Windows Authentication for Azure AD principals for SQL Managed Instance is now Generally Available

Copper Contributor

Oct 27, 2022

What are the troubleshooting steps for getting this working? I have worked with my Infrastructure team to perform the Incoming trust steps. However, when I try to login to MI from SSMS I get the following:

TITLE: Connect to Server
------------------------------

Cannot connect to .database.windows.net.

------------------------------
ADDITIONAL INFORMATION:

Login failed for user '<token-identified principal>'. (Microsoft SQL Server, Error: 18456)

For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-18456-database-engine-error

------------------------------
BUTTONS:

OK
------------------------------

I ran the klist command and show the following:

#4>     Client: admin
        Server: krbtgt/KERBEROS.MICROSOFTONLINE.COM @ T.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 10/27/2022 16:58:07 (local)
        End Time:   10/28/2022 2:58:07 (local)
        Renew Time: 11/3/2022 14:14:33 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: 01.t.com

#5>     Client: admin
        Server: MSSQLSvc/a.database.windows.net:1433 @ KERBEROS.MICROSOFTONLINE.COM
        KerbTicket Encryption Type: Unknown (-1)
        Ticket Flags 0x40200000 -> forwardable pre_authent
        Start Time: 10/27/2022 16:55:56 (local)
        End Time:   10/27/2022 17:55:56 (local)
        Renew Time: 0
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called:

I am not sure if KDC is being blocked by firewalls or not.

NikoNeugebauer

Blog Post

Windows Authentication for Azure AD principals for SQL Managed Instance is now Generally Available