Lesson Learned #293: Common errors connecting to Azure SQL DB using Azure Active Directory
Published Jan 19 2023 10:09 AM 3,487 Views

In some situations, as described in the article Additional Endpoints Required for AAD Authentication and CRL Checks for Azure SQL DB - Microsoft Com..., we face connectivity problems reaching the different AAD endpoints, or outbound port 443 is not open.

I would like to share my lessons learned about this issue, organized by error code and message:

  • Unable to acquire authorization token: No connection could be made because the target machine actively refused it x.x.x.x:443
    • The service located on port 443 is not responding, or a firewall is blocking port 443 or the IP.
  • Unable to acquire authorization token: An attempt was made to access a socket in a way forbidden by its access permissions x.x.x.x:443
    • A firewall is blocking port 443 or the IP.
  • Unable to acquire authorization token: Object reference not set to an instance of an object.
    • The service located on port 443 is not responding, or a firewall is blocking port 443 or the IP.
  • Error code 0xA190; state 41360 - The requested URL was rejected. SAML token not found in response.
    • A proxy server or firewall is rejecting access to one of the AAD endpoints that is needed.
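
The three "Unable to acquire authorization token" messages above are different OS socket errors surfacing through the driver, and telling them apart is the fastest way to decide whether the problem is the endpoint, a local policy, or a network firewall. The script below is an added example, not part of the original post or of any Microsoft tool: it performs a plain TCP connect to each endpoint and classifies the failure the same way the list does (refused vs. forbidden by access permissions vs. silently dropped). The AAD host names are assumptions taken from general Azure documentation rather than from this post, `<server>` is a placeholder for your own Azure SQL server, and `demo_local_probes()` exercises the classifier offline against constructed local conditions so the behaviour can be checked without network access.

```python
import errno
import socket

# Endpoints to probe. The post talks about AAD endpoints on TCP 443 and the Azure
# SQL gateway; these host names are assumptions from general Azure documentation,
# not from the post. Replace the <server> placeholder with your own server name.
DEFAULT_ENDPOINTS = [
    ("login.microsoftonline.com", 443),       # AAD token endpoint (assumption)
    ("login.windows.net", 443),               # legacy AAD endpoint (assumption)
    ("<server>.database.windows.net", 1433),  # placeholder: your Azure SQL server
]


def probe_endpoint(host, port, timeout=3.0):
    """Attempt one TCP connect and map the OS error onto the causes in the post."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        # Name did not resolve: DNS problem, or the network only allows proxied egress.
        return "dns-failure"
    except ConnectionRefusedError:
        # "No connection could be made because the target machine actively refused it":
        # nothing is listening on the port, or a firewall answers with a TCP reset.
        return "refused"
    except PermissionError:
        # "An attempt was made to access a socket in a way forbidden by its access
        # permissions": a local firewall or socket policy (WSAEACCES on Windows).
        return "blocked-by-policy"
    except (socket.timeout, TimeoutError):
        # Silently dropped packets: typically a network firewall or NSG rule.
        return "timeout"
    except OSError as exc:
        return "error:" + str(errno.errorcode.get(exc.errno, exc.errno))


def diagnose(endpoints=DEFAULT_ENDPOINTS, timeout=3.0):
    """Probe every endpoint and return {"host:port": classification}."""
    return {"%s:%d" % (h, p): probe_endpoint(h, p, timeout) for h, p in endpoints}


def demo_local_probes():
    """Offline check of the classifier against constructed local conditions."""
    results = {}
    # A listening socket on an ephemeral loopback port must classify as "ok".
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    results["open"] = probe_endpoint("127.0.0.1", open_port, timeout=2.0)
    listener.close()
    # The same port with nothing listening must classify as "refused".
    results["closed"] = probe_endpoint("127.0.0.1", open_port, timeout=2.0)
    # The reserved .invalid TLD never resolves, so this must be "dns-failure".
    results["bad_dns"] = probe_endpoint("nonexistent-host.invalid", 443, timeout=2.0)
    return results


if __name__ == "__main__":
    for target, status in diagnose().items():
        print("%-45s %s" % (target, status))
```

Run it from the machine that hosts the application, not from your workstation: the point of the check is to see the egress rules that apply to the client. A "timeout" on login.microsoftonline.com with "ok" on the SQL gateway is the usual signature of a firewall that allows 1433 but not 443, which matches the first three errors in the list.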

Also, in some cases, we could 

  • If the domain of the user (for example, the domain part of username@domain.com) is not found or is invalid:
    • Error code 0xCAA90018; state 10 - Could not discover a user realm.
  • If the domain doesn't exist:
    • Error code 0xCAA9003B; state 10 - ADAL received an empty response from the server during a WIA flow and could not continue.
  • If the user doesn't exist in the specified domain:
    • Error code 0xCAA20003; state 10 - ID3242: The security token could not be authenticated or authorized.
  • If your Azure Active Directory administrator only allows connections with MFA:
    • Error code 0xCAA2000C; state 10 - AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '022907d3-0f1b-48f7-badc-1ba6abab6d66'.

Enjoy!

Version history
Last update: Feb 07 2023 02:06 AM