App Service dev, staging and prod deployment slots and SQL DB all have system assigned managed identities. Contributor roles have been assigned to managed identities at the subscription level.
SQL Server Contained users have been created and roles assigned for the App Service dev, staging and production slots: SQL Server Contained Users
appsettings.json connectionStrings: connectionStrings
AD DB Admin User created and added to SQLServer as a contained user.
Permissions added to AppService managed identity for dB1 and dB2 to SQL Server AppService Managed Identity Permissions
msi-validator returns success for token based connection from the web app to two different databases on the same sql server instance. msi-validator success
Local and Azure deployment slot both return: SQLException Login failed for token-identified principal
Walked through https://social.technet.microsoft.com/wiki/contents/articles/53928.azure-ad-managed-identity-connecting-azure-web-app-and-slots-with-azure-sql-db-without-credentials.aspx and many other tutorials.
Still missing something...
Attempts to run the application using the managed identity connection string is consistently failing with the token-provider principal login failure error.
CodePudding user response:
As per my understanding you are facing an error stating login fails for token-identified principal when trying to connect your Azure ap service managed identity with your Azure SQL Database. Could you please try the below in order to mitigate the issue.
- Make sure System managed Identity status is showing on your app.
- on your app service Verify that your connection string under application settings is set to "Server=tcp:.database.windows.net,1433;Database=;"
- Allow Azure services and resources to access this server” should be set as Yes in Firewalls and virtual networks settings in your Azure SQL DB, in case it was not set earlier during Azure SQL setup.
Please do let me know if that help mitigate the issue. If not, we will keep working on the same to get you unblock.
CodePudding user response:
Please make sure the Azure Active Directory user is created on the Azure SQL Database. Please make you create the user in the Azure SQL Database following the steps mentioned here.
To create an Azure AD-based contained database user, connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [[email protected]] FROM EXTERNAL PROVIDER;
CREATE USER [[email protected]] FROM EXTERNAL PROVIDER;
Make sure you are connect to the Azure SQL database and not to the master database on the Azure SQL logical server.