Blog Post

Azure Arc Blog
2 MIN READ

Active Directory Connector (ADC) for Arc-enabled SQL Managed Instance is now generally available!

mikhailalmeida's avatar
Oct 13, 2022

We are excited to announce the General Availability of Active Directory Connector (ADC) for Arc-enabled SQL Managed Instance.

 

Active Directory Connector Overview

Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication.

 

To facilitate this, Azure Arc-enabled data services introduce a new Kubernetes-native Custom Resource Definition (CRD) called Active Directory Connector. It provides Azure Arc-enabled SQL Managed Instances running on the same data controller the ability to perform Active Directory authentication.


To enable Active Directory authentication for SQL Server on Linux and Linux containers, use a keytab file. The keytab file is a cryptographic file containing service principal names (SPNs), account names, and hostnames. SQL Server uses the key tab file for authenticating itself to the Active Directory (AD) domain and authenticating its clients using Active Directory (AD).

 

 

 


Active Directory Integration Modes

Active Directory Connector for Arc-enabled SQL Managed Instance allows deployment in two integration modes:

  • Customer-managed keytab
  • System-managed keytab

 

 

Customer-managed keytab

System-managed keytab

Use cases Small and medium size businesses who are familiar with managing Active Directory objects and want flexibility in their automation process. All sizes of businesses - seeking highly automated Active Directory management experience.
User provides An Active Directory account and SPNs under that account, and a keytab file for Active Directory authentication. An Organizational Unit (OU) and a domain service account have sufficient permissions on that OU in Active Directory.
Characteristics User managed. Users bring the Active Directory account, which impersonates the identity of the managed instance and the keytab file. System managed. The system creates a domain service account for each managed instance and sets SPNs automatically on that account. It also creates and delivers a keytab file to the managed instance.
Deployment process

1. Deploy data controller.
2. Create keytab file.
3. Set up keytab information to Kubernetes secret.
4. Deploy Active Directory connector.

5. Deploy SQL Managed Instance.

For more information, see Deploy a customer-managed keytab Active Directory connector

1. Deploy data controller.

2. Deploy Active Directory connector.
3. Deploy SQL Managed Instance.

For more information, see Deploy a system-managed keytab Active Directory connector

Manageability You can create the keytab file by following the instructions from Active Directory utility (adutil). Manual keytab rotation. Managed keytab rotation.
Limitations We do not recommend sharing keytab files among services. Each service should have a specific keytab file. As the number of keytab files increases the level of effort and complexity increases. Managed keytab generation and rotation. The service account will require sufficient permissions in Active Directory to manage the credentials.

Distributed Availability Group is not supported.

 

Get started today with an Active Directory Connector deployment using the az CLI, or Azure Portal.

 

Mikhail Almeida

Product Manager at Microsoft, Azure Data

Updated Oct 13, 2022
Version 1.0
  • Great addition to already a great product 🙂 and much needed one at that 🙂

     

    Thanks for sharing!!!

     

    Happy Azure Stacking!!! 🙂