
What is the trick to use your AAD credentials using Azure.Identity and SQL Server when using IIS?

Ultimately I want to use User Assigned Managed Identity with SQL Server, but I also need to debug locally.

This code works locally and in Azure when running in a console app.

// Acquire an AAD access token for Azure SQL and hand it to the SqlConnection.
var credential = new DefaultAzureCredential();
var token = credential.GetToken(
    new Azure.Core.TokenRequestContext(
        new[] { "https://database.windows.net/.default" }));

connection.AccessToken = token.Token;

However, when I run my web app, which is a .NET Core 3.1 web app, I get the following exception.

I do have the Tools > Azure Service Authentication set up for my AAD user. My AAD user does have access to the database. The above code works in my console app. I'm using EF Core 3.1. That code is in the ctor of the DbContext. I also got it to work in the https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi sample using IIS Express. I'm not sure if the issue is IIS Express vs IIS or if it has to do with my Startup.cs. I've tried az login and that didn't help either. I've tried running my IIS app pool with Local System or my account with no difference.

Here is the exception message I get from the web app.

DefaultAzureCredential failed to retrieve a token from the included credentials.

  • EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
  • ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
  • SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
  • Visual Studio Token provider can't be accessed at C:\WINDOWS\system32\config\systemprofile\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json
  • Stored credentials not found. Need to authenticate user in VSCode Azure Account.
  • Please run 'az login' to set up account
Dean Ward
randy
  • Should your web app get access to the SQL database regardless of the user who is browsing the app? Or do you want to use the credentials of the user who is browsing your app to access the database with his personal permission on the database? – Christian Vorhemus Feb 27 '21 at 10:20
  • @SimonNobel, it should have access regardless of who is browsing the app. I ultimately want to use User Assigned Managed Identity, so the security will be based on that "external" user, e.g. CREATE USER [my-managed-identity] FROM EXTERNAL PROVIDER; But at this point I'm just trying to run locally in IIS using my AAD credentials, which is why I'm using the DefaultAzureCredential. But ultimately when it's running in Azure I'll be using ManagedIdentityCredential. This does work from a console app, both locally and via WebJob in Azure. Just not in IIS, nor an App Service. – randy Feb 27 '21 at 19:08
  • Well, ultimately when using User Assigned Managed Identity I want to be using that identity instead of the user, but debugging locally in Visual Studio, I want to use the identity of the user. – randy Feb 28 '21 at 13:53

1 Answer

I figured it out. This page describes the steps. https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication#cant-retrieve-tokens-when-debugging-app-in-iis

In addition to those steps I had the added complexity that my AD account is user@domain.com but my same account in AAD is user@domain.net. So I had to switch my App Pool settings to user@domain.net.

randy
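The question's code calls DefaultAzureCredential unconditionally, which is why the web app falls through every developer credential source when the app pool's profile has no Visual Studio token cache (the systemprofile path in the exception). The following is an added example, not code from the question or the accepted answer, showing the split the asker describes: pin the user-assigned managed identity by client ID when running in Azure, and fall back to DefaultAzureCredential (Visual Studio / az login sources, which the accepted answer's IIS steps make reachable) when debugging locally. It assumes the Azure.Identity and Microsoft.Data.SqlClient packages; the names SqlTokenProvider, BuildCredential, OpenConnectionAsync and the userAssignedClientId / isDevelopment parameters are hypothetical.

```csharp
// Added example (hypothetical helper); assumes the Azure.Identity and
// Microsoft.Data.SqlClient packages are referenced.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

public static class SqlTokenProvider
{
    // Scope for Azure SQL; the same value the question uses.
    private static readonly string[] SqlScope = { "https://database.windows.net/.default" };

    // Choose the credential once at startup.
    //  - In Azure: ManagedIdentityCredential with the user-assigned identity's
    //    client ID, so no developer credential source is ever consulted.
    //  - Locally: DefaultAzureCredential, which reaches the Visual Studio and
    //    az login token sources only if the IIS app pool runs under your own
    //    user profile (the fix the accepted answer links to).
    public static TokenCredential BuildCredential(string userAssignedClientId, bool isDevelopment)
    {
        if (!isDevelopment && !string.IsNullOrEmpty(userAssignedClientId))
        {
            return new ManagedIdentityCredential(userAssignedClientId);
        }

        var options = new DefaultAzureCredentialOptions
        {
            // Still honoured locally if a managed identity endpoint happens to exist.
            ManagedIdentityClientId = userAssignedClientId,
            // Excluded by default; stated explicitly because a web app must
            // never block on an interactive browser prompt.
            ExcludeInteractiveBrowserCredential = true
        };
        return new DefaultAzureCredential(options);
    }

    // Open a connection with a freshly acquired AAD token. Tokens are short
    // lived, so acquire one per connection instead of storing it in a field.
    public static async Task<SqlConnection> OpenConnectionAsync(
        string connectionString, TokenCredential credential, CancellationToken ct = default)
    {
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(SqlScope), ct);

        var connection = new SqlConnection(connectionString);
        connection.AccessToken = token.Token;
        await connection.OpenAsync(ct);
        return connection;
    }
}
```

With EF Core 3.1 the opened SqlConnection can be passed to `optionsBuilder.UseSqlServer(connection)` in OnConfiguring or when building DbContextOptions in Startup.cs, which keeps the token acquisition out of the DbContext constructor. The connection string must contain no user name or password; the access token replaces them, and the managed identity must already have been created in the database with CREATE USER ... FROM EXTERNAL PROVIDER as the comments above describe.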