
Integrated Authentication From VM-based AD into Azure SQL DB

I'm looking for some guidance on an issue I'm trying to solve. Right now, our web.config connection string contains plain-text password and username. Due to compliance reasons, we must remove those plain-text credentials and substitute them with integrated authentication. In the past, this was done by subbing the plain-text creds with 'trusted_connection=yes'.

Further clarification on our setup - We're in the process of migrating to Azure. The setup looks like this: we have a pair of VM's running Active Directory, our web VM is running standard IIS, and that's talking to Azure SQL DB. Unfortunately, we cannot move to Azure AD, as we have other requirements that require that to remain. Any help or ideas would be appreciated. Thank you in advance!

tl;dr - How can we get plain-text credentials out of the web.config file in an environment that has VM-based AD and Azure SQL DB?

  • Web.config file is on windows server 2016 running IIS
  • AD is on pair of 2016 VMs
  • Azure SQL DB is PaaS

Web.config:

<add key="Persist Security Info=False;User ID=XXXXX;Password=XXXXXX;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;" />

<add key="Persist Security Info=False;trusted_connection=yes;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;" />


The right way to do this in Azure is to provision a Managed Service Identity for your VM, and use that identity to acquire an Access Token for SQL Server. You can follow the tutorial here.

In this scenario your connection string doesn't need any security information. Just something like:

"Data Source = someInstance.database.windows.net; Initial Catalog = someDatabase;Connection Timeout=30;" 

Alternatively, you can use the MSI to access the Azure Key Vault and retrieve the SQL Auth credentials to connect, instead of storing them in your Config File, per the tutorial here.
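Both approaches from the answer (managed identity token for the SQL connection, and managed identity used to read SQL Auth credentials from Key Vault) in one worked example. This is added illustration code, not code from the question, the answer, or Microsoft's tutorials. It assumes the web VM has a system-assigned managed identity, that the identity has been added to the database as a contained user (`CREATE USER [vm-name] FROM EXTERNAL PROVIDER` plus a role grant), and that the NuGet packages Azure.Identity, Azure.Security.KeyVault.Secrets and Microsoft.Data.SqlClient are referenced. The server, database, vault and secret names are placeholders.

```csharp
// Added example (not from the question or answer): connecting an ASP.NET app
// on a domain-joined Azure VM to Azure SQL Database with no credential in
// web.config. Assumes a system-assigned managed identity on the VM, a contained
// database user created for it, and the Azure.Identity,
// Azure.Security.KeyVault.Secrets and Microsoft.Data.SqlClient packages.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class AzureSqlConnections
{
    // The connection string carries no secret: server and database only
    // (placeholder names, as in the answer above).
    private const string BaseConnectionString =
        "Data Source=someInstance.database.windows.net;Initial Catalog=someDatabase;" +
        "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;";

    // Option 1: managed identity -> Azure AD access token -> SqlConnection.AccessToken.
    public static async Task<SqlConnection> OpenWithManagedIdentityAsync(CancellationToken ct = default)
    {
        // ManagedIdentityCredential obtains the token from the VM's Instance
        // Metadata Service endpoint; no password or secret is ever handled.
        var credential = new ManagedIdentityCredential();

        // The Azure SQL resource is https://database.windows.net/, expressed as a scope.
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }), ct);

        var conn = new SqlConnection(BaseConnectionString) { AccessToken = token.Token };
        await conn.OpenAsync(ct);
        return conn;
    }

    // Option 1b: same result, but Microsoft.Data.SqlClient acquires the token itself
    // via the "Authentication" keyword, so no token-handling code is needed.
    public static SqlConnection OpenWithManagedIdentityKeyword()
    {
        var conn = new SqlConnection(
            BaseConnectionString + "Authentication=Active Directory Managed Identity;");
        conn.Open();
        return conn;
    }

    // Option 2: managed identity -> Key Vault -> SQL Auth user/password at runtime.
    // The password exists only in process memory, never in web.config.
    public static async Task<SqlConnection> OpenWithKeyVaultSecretAsync(CancellationToken ct = default)
    {
        var secretClient = new SecretClient(
            new Uri("https://example-vault.vault.azure.net/"), // placeholder vault URI
            new ManagedIdentityCredential());

        // Placeholder secret names; the identity needs only "get" permission on them.
        KeyVaultSecret user = await secretClient.GetSecretAsync("sql-user", cancellationToken: ct);
        KeyVaultSecret password = await secretClient.GetSecretAsync("sql-password", cancellationToken: ct);

        // Build the full string with a builder rather than string concatenation,
        // so a secret containing ';' or '=' cannot alter other keywords.
        var builder = new SqlConnectionStringBuilder(BaseConnectionString)
        {
            UserID = user.Value,
            Password = password.Value,
        };

        var conn = new SqlConnection(builder.ConnectionString);
        await conn.OpenAsync(ct);
        return conn;
    }
}
```

Option 1 is the one to prefer when the compliance goal is "no stored credential anywhere": there is no password to rotate, and access is revoked by dropping the database user. One caveat that matters for an IIS host: a VM's managed identity is exposed to every process on that VM through the metadata endpoint, not just the application pool, so a compromise of any local process yields the same database access. Keep the database permissions of that identity to the minimum the site needs, and audit the identity's sign-ins in Azure AD like any other principal.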

You can also try to configure your App Pool to run under a domain account configured for Seamless Signon with AAD, just like you should be accessing Azure SQL Database when logged into a Domain-joined workstation. But there's a lot of potential complexity in that path.
