

Windows Authentication for Azure AD principals on Azure SQL Managed Instance enables customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for security infrastructure modernization.

To enable Windows Authentication for Azure Active Directory (Azure AD) principals, you will turn your Azure AD tenant into an independent Kerberos realm and create an incoming trust in the customer domain. This configuration allows users in the customer domain to access resources in your Azure AD tenant. It will not allow users in the Azure AD tenant to access resources in the customer domain. The following diagram (not reproduced here) gives an overview of how Windows Authentication is implemented for a managed instance using Azure AD and Kerberos.

How Azure AD provides Kerberos authentication

To create an independent Kerberos realm for an Azure AD tenant, customers install the Azure AD Hybrid Authentication Management PowerShell module on any Windows server and run a cmdlet to create an Azure AD Kerberos object in their cloud and Active Directory. Trust created in this way enables existing Windows clients to access Azure AD with Kerberos. Windows 10 21H1 clients and above have been enlightened for interactive mode and do not need configuration for interactive login flows to work. Clients running previous versions of Windows can be configured to use Kerberos Key Distribution Center (KDC) proxy servers to use Kerberos authentication.

Kerberos authentication in Azure AD enables:
- Traditional on-premises applications to move to the cloud without changing their fundamental authentication scheme.
- Applications running on enlightened clients to authenticate using Azure AD directly.

How Azure SQL Managed Instance works with Azure AD and Kerberos

Customers use the Azure portal to enable a system assigned service principal on each managed instance.
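The following is an added PowerShell example, not code from the original article or from Microsoft, showing the realm-creation step described above: creating the Azure AD Kerberos object with the Azure AD Hybrid Authentication Management module and then reading it back to verify both sides of the trust agree. It assumes the module is already installed on a domain-joined Windows server, that the credentials used hold the required rights in Azure AD and in on-premises Active Directory, and that the domain name is a placeholder. The cmdlet names (Set-AzureADKerberosServer, Get-AzureADKerberosServer), the -RotateServerKey switch and the output property names are those of the AzureADHybridAuthenticationManagement module as known to the editor; confirm them against the module version you install.

```powershell
# Added example (not from the original article). Creates the Azure AD Kerberos
# object that turns the tenant into an independent Kerberos realm and verifies it.
# Assumes: AzureADHybridAuthenticationManagement module installed
# (Install-Module AzureADHybridAuthenticationManagement), run on a domain-joined
# Windows server. Domain name below is a placeholder.

$domain = "contoso.example"   # placeholder: DNS name of the on-premises AD domain

# One credential for each side of the trust being created.
$cloudCred  = Get-Credential -Message "Azure AD Global Administrator (UPN)"
$domainCred = Get-Credential -Message "On-premises Domain Admin (DOMAIN\user)"

# Create (or update) the Azure AD Kerberos server object in both Azure AD and
# on-premises AD. This is the single cmdlet step the article refers to.
Set-AzureADKerberosServer -Domain $domain `
    -CloudCredential $cloudCred `
    -DomainCredential $domainCred

# Verify: read the object back and compare the on-premises and cloud halves.
$kdc = Get-AzureADKerberosServer -Domain $domain `
    -CloudCredential $cloudCred `
    -DomainCredential $domainCred

$kdc | Format-List Id, DomainDnsName, CloudDisplayName, CloudId, `
    KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn

# Operational check a defender wants in place: the server key is what both
# realms trust, so the two key versions must match. Drift means one side holds
# stale key material and tickets for the realm will fail or be issued under an
# old key; resynchronise with -RotateServerKey (assumed switch name).
if ($kdc.KeyVersion -ne $kdc.CloudKeyVersion) {
    Write-Warning ("Key version mismatch: AD={0} AzureAD={1}. " +
        "Run Set-AzureADKerberosServer -Domain $domain -RotateServerKey " +
        "-CloudCredential <cred> -DomainCredential <cred> to resync.") `
        -f $kdc.KeyVersion, $kdc.CloudKeyVersion
} else {
    Write-Host "Azure AD Kerberos object for $domain is consistent on both sides."
}
```

Run this once per tenant from an account with rights on both sides; keep the Get-AzureADKerberosServer verification as a periodic health check, since key rotation is what keeps the trust usable and a mismatch is the first thing to rule out when Windows clients stop obtaining tickets for the managed instance.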
