We are excited to announce the General Availability of Active Directory Connector (ADC) for Arc-enabled SQL Managed Instance.
Active Directory Connector Overview
Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication.
To facilitate this, Azure Arc-enabled data services introduce a new Kubernetes-native Custom Resource Definition (CRD) called Active Directory Connector. It provides Azure Arc-enabled SQL Managed Instances running on the same data controller the ability to perform Active Directory authentication.
To enable Active Directory authentication for SQL Server on Linux and Linux containers, use a keytab file. The keytab file is a cryptographic file containing service principal names (SPNs), account names, and hostnames. SQL Server uses the key tab file for authenticating itself to the Active Directory (AD) domain and authenticating its clients using Active Directory (AD).
Active Directory Integration Modes
Active Directory Connector for Arc-enabled SQL Managed Instance allows deployment in two integration modes:
- Customer-managed keytab
- System-managed keytab
Customer-managed keytab |
System-managed keytab |
|
Use cases | Small and medium size businesses who are familiar with managing Active Directory objects and want flexibility in their automation process. | All sizes of businesses - seeking highly automated Active Directory management experience. |
User provides | An Active Directory account and SPNs under that account, and a keytab file for Active Directory authentication. | An Organizational Unit (OU) and a domain service account have sufficient permissions on that OU in Active Directory. |
Characteristics | User managed. Users bring the Active Directory account, which impersonates the identity of the managed instance and the keytab file. | System managed. The system creates a domain service account for each managed instance and sets SPNs automatically on that account. It also creates and delivers a keytab file to the managed instance. |
Deployment process |
1. Deploy data controller. 5. Deploy SQL Managed Instance. |
1. Deploy data controller. 2. Deploy Active Directory connector. |
Manageability | You can create the keytab file by following the instructions from Active Directory utility (adutil). Manual keytab rotation. | Managed keytab rotation. |
Limitations | We do not recommend sharing keytab files among services. Each service should have a specific keytab file. As the number of keytab files increases the level of effort and complexity increases. | Managed keytab generation and rotation. The service account will require sufficient permissions in Active Directory to manage the credentials. Distributed Availability Group is not supported. |
Get started today with an Active Directory Connector deployment using the az CLI, or Azure Portal.
Mikhail Almeida
Product Manager at Microsoft, Azure Data