I try to reconfigure our ASP.Net app with .Net Framework 4.7.2 from SQL username/password Auth. to token based Azure Active Directory Authentication by using the system assigned managed identity of the VM running the Web Site.
I started with https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
Enabled AD Admin on SQL Server created a AAD group, in which i added the SMI of the VM created a User in SQL for each database with "FROM EXTERNAL PROVIDER"
and i can logon to the SQL Server with SSMS using the AAD MFA Authentication.
On the VM i installed https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication & https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/
through copying the dlls to my bin directory of the website.
In the web.config i added the two SqlAuthenticationProviders sections with the public key token and a reconfigured connection string:
add name="Master" connectionString="server=tcp:xxxxdb01.privatelink.database.windows.net,1433;Initial Catalog=master_dev;UID=app;Authentication=Active Directory Interactive;TrustServerCertificate=True" providerName="System.Data.SqlClient"
IIS, after several errors, not able to find the dlls, finally gave the error:
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/97293BC6-059A-4DCB-9520-7FF64761E91E. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Failed to get user name from the operating system.Inner Exception : No mapping between account names and security IDs was done.
I thought about the link between the "System assigned managed identity", which is authorized on the datebase, and the ASP.Net app, running on the VM. How does the IIS get the managed id to authenticate against SQL ?
