Issue:
All attempts to connect with an Azure Active Directory account fail with a timeout error.
For example, you may see the following message in SQL Server 2016 Management Studio:
===================================
Cannot connect to your_server_name.database.windows.net.
===================================
Failed to authenticate the user aad_user_name@yourcompany.onmicrosoft.com in Active Directory (Authentication=ActiveDirectoryPassword).
Error code 0xCAA82EE2; state 10
The request has timed out. (.Net SqlClient Data Provider)
------------------------------
Server Name: your_server_name.database.windows.net
Error Number: 0
Severity: 11
State: 0
Procedure: ADALGetAccessToken
Solution:
In addition to outgoing port 1433, you need to open your proxy or firewall for additional URLs or IP ranges. The full list is described in the following article:
Troubleshoot connectivity issues with Azure AD Connect
This article explains how connectivity between Azure AD Connect and Azure AD works and how to troubleshoot connectivity issues. These issues are most likely to be seen in an environment with a proxy server.
(...)
The proxy server must also have the required URLs opened. The official list is documented in Office 365 URLs and IP address ranges.
Of these, the following table is the absolute bare minimum to be able to connect to Azure AD at all. This list does not include any optional features, such as password writeback, or Azure AD Connect Health. It is documented here to help in troubleshooting for the initial configuration.
In this list, "CRL" refers to the Certificate Revocation List and "MFA" to Multi-Factor Authentication. To resolve the immediate ADAL error from above, you need to open *.windows.net; this should allow you to connect. We recommend opening the other URLs as well to provide for the security features and basic configuration options. If you need additional features, you may have to add further URLs as described in Office 365 URLs and IP address ranges.
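To confirm from the client machine which of the two paths is blocked, the following PowerShell check (an added example, not part of the original article) tests TCP 1433 to the SQL endpoint and HTTPS 443 to an Azure AD endpoint. The server name is the placeholder from the error message, login.windows.net is assumed here as a representative host under *.windows.net, and the function names are illustrative.

```powershell
# Added example; not part of the original article.
$SqlServer = 'your_server_name.database.windows.net'  # placeholder from the error text
$AadHost   = 'login.windows.net'                      # assumed host under *.windows.net

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timed out' }
        $client.EndConnect($pending)   # throws on DNS failure or refused connection
        return 'open'
    } catch {
        return "failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

function Test-HttpsEndpoint {
    param([string]$HostName, [int]$TimeoutSec = 15)
    $uri   = [Uri]"https://$HostName/"
    # Resolve which proxy, if any, the system settings select for this URL.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($uri)
    $via   = if (-not $proxy -or $proxy.AbsoluteUri -eq $uri.AbsoluteUri) { 'direct' } else { "via $proxy" }
    try {
        # Do not follow redirects: only this host's own answer is of interest.
        $reply  = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec `
                      -MaximumRedirection 0 -ErrorAction SilentlyContinue
        $status = [int]$reply.StatusCode
    } catch {
        $response = $_.Exception.Response
        if (-not $response) { return "no response ($via): $($_.Exception.Message)" }
        $status = [int]$response.StatusCode
    }
    if ($status -eq 407) { return "proxy demands authentication ($via)" }
    # Any other status means an HTTP answer came back; a 403 may be the proxy's own block page.
    return "reachable ($via), HTTP $status"
}

[pscustomobject]@{ Check = "TCP 1433 to $SqlServer"; Result = Test-TcpPort $SqlServer 1433 }
[pscustomobject]@{ Check = "HTTPS 443 to $AadHost";  Result = Test-HttpsEndpoint $AadHost }
```

An open port 1433 combined with "no response" on the HTTPS check matches the failure described above: the SQL endpoint is reachable, but the token request made by ADALGetAccessToken cannot leave the network.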