SSMS和Active Directory身份验证不适用于Azure SQL和非Azure SQL
[英]SSMS and Active Directory Authentication doesn't work with Azure SQL and non-Azure SQL
问题描述
So we have Azure AD synced with our on-premise domain. 
因此,我们已将Azure AD与内部部署域同步。 We have an Azure SQL Server configured with the active directory admin. 我们有一个使用活动目录admin配置的Azure SQL Server。 We also have a non Azure SQL server running on a virtual machine in Azure that is domain joined to this same domain. 我们也有一个非Azure SQL服务器在Azure的虚拟机上运行,该虚拟机已加入该域。 The following are the results of using the various authentication mechanisms offered by SQL Management Studio (SSMS). 以下是使用SQL Management Studio(SSMS)提供的各种身份验证机制的结果。 Can someone explain why the failures occur with the various options that should be supported? 有人可以用各种应支持的选项解释为什么会发生故障吗?
Facts about environment: 关于环境的事实:
- Passthrough authentication is the sign-in method configured on AD Connect 传递身份验证是在AD Connect上配置的登录方法
- Password hash sync is also enabled so password hashes are stored in Azure AD 还启用了密码哈希同步,因此密码哈希存储在Azure AD中
- Azure SQL is configured with Active Directory admin 使用Active Directory管理员配置Azure SQL
- Latest version of SSMS was downloaded when performing these test 执行这些测试时,下载了最新版本的SSMS
- On premise account was used to test all scenarios 使用内部帐户测试所有方案
Domain joined client connecting to Azure SQL from SSMS 域加入客户端从SSMS连接到Azure SQL
- Active Directory Password (PASS) Active Directory密码(PASS)
- Active Directory Universal (PASS) Active Directory通用(PASS)
- Windows Integrated (FAIL - not supported by Azure SQL) Windows集成(失败-Azure SQL不支持)
- Active Directory Integrated (FAIL – see error below) 集成Active Directory(失败-参见下面的错误)
Failure when client is standard domain joined client 客户端是标准域加入客户端时失败
Failure when client is Azure domain joined client 客户端为Azure域加入客户端时失败
Domain joined client connecting to non-Azure SQL hosted on same domain 已加入域的客户端连接到同一域上托管的非Azure SQL
- Active Directory Integrated (PASS) Active Directory集成(PASS)
- Windows Integrated (PASS) Windows集成(PASS)
- Active Directory Password (FAIL – Login failed for user '') Active Directory密码(失败-用户“”登录失败)
- Active Directory Universal (FAIL – Login failed for user '') Active Directory通用(失败-用户“”登录失败)
2 个解决方案
解决方案1
0 2018-11-09 22:12:27
This issue may be related with the AD Syncing options. 此问题可能与“ AD同步”选项有关。 Verify in your environment that AD is not syncing passwords into the tenant. 在您的环境中验证AD是否未将密码同步到租户中。 This prevents AD Integration Authentication and AD Password Authentication. 这样可以防止AD集成身份验证和AD密码身份验证。 The only authentication that works on these cases is AD Universal Authentication, as your test shows. 如测试所示,在这些情况下唯一适用的身份验证是AD通用身份验证。
解决方案2
0 2018-11-09 22:29:25
It looks to me that his is an ADAL problem (WSTrust) related to network configuration. 在我看来,他是与网络配置有关的ADAL问题(WSTrust)。 Please create a support case and work with the support team to solve this problem 请创建一个支持案例并与支持团队一起解决此问题
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.