Azure SQL authentication using Azure Active Directory
After following this tutorial, the connection works fine:
// Old approach: AzureServiceTokenProvider obtains a token for the Azure SQL resource
// (https://database.windows.net/) and it is attached to the connection before opening it.
var connection = (SqlConnection)Database.GetDbConnection();
connection.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
But now the docs say Microsoft.Azure.Services.AppAuthentication is no longer recommended.
So, after changing my connection as described in Using Azure Active Directory authentication with SqlClient, I get the following error:
Integrated Windows Auth is not supported for managed users.
Tried to get token using Managed Identity. Access token could not be acquired. A socket operation was attempted to an unreachable network. (169.254.169.254:80)
Nothing is blocking that address, but where does it get that IP from? The tutorial's code uses https://database.windows.net/ to get the token (which resolves to 65.55.23.107).
Can/should I override that address somewhere?
Is there any other configuration missing?
These authentication methods apply to different scenarios. For example, if you want to use Active Directory Integrated authentication, you need to federate the on-premises AD with Azure AD via ADFS. If you want to use Active Directory Managed Identity authentication, you must run your code in an Azure service which supports MSI (you need to enable MSI first), because the code essentially makes an API call to the Azure instance metadata endpoint to get the access token and then uses that token to authenticate, which is only available in services that support MSI.
So, if you want to migrate your code from the old SDK to the new SDK, you need to choose the authentication method that fits your scenario. Here I recommend using Active Directory Service Principal authentication, which works in any scenario. Follow the steps below.
1. Register an application with Azure AD and create a service principal.
2. Get values for signing in and create a new application secret.
3. Grant permission to the service principal with CREATE USER [Azure_AD_Object] FROM EXTERNAL PROVIDER.
4. Then use the code here, replacing the values with the ones you got from step 2.
// Requires Microsoft.Data.SqlClient; the "Authentication=Active Directory Service Principal"
// keyword is not supported by the older System.Data.SqlClient.
using Microsoft.Data.SqlClient;

// Replace Server/Database with your own, and User Id/Password with the application (client) ID
// and the client secret from step 2.
string ConnectionString = @"Server=demo.database.windows.net; Authentication=Active Directory Service Principal; Database=testdb; User Id=AppId; Password=secret";
using (SqlConnection conn = new SqlConnection(ConnectionString)) {
    conn.Open();
}
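As an added example (not code from the question or from the answer above), here is how the service-principal connection from step 4 can be built without a hard-coded secret, together with the T-SQL for step 3 and the managed-identity variant for comparison. It assumes Microsoft.Data.SqlClient 2.0 or later (the version that introduced the Active Directory Service Principal option); the server, database, application ID, the principal name my-app-sp, the db_datareader role choice and the APP_CLIENT_SECRET environment variable are placeholders. The link-local address 169.254.169.254 in the question's error is the Azure Instance Metadata Service, which is only reachable from inside Azure compute, so the managed-identity variant cannot work on a developer machine or an on-premises server.

```csharp
// Added example, not from the original question or answer.
// Assumes Microsoft.Data.SqlClient >= 2.0; all names below are placeholders.
using System;
using Microsoft.Data.SqlClient;

public static class ServicePrincipalSqlDemo
{
    // Step 3, run ONCE by an Azure AD admin of the target database (e.g. in SSMS), not by the app.
    // [my-app-sp] is the display name of the app registration (placeholder).
    // Granting a fixed role instead of db_owner keeps the principal least-privileged.
    public const string ProvisionSql = @"
CREATE USER [my-app-sp] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [my-app-sp];";

    // Builds the connection string with SqlConnectionStringBuilder so that values
    // containing ';' or '=' are quoted correctly and the secret never appears in source.
    public static string BuildServicePrincipalConnectionString(
        string server, string database, string appId, string secret)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryServicePrincipal,
            UserID = appId,          // application (client) ID from step 2
            Password = secret,       // client secret from step 2
            Encrypt = true,          // Azure SQL requires TLS; keep it explicit
            TrustServerCertificate = false,
        };
        return b.ConnectionString;
    }

    // Managed Identity variant: works only on Azure compute (VM, App Service, Functions, ...)
    // with a managed identity enabled, because the driver fetches the token from the
    // Instance Metadata Service at 169.254.169.254 (or the equivalent identity endpoint
    // on App Service). Run anywhere else, it fails with the "unreachable network" error
    // quoted in the question.
    public static string BuildManagedIdentityConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
            Encrypt = true,
        };
        return b.ConnectionString;
    }

    // Opens the connection and returns the login the server actually sees, so a
    // mis-provisioned principal (step 3 skipped) surfaces here rather than deep in the app.
    public static string WhoAmI(string connectionString)
    {
        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn);
        return (string)cmd.ExecuteScalar();
    }

    public static void Main()
    {
        // The secret comes from the environment (or a vault), never from source control.
        string secret = Environment.GetEnvironmentVariable("APP_CLIENT_SECRET")
            ?? throw new InvalidOperationException("APP_CLIENT_SECRET is not set");

        string cs = BuildServicePrincipalConnectionString(
            "demo.database.windows.net",            // placeholder server
            "testdb",                               // placeholder database
            "00000000-0000-0000-0000-000000000000", // placeholder application (client) ID
            secret);

        Console.WriteLine($"Connected as: {WhoAmI(cs)}");
    }
}
```

Run the ProvisionSql statements once as the server's Azure AD admin against the target database, then run the program with APP_CLIENT_SECRET set; if SUSER_SNAME() comes back as the app's name, the principal is wired up correctly and the remaining work is narrowing the database role to what the application needs.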