I am having a windows client application connecting directly to a SQL server.
I am using SQL server authentication now, but I want to replace that for improved security. (I don't want to deploy the credentials together with the application)
I want to use Azure AD to provide access to the app (and forwarding the access token to the DB)
My desired setup would look like:
I have a Azure AD app registration (service principal).
- I assign permission to use the application individually --> Enterprise App --> User assignment required --> Yes
- I give permission to the app (service principal) on the SQL database.
- What I can do now is to access the DB as the logged in user (API permission Azure SQL Server --> user_impersonation), but that means, that I have to give access to all individual users directly on the DB.
I would like to access the DB as the application.
Is this possible, and if yes, how?
Now, I am able to use ADAL to connect as the service principal to the DB, but then I have to create a client secret for the service principal and deploy that together with the application --> not secure. Or I can use MSAL with user_delegation and access the DB as the logged-in user but that means that I have to give him direct access to the DB and he can access it in another way as just with the application (i.e. in MSSMS).
Looks like what you want to use is a managed identity.
There's a tutorial here: https://learn.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi
I should warn you this managed identity feature is new-ish and you need to be careful what version of .Net framework your application is using. Some Azure App Service and other ressources are not yet updated to a .Net framework that supports managed identities (Last I know).
Related
I am creating .Net Core 5 windows service (using worker process template) which has azure SQL DB implementation.
I have a requirement to create a SQL connection string without userid and password.
I know there is something called Managed Identities however so far I read it only talks about
achieving this for azure APP services. Could not find any example with .Net Core worker service
As I am creating windows service and it will be deployed in multiple VMs how to create connection string without userid and password?
On workaround try with these
1) Azure AD token, Use the Azure Active directory for Azure SQL Server Authentication
This authentication method allows middle-tier services to obtain JSON Web Tokens (JWT) to connect to the database in SQL Database, the SQL Managed Instance, or Azure Synapse by obtaining a token from Azure AD. This method enables various application scenarios including service identities, service principals, and applications using certificate-based authentication. You must complete four basic steps to use Azure AD token authentication:
Register your application with Azure Active Directory and get the
client ID for your code.
Create a database user representing the application.
Create a certificate on the client computer runs the application.
Add the certificate as a key for your application.
Example:
string ConnectionString = #"Data Source=n9lxnyuzhv.database.windows.net; Initial Catalog=testdb;";
SqlConnection conn = new SqlConnection(ConnectionString);
conn.AccessToken = "Your JWT token";
conn.Open();
For more details refer this document: https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
2)
Try with the storing the connection string(sensitive information ) in Azure Key Vault and retrieving it dynamically for establishing database connection.
For more details refer this document :
https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app
I recommend that you follow these steps.
Set up managed identity on your VMs
Create a managed identity on each of the VMs.
Grant these managed identities access to the Azure SQL database by creating a contained database user, and assigning the right permissions to these users.
See this documentation page, up to and including the "Create contained user" section.
Leverage managed identity from your application
The recent versions of the .NET SQL driver, Microsoft.Data.SqlClient, can handle the process of acquiring a token from Azure Active Directory and using it during the SQL queries. This replaces the common authentication method of using a username and password in the connection string.
This means that as a consumer, you don't need to deal with the token acquisition process, nor the caching or the renewal of the tokens.
A couple of resources to do this:
Official Microsoft documentation: https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver15.
A blog post I wrote showing how to leverage the newer versions of Microsoft.Data.SqlClient: https://mderriey.com/2021/07/23/new-easy-way-to-use-aad-auth-with-azure-sql/.
I am trying to develop a concept to support multiple authentication methods in an ASP.NET core server environment which should support both Windows (WPF) clients as well as Web clients (Angular). Users should be able to login using three methods:
using username & password, which is checked against database of valid logins
using Windows authentication (i.e. the currently logged in user). This may require user PC and server to be on the same network/domain
using selected external authentication providers, such as Google
Users should have individual rights (claims), which either derive from their individual profile or group membership (e.g. in case of AD).
I am still at the concept phase, trying to figure out the basics here, so no code has been written yet.
My thinking is as follows:
users logging in using username & password receive a token (JWT) of some sort which then authorizes them to access protected/restricted calls.
users logging in using their Windows identity would basically receive the same token
users logging in via external auth-providers would receive the external token from the provider and use that to login and also receive an token from the server
regardless of 1-3, users end up with a server-issued token that gives them access to restricted features
Is that a common/correct approach for mixed authentication? If so, how would this be implemented on the ASP.NET core server side?
I am trialling Azure B2C Customer Preview and have configured a new application, set up policies e.t.c and I now want to write some integration tests that use a non-interactive flow to connect and interact with my protected WebApi services.
However, I have just read the following quote:
Daemons/Server Side Apps
Apps that contain long running processes or that operate without the
presence of a user also need a way to access secured resources, such
as Web APIs. These apps can authenticate and get tokens using the
app's identity (rather than a user's delegated identity) using the
OAuth 2.0 client credentials flow.
This flow is not currently supported by Azure AD B2C - which is to say
that apps can only get tokens after an interactive user flow has
occurred. The client credentials flow will be added in the near
future.
from this link which suggests that what I am trying to do is not yet possible. Can anyone from the Azure team tell me whether this information is up to date, and better yet a rough timescale for delivery on this feature?
I am trying to create a cross-platform app that allows a user to login to Azure Management Portal using his Live ID and manage his services. I know that the REST API can be used to access the Management portal.
But I am not sure how to implement the authentication part of it. I have gathered that to authenticate, the user has to upload a X.509 certificate for every request (if it is done by REST) or he has give info like subscription id, domain name etc. and also create a new application in the Active Directory of the Management portal using ADAL library.
But the user isn't expected to do this. Is there anyway to access the Management portal using ONLY the Live ID and password the user provides. Another dilemma I have is whether authentication can be implemented in a portable class library. The required classes for X.509 certificate are not accessible in a PCL. So, does authentication need to implemented for every platform separately?
I have an existing Web Site hosted on Azure that works with Azure Cloud services. I am now trying to integrate it with ACS for Identity Management. When attempting to configure through the Identity and Access Manager, I only have 2 options:
Use the Local Development STS to test your application
Use a business identity provider (e.g. Windows Azure Active Directory, ADFSv2)
However, I need the 3rd option that is typically available: "Use the Windows Azure Access Control Service". I've created new web sites in the exact same format, and have that option. But for some reason with this existing one it does not show up.
Is there anything in particular in my configuration settings that might not be allowing this?
Did you created any identity provider?
Please check the following article to get more detail :
http://blog.tomasjansson.com/configuring-windows-azure-active-directory-access-control