Access IMDS server or Active Directory MSI method to onprem machine which is joined Azure AD


We want to use AzureSqlServer with ActiveDirectoryMSI authentication as well as token-based authentication, and we are able to execute successfully from a VM created in the Azure network and added as a member of the Azure AD group. For that, we have created a contained user by following the link

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-...

And added the VM as part of AzureActiveDirectory by following this link

com.microsoft.sqlserver.jdbc.SQLServerException: MSI Token failure: Failed to acquire token from MSI...

And we are able to access the SQL data without providing a username and password, using both the IMDS server (we are able to retrieve the token using http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2F...)

and

the ActiveDirectoryMSI URI string jdbc:sqlserver://azuresqlserverNAME:1433;databaseName=DatabaseNAME;Authentication=ActiveDirectoryMsi;

But when it comes to accessing it from an on-prem Windows/Linux/Mac machine (joined as a device and made part of the Azure AD group, where the group is set as admin for the Azure SQL server), we are not able to access the Azure SQL server.
We are not even able to access the IMDS server: when I tried executing the Java code which does Active Directory MSI, it failed, saying "invoke-WebRequest : unable to connect remote" from PowerShell and "com.microsoft.sqlserver.jdbc.SQLServerException: Failed to aquire access token from IMDS, Unexpected error occured" from the Java code using authentication ActiveDirectoryMSI in the JDBC URI.

Can someone please suggest to me in terms of on-prem what needs to be done so we can access AzureSqlServer with ActiveDirectoryMSI Authentication as well as token-based authentication?

0 Replies
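As an added example (not code from the original post or from the JDBC driver), a Python script that builds the IMDS token request described in the post with the mandatory Metadata: true header, probes whether IMDS is reachable at all (169.254.169.254 is a link-local endpoint that exists only inside an Azure VM, which is why an on-prem client gets "unable to connect"), and checks the audience and expiry of a returned token before a SQL client would use it. SQL_RESOURCE, the probe timeout and the constructed sample response are assumptions.

```python
import base64
import json
import socket
import time
import urllib.parse
import urllib.request

IMDS_HOST = "169.254.169.254"            # link-local; exists only inside Azure VMs
IMDS_TOKEN_URL = f"http://{IMDS_HOST}/metadata/identity/oauth2/token"
SQL_RESOURCE = "https://database.windows.net/"   # assumed audience for Azure SQL


def imds_request(resource=SQL_RESOURCE, api_version="2018-02-01"):
    """Build the token request. 'Metadata: true' is mandatory: IMDS rejects
    requests without it so a plain URL fetch through a proxy cannot mint tokens."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def imds_reachable(timeout=1.0):
    """True only on an Azure VM; on-prem there is no IMDS, so the connect fails."""
    try:
        with socket.create_connection((IMDS_HOST, 80), timeout=timeout):
            return True
    except OSError:
        return False


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (local inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_token(response_json, resource=SQL_RESOURCE, now=None):
    """Validate an IMDS reply: audience must be the SQL resource, token not expired."""
    body = json.loads(response_json)
    token = body.get("access_token")
    if not token:
        return False, "no access_token in IMDS response"
    aud = jwt_claims(token).get("aud")
    if aud != resource:
        return False, f"audience {aud!r} is not {resource!r}"
    if int(body.get("expires_on", 0)) <= (time.time() if now is None else now):
        return False, "token already expired"
    return True, "token ok"


def sample_imds_response(aud, expires_on):
    """CONSTRUCTED sample: an unsigned JWT shaped like an IMDS reply, for offline tests."""
    def seg(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = f"{seg({'alg': 'none'})}.{seg({'aud': aud, 'iss': 'constructed'})}."
    return json.dumps({"access_token": token, "expires_on": str(expires_on), "token_type": "Bearer"})
```

On a real Azure VM, urllib.request.urlopen(imds_request()).read() returns the JSON that check_token expects; on-prem, imds_reachable() is False and there is no token to check.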