normal username/password credentials on a server.
You need to create secure Azure login, then use that to specify the connection string.
This page shows how a connection string is created in the various different SQL version.
You can connect to the Azure SQL using the Active Directory Integrated authentication as it is documented.
Connection string should be like
connectionString="Server=servername.database.windows.net,1433;Initial Catalog=DatabaseName;Authentication='Active Directory Integrated'"
Windows Logins of SQL Server:
When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. AS your SQL Database is hosted in azure, we must ensure that your SQL Database and your .Net Core Application are in same Domain when use Windows Logins to connect to SQL Server.
More information about Windows Authentication, we can refer to: Connecting Through Windows Authentication
To Solve your problem, we can use SQL Server Authentication by pass the user name and password.
We can set the User Name and Password at portal as below:
And we can get connection String at portal as below:
Then we can use this connection string in Entity Framework or ADO.NET code.
It does matter that the database is hosted on Azure, because Azure doesn't have access to your windows account and can't verify that you are logged in with a windows account.
You could use the Server admin, but that is not very secure when you are going to run things in production.
Members of the sysadmin fixed server role can perform any activity in the server.
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-2017
To solve this you could create a database user by using:
CREATE USER [{username}] WITH PASSWORD=N'{password}'
Execute this on the database you need access to.
After creating the user you have to give it some permissions:
EXEC sp_addrolemember 'db_datareader', [{username}];
'db_datareader' gives the user read-only permissions on the database. Maybe this is not enough for your user, then you van give it some more permissions by executing the statement again with another database role. More about the database roles: https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-2017
For Azure SQL databases it is not possible to do this via SQL Server Management Studio. More information about this:
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins
https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
Use this user in your connection string:
"DefaultConnection": "Server=firstdb123.database.windows.net;Database=TestDB;User Id={username};Password={password};MultipleActiveResultSets=true"
I hope this helps you.
In my ASP.NET MVC application, I have enabled authentication using Microsoft and Google accounts. They both are working fine. i.e., I am able to login to my application using my hotmail and gmail both accounts.
Once logged in (say, using Microsoft account), I am able to see following screen as well.
I am able to change the password. While all this works fine, I am quite unsure where all this information is getting stored? In previous editions, I was able to see External Provider mapping tables getting created automatically in the database. However, in this instance, database has no table, which makes me believe that this mapping is getting stored somewhere else.
Can someone please shed lights on this?
P.S. - I am using SQL Server 2016 Express edition, and have no other authentication enabled for this application (i.e., there is no Forms authentication as well). Only, Google and Microsoft logins are accepted.
Also, System.Web.Mvc in my application is of version - 5.2.3.0
They are stored in the AspNetUserLogins table.
Created Azure Database and Azure Site. Used the connection string provided by the Azure Site and filled in the password. When i try access the database through the application an error is returned
Login failed for user 'stefan'. System.Data.SqlClient.SqlException: Login failed for user 'stefan'
This session has been assigned a tracing ID of '6ee9a27b-4be7-494b-aadd-7b05a8a3bddb'. Provide this tracing ID to customer support when you need assistance.
if you visit http://clickpc.azurewebsites.net/ can see the error for your self.
I may believe that access is denied in sql IP configuration for the IP of the connecting node
I allowed connections from Azure to the database but seems like still access denied
This error indicates that your username/password is incorrect. If this was due to a Firewall issue, you would have gotten an error message stating something like this:
Firewall check failed. Cannot open server 'XXXXXXXXX' requested by the
login. Client with IP address 'XXXXXXXXX' is not allowed to access the
server. To enable access, use the SQL Azure Portal or run
sp_set_firewall_rule on the master database to create a firewall rule
for this IP address or address range. It may take up to five minutes
for this change to take effect.
Typically, SQL Azure usernames are part username and part server name, like so: stefan#xxxxxxx
Please ensure that you've specified correct SQL Azure username and password
Managing logins in the SQL Azure world are unfortunately difficult. For example, SQL Server Management Studio doesn't let you add new logins and users via the GUI. Things have to be done using T-SQL.
To start, when you first created the database using the Azure Portal, did you use Stefan as the login name? That is important because Stefan becomes takes on the dbo database role (admin). Otherwise, you need to create new users and assign permissions.
Second, in the Azure Portal, locate your database and click on manage. Try to login on via that webpage using Stefan. If that doesn't work then you have the wrong username or password. If it does work, open up Management Studio and connect to your SQL Azure db, using Stefan. Then use this Microsoft guide to troubleshoot: Managing Databases and Logins in Windows Azure SQL Database