Acquire access token in AADDS
We have several legacy desktop apps we remote host through an AADDS joined VM. These apps need to login to an Azure SQL server. Currently we are using Active Directory - Password authentication and the user has to key their password in each time.
Since the user is logged into the VM using their Azure AD account, it would be nice if there was a way to retrieve their access token and then we could login to SQL using that instead.
I've looked and I don't see anyway to do this at this time.
Mark Gould commented
First off, thanks for the insightful comment.
One example that already does something similar is how we are able to use Azure Files with AADDS (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-enable)
Somehow AADDS (legacy authentication as you mentioned) is able to acquire a token to use Azure Files (modern authentication) without prompting the user for any other credentials
Behind the scenes, I don't know how they implemented this. This behavior but working for Azure SQL would be great for us.
Does that make sense?
Mike Stephens commented
So you have a VM that you allow RDP to that host a legacy application. The VM is joined to Azure AD Domain Services--therefore it only does Kerberos authentication (username/password).
Then, the database connection the application uses relies on Azure AD Authentication (modern authentication) rather than Windows Integrated authentication. That explains why users need to sign-in with the un/pw many times. Hmmmm...
There's not much Azure AD Domain Services can do to help with this. However what you might be able to do (if you can change the application), is pre-authenticate the user using the application to Azure and then silently authenticate to SQL in the background, rather than relying on the Azure SQL to prompt for authentication. The design seems to have an impedance mis-match in that it uses legacy authentication for the hosting platform but modern auth for the database connectivity. The easiest way (relative) would be to have Azure SQL register a service principal name in Azure AD Domain Services and accept a Kerberos Service ticket. They could then pull the user upn out of the Kerberos ticket and "broker" the authentication so to speak.
I'll leave this triaged, but I honestly do not see how Azure AD Domain Service can help with this, given its design is for legacy authentication.
Senior Program Manager
IAM Core | Domain Services