Is it possible to configure the ADFS to use a SQL DB(any database that supports SQL query language) for users instead of the default ActiveDirectory?
(ADFS 2019)
Not natively. The way to do it as of today (25/02/2020) is to use a product that does LDAP like a proxy for the SQL database. See https://optimalidm.com/products/virtual-identity-server/.
Then use that LDAP directory like so https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories
Related
I am building a REST-API that talks to an Azure SQL database using .NET core 2.2 and C#. The API runs as a webapp on Azure. The user-access rights are managed by the database itself.
My API requires the users expects users to have a Microsoft account and to be registered in Azure Active Directory and the authentication is done using Bearer tokens.
Is it possible to perform a query on the database on behalf of the user? In other words having the same access rights as if the user logged in to the database directly and performed the query himself.
I believe they need to be Azure Active Directory users if you want to grant access that way. The other option is to use SQL authentication and manage the connection string (user & password) in your web api layer.. This document from Microsoft explains the process for each: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins
I would like to know after upsizing ms access database to sql server successfully with my user name in the domain and windows authentication and linking access tables to sql server tables,
for distribution this front-end to other users in the domain what i have to do? Is enough give a copy of the front-end to other users and defining their user names and permissions in the sql server? Or it needs some vba code in ms access for defining linked tables and ODBC connection?
Yes, if the ODBC driver you use is installed on users' machines - and, of course, Access is installed.
Table links don't change. If you didn't use Windows authentication, however, tables had to be relinked using each user's credentials.
Is it possible to pass Windows domain credentials (users) from their browser directly to MSSQL for database authentication?
Still learning ASP.NET and EF, but I have a working webapp that uses a static DB connection string in my webconfig. I'm using Windows Authentication via IIS to control access to the website, but I need to support read/write permissions in the database, per user.
It would be great if I could just use AD and assign permissions directly in SQL server, instead of having to maintain my own user table and permissions/roles.
It is possible with impersonation. You can configure it to pass the same credentials from the IIS to SQL Server, however, if SQL server is physically in another server, you might need to give some permissions to users. I have done this years ago, but couldn't do it again recently.
I have an ASP NET web app that uses identity impersonation. However, there is an SQL connection string that I must use with SQL Server to retrieve data that relies on a Trusted Connection. Is there any way I can specify a Windows account to communicate with SQL, but still use impersonation in the rest of my web app? If it makes a difference, this application uses .net 4.0, connecting to SQL 2008.
I've read several posts already on SO (including this one - When using Trusted_Connection=true and SQL Server authentication, will this effect performance?), but I haven't found a cohesive answer to my question.
Ultimately I wanted to be sure that the same rules apply now, that Identity Impersonation on a web app will pass user credentials to a sql database using Windows AD authentication. Based on the comments above, that seems to be the case. Thanks everyone for their time, should any future readers see this Q&A and say "Eric's wrong and he's an idiot!", please feel free to correct me accordingly
In our database we have an SQL server account that has the correct roles to access some of the databases. All of our PC and Servers are in domain using Windows Account. Now there is ASP.NET web application, we want the users in the domain to browser some data in the sql server. But we do not want to grant direct permission to every person, so is it possible to connect to sql server and run some T-SQL without granting permission to users using one specify account?
Best Regards,
Create views (or stored procedures) and lock them down to a custom role. Place those users you want to have access in a domain group, and place that group in the custom role.
Overview of SQL Server security model and security best practices
well, if the asp.net is inside the domain on the intranet, then you can create a GROUP in AD, and tie that to an account with the appropriate permissions in SQL Server. Then, turn off anonymous access on the ASP.NEt application, and have it go to town.
You can look at Security Account Delegation (aka passthrough authentication) to enable the NT logon token to be passed to SQL
Google search... there is a lot of good stuff, probably better than one specific link