Problem description
We want to use Azure SQL Server with ActiveDirectoryMSI authentication as well as token-based authentication, and we are able to execute successfully from a VM created in the Azure network and added as a member of the Azure AD group. For that, we have created a contained user by following the link
and added the VM as part of Azure Active Directory by following this link.
com.microsoft.sqlserver.jdbc.SQLServerException: MSI token failure: failed to acquire a token from the MSI endpoint
And we are able to access the SQL data without providing a username and password, using both the IMDS server (we are able to retrieve the token using http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F)
and
the ActiveDirectoryMSI URI string jdbc:sqlserver://azuresqlserverNAME:1433;databaseName=DatabaseNAME;Authentication=ActiveDirectoryMsi;
But when it comes to access from an on-prem Windows/Linux/Mac machine, we are not able to access Azure SQL Server.
Can someone please suggest what needs to be done on-prem so that we can access Azure SQL Server with ActiveDirectoryMSI authentication as well as token-based authentication?
Recommended answer
According to my test, if you want to connect to Azure SQL from an on-premises machine, please refer to the following steps.
- Create a service principal
az ad sp create-for-rbac -n 'name' --skip-assignment
- Set environment variables. Please set the following variables as environment variables:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_SECRET: one of the service principal's client secrets
- SDK
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.0.7</version>
</dependency>
<dependency>
    <groupId>com.microsoft.sqlserver</groupId>
    <artifactId>mssql-jdbc</artifactId>
    <version>8.2.2.jre8</version>
</dependency>
- Code
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

public class App {
    public static void main(String[] args) throws SQLException {
        AccessToken token = GetAccessToken();
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName("<>.database.windows.net"); // Replace with your server name.
        ds.setDatabaseName("demo"); // Replace with your database name.
        ds.setAccessToken(token.getToken()); // Token-based authentication: no user name or password.
        try (Connection connection = ds.getConnection();
             Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery("SELECT SUSER_SNAME()")) {
            if (rs.next()) {
                System.out.println("You have successfully logged on as: " + rs.getString(1));
            }
        }
    }

    public static AccessToken GetAccessToken() {
        // DefaultAzureCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET
        // from the environment and authenticates as the service principal.
        DefaultAzureCredential creds = new DefaultAzureCredentialBuilder().build();
        TokenRequestContext request = new TokenRequestContext();
        // Azure SQL resource URI followed by "/.default" (the double slash is intentional).
        request.addScopes("https://database.windows.net//.default");
        return creds.getToken(request).block();
    }
}
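The answer above replaces the VM's managed identity with a service principal whose credentials DefaultAzureCredential reads from AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET; the managed-identity path cannot work on-prem because the IMDS endpoint 169.254.169.254 only exists inside an Azure VM. The following Python script is an added example, not code from the question or the answer. It shows two checks worth running before handing a token to the driver: that the three variables are actually set (otherwise DefaultAzureCredential falls through to its other sources, including the unreachable IMDS endpoint, and fails late), and that the token's aud claim is Azure SQL's resource (https://database.windows.net/, the resource in the question's IMDS URL) and that it has not expired. The JWT built by make_test_token is constructed, unsigned test data, and all function names are my own.

```python
import base64
import json
import os
import time

# Scope used by the answer's Java code: Azure SQL's resource URI plus "/.default".
AZURE_SQL_SCOPE = "https://database.windows.net//.default"
# Audience Azure SQL expects in the token (assumed from the question's resource parameter).
AZURE_SQL_AUDIENCE = "https://database.windows.net/"
# Variables DefaultAzureCredential reads for service-principal authentication.
REQUIRED_ENV = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def missing_service_principal_vars(env=None):
    """Return the names of the service-principal variables that are unset or empty."""
    env = os.environ if env is None else env
    return [name for name in REQUIRED_ENV if not env.get(name)]


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Azure SQL verifies the signature on its side; this is only a local sanity check
    so that a wrong-audience or stale token is caught before a connection attempt.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_sql_token(token, now=None):
    """Return a list of problems that would make Azure SQL reject the token."""
    now = time.time() if now is None else now
    problems = []
    claims = token_claims(token)
    aud = str(claims.get("aud", ""))
    # Accept the audience with or without the trailing slash.
    if aud.rstrip("/") != AZURE_SQL_AUDIENCE.rstrip("/"):
        problems.append(f"audience is {aud!r}, expected {AZURE_SQL_AUDIENCE!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("token has no exp claim")
    elif exp <= now:
        problems.append("token is expired")
    return problems


def make_test_token(claims):
    """Build an UNSIGNED JWT from constructed claims for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    missing = missing_service_principal_vars()
    if missing:
        print("service principal not configured; unset:", ", ".join(missing))
    # Constructed sample tokens: one usable for Azure SQL, one issued for another resource.
    good = make_test_token({"aud": AZURE_SQL_AUDIENCE, "exp": int(time.time()) + 3600})
    wrong = make_test_token({"aud": "https://graph.microsoft.com", "exp": 10})
    print("good token problems:", check_sql_token(good))
    print("wrong token problems:", check_sql_token(wrong))
```

In a real deployment the token passed to check_sql_token would come from DefaultAzureCredential (scope AZURE_SQL_SCOPE), and the main value of the check is the audience mismatch: a token minted for a different resource produces a login failure from Azure SQL that looks much like the MSI error in the question.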