Customers using SQL Managed Instances with Kerberos token-based authentication encountered failures when Conditional Access (CA) location policies were applied. The only workaround was to exclude Azure SQL Managed Instances (SQL MI) from CA location policies, which was not a viable solution from a security perspective. This situation forced customers to either block the use of SQL MI Kerberos or exclude Azure SQL MI from CA policies, compromising their security.
We implemented a solution where the Kerberos ticket records the client IP and sends it back encrypted to the user's client machine. When the client sends an authentication request to SQL MI, SQL MI sends an OBO (On-Behalf-Of) request, which exchanges the Kerberos ticket for an AAD token (JWT). This process takes the client IP from the Kerberos ticket and uses it in place of the SQL MI IP that the OBO request originates from. The CA policy is therefore evaluated against the correct IP address, ensuring seamless authentication.
We resolved the issue for scenarios where location-based CA policies are present, specifically when the client machine is in an allowed location, but the SQL MI is in a non-allowed location.
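The following is an added simulation of the flow described above, not Microsoft's code or the actual Entra/SQL MI implementation: a simplified ticket carries the recorded client IP, the OBO exchange chooses which IP the location-based CA policy is evaluated against, and the "before" and "after" behaviours are compared for a client in an allowed location and a SQL MI in a non-allowed one. The named locations, IP ranges, principal names and the fallback for a ticket without a recorded IP are all constructed assumptions.

```python
"""Simulated location-based Conditional Access (CA) check during an OBO exchange.
Constructed model for illustration; not Microsoft's implementation. Names, fields
and IP ranges are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed named locations and policy (assumed values, documentation ranges).
NAMED_LOCATIONS = {
    "corp-office": ["203.0.113.0/24"],
}
CA_POLICY = {"resource": "sql-mi", "allowed_locations": ["corp-office"]}


@dataclass
class KerberosTicket:
    """Simplified ticket; `client_ip` models the client IP recorded in the ticket."""
    principal: str
    client_ip: Optional[str] = None  # None models a ticket without a recorded IP


@dataclass
class OboRequest:
    """The request SQL MI sends to exchange the ticket for a JWT."""
    ticket: KerberosTicket
    source_ip: str  # network source of the OBO call, i.e. the SQL MI's own IP


def ip_in_named_location(ip: str, location: str) -> bool:
    """True if `ip` falls inside any CIDR range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS[location])


def ca_allows(ip: str, policy: dict = CA_POLICY) -> bool:
    """Location-based CA check: grant only if the IP is inside an allowed location."""
    return any(ip_in_named_location(ip, loc) for loc in policy["allowed_locations"])


def obo_exchange(req: OboRequest, use_recorded_client_ip: bool) -> dict:
    """Exchange the ticket for a simulated JWT, evaluating CA against the chosen IP.

    use_recorded_client_ip=False models the original behaviour (CA sees the SQL MI IP);
    True models the fix (CA sees the client IP carried in the ticket). A ticket with
    no recorded IP falls back to the request source (an assumption of this model)."""
    if use_recorded_client_ip and req.ticket.client_ip is not None:
        evaluated_ip = req.ticket.client_ip
    else:
        evaluated_ip = req.source_ip
    granted = ca_allows(evaluated_ip)
    token = {"sub": req.ticket.principal, "aud": CA_POLICY["resource"]} if granted else None
    return {"evaluated_ip": evaluated_ip, "granted": granted, "token": token}


def demo() -> dict:
    """Client in an allowed location, SQL MI in a non-allowed location (constructed)."""
    ticket = KerberosTicket(principal="alice@corp.example", client_ip="203.0.113.10")
    req = OboRequest(ticket=ticket, source_ip="198.51.100.5")  # SQL MI address, not allowed
    return {
        "before_fix": obo_exchange(req, use_recorded_client_ip=False),
        "after_fix": obo_exchange(req, use_recorded_client_ip=True),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: evaluated {result['evaluated_ip']} -> granted={result['granted']}")
```

Running the block shows the OBO call being denied when the policy sees the SQL MI address and granted when it sees the recorded client address; the fallback branch illustrates why a ticket that does not carry the client IP still fails the location check.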
This solution addressed the compatibility issue between Microsoft Entra Kerberos and Entra location-based Conditional Access policies. It ensures that customers can use Kerberos token-based authentication for SQL Managed Instances without compromising their security policies.