go-mssqldb: Azure Active Directory Authentication is not supported?

Hi,

I am able to connect to Azure database using SQL authentication, but when I use Azure AD credentials I receive a TLS handshake error when pinging the database: Cannot read handshake packet: read tcp: wsarecv: An existing connection was forcibly closed by the remote host.

Connection String: sqlserver://user:pass@database.windows.net:1433?app+name=MyAppName&database=dbname&encrypt=true&hostNameInCertificate=%2A.database.windows.net&trustservercertificate=true

Is Azure AD supported or not?

Thanks

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 39 (25 by maintainers)

Most upvoted comments

Thanks! I am so sorry to have to wait on sharing this!

In the docs I had written, the description of the connection string changes was:

  • FedAuth - The federated authentication scheme to use.
    • ActiveDirectoryApplication - authenticates using an Azure Active Directory application client ID and client secret or certificate. Set the user to client-ID@tenant-ID and the password to the client secret. If using client certificates, provide the path to the PKCS#12 file containing the certificate and RSA private key in the ClientCertPath parameter, and set the password to the value needed to open the PKCS#12 file.
    • ActiveDirectoryMSI - authenticates using the managed service identity (MSI) attached to the VM, or a specific user-assigned identity if a client ID is specified in the user field.
    • ActiveDirectoryPassword - authenticates an Azure Active Directory user account in the form user@domain.com with a password. This method is not recommended for general use and does not support multi-factor authentication for accounts.

I’m not yet familiar with all the flavors of SQL auth and on-prem AD to AAD will need to somehow swap out your Kerberos ticket for an OAuth token. I’m not entirely sure how that works, but you should be able to do it with the code you have as well. Looking at the link you sent, I think your code should look like:

token, err := cli.GetTokenFromCLI("https://database.windows.net/") // cli package: token from the local `az login` session, scoped to the SQL resource
if err != nil {
	return err
}
accessToken := token.AccessToken // bearer token to pass to the driver

I have just tested this on my branch on Linux, but that should work.

$ at=$(az account get-access-token --resource https://database.windows.net/ --q accessToken -o tsv)
$ export SQLSERVER_DSN="sqlserver://server.database.windows.net?database=testdb&accesstoken=$at"
$ go test -run TestSessionInitSQL
2020/01/16 07:50:59 initiating response reading
...
2020/01/16 07:50:59 response finished
PASS
2020/01/16 07:50:59 
SET XACT_ABORT ON; -- 16384
SET ANSI_NULLS ON; -- 32
SET ARITHIGNORE ON; -- 128

ok      github.com/denisenkom/go-mssqldb        0.397s
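Putting the FedAuth description and the accesstoken transcript above together, here is an added example (not code from go-mssqldb or from the commenters) that builds an ActiveDirectoryApplication DSN with net/url and redacts the secret or token before the DSN is logged. The fedauth and accesstoken parameter names are taken from the comments above; the server, database and credential values are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
)

// AADAppDSN builds a sqlserver:// DSN for the ActiveDirectoryApplication
// scheme described above: user = client-ID@tenant-ID, password = client
// secret ("fedauth" is the parameter name assumed from that description).
// url.UserPassword percent-encodes both parts, so the '@' in the user name
// and any '@', '/' or '#' in a generated secret cannot corrupt the URL.
func AADAppDSN(server, database, clientID, tenantID, secret string) string {
	q := url.Values{}
	q.Set("database", database)
	q.Set("fedauth", "ActiveDirectoryApplication")
	q.Set("encrypt", "true")
	u := url.URL{
		Scheme:   "sqlserver",
		User:     url.UserPassword(clientID+"@"+tenantID, secret),
		Host:     server + ":1433",
		RawQuery: q.Encode(),
	}
	return u.String()
}

// RedactDSN returns a copy safe to log: the password (client secret) and an
// accesstoken query value are masked; host, database and fedauth are kept.
func RedactDSN(dsn string) (string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", err
	}
	if u.User != nil {
		if _, has := u.User.Password(); has {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	if q := u.Query(); q.Get("accesstoken") != "" {
		q.Set("accesstoken", "REDACTED")
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

func main() {
	// Constructed sample values, not real credentials.
	dsn := AADAppDSN("server.database.windows.net", "testdb", "client-id", "tenant-id", "s3cr@t/with#chars")
	safe, _ := RedactDSN(dsn)
	fmt.Println(safe)
}
```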