Azure App Service can't access SQL Server - Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

Question

I have an app service in Azure operating as an API for a system I'm designing. As the API is responsible for accessing the database directly, I obviously don't want to be storing connection strings containing credentials anywhere if possible, so am looking to use Managed Identities to grant the App Service access to the database (also hosted on Azure).

Within the Azure portal, I've enabled System-Assigned Identity within the Settings section of the App Service, then given the service the role of owner of the SQL Server via SQL Server -> Access Control -> Role Assignments-> Add.

As I understand it, Active Directory Users shouldn't even come into this as they are user-assigned identities rather than system-assigned identities, and take more setting up (or storing their credentials in the connection string).

As for the code, it's pretty much a carbon copy of this >> https://github.com/medhatelmasry/JwtAuthentication , the only differences being that I've added

services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();

to the end of the ConfigureServices method within Startup.cs , and added the below to the constructor of ApplicationDbContext as per Microsoft's instructions:

var conn = (System.Data.SqlClient.SqlConnection)Database.GetDbConnection();

conn.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;

When attempting to run this service in Azure, however, I get an exception when calling services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate(); :

Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'

I've tried StackOverflow, MSDN, Azure Help, Pluralsight and whatever random forums turn up from Google, and not managed to find an answer on any of them. I've only just got through a whole week of staying up until stupid o'clock every day trying to fix connection string configurations only to find Azure was changing the name of the connection string parameter that I was giving it and not saying a word about it (and nothing in any Microsoft documentation about it either).

Azure is becoming a serious pain in my ass, I haven't even started adding endpoints to the API yet, let alone creating an actual application to use it, this is ridiculous.

Answer 1

Eventually found the answer here >> https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql#create-a-contained-user-in-the-database-that-represents-the-vms-system-assigned-identity

The App Service was indeed set as an owner of the server , but hadn't had a user provisioned on the database , so my problem was resolved by logging into the database via SSMS and running:

CREATE USER [My App Service Name] FROM EXTERNAL PROVIDER

then:

ALTER ROLE db_owner ADD MEMBER [My App Service Name]

However, I removed the ownership role of the App Service on the server's Access Control (IAM) page, and am still able to connect successfully, not sure why that is but this is probably just a lack of SQL user knowledge on my part. It actually suits me as at the moment my App Service has a provisioned SQL user with db_owner role assigned on the database itself, but not on the overall server.

Answer 2

From my understanding you have to go through the prerequisite process of creating, enabling and allowing Azure AD users and also setting SQL Admin to an Azure AD user.

There's a pretty comprehensive guide here including creating, accessing and using tokens for Managed Identities Tutorial: Secure Azure SQL Database connection from App Service using a managed identity