Configure Azure SQL Managed Instance for Windows Authentication

Harrison Reeves-Williams 0 Reputation points
2023-04-05T12:48:19.3033333+00:00

My environment consists of two domains: one is the on-premises Windows AD domain, and the other is the Azure AD tenant. The two domains are connected, and Azure AD Connect is set up to sync a specific OU with selected security groups to Azure AD. (The idea being that these security groups will have my users in them on the local AD, with the group synced to Azure and linked to the SQL DB. I use a similar setup for share drives hosted on a Storage account, set up to be accessible to on-prem users.)

I have a SQL Managed Instance in Azure that I want to configure to accept Kerberos authentication from the on-premises Windows AD domain. To do this, I have set up an incoming trust-based flow from the on-premises Windows AD domain to Azure AD. I have also verified that the security group containing the users I want to grant access to the SQL Managed Instance has been synced to Azure AD.

I then followed the steps to configure the SQL Managed Instance to accept Kerberos authentication for the security group. I created an SPN for the SQL Managed Instance and registered it with the service account using the setspn.exe tool. However, when attempting to connect to the SQL Managed Instance with a Windows account, I encountered an error when creating the login: “login was from an untrusted domain and could not be used with integrated authentication.”

This is the guide I have followed: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup-incoming-trust-based-flow?view=azuresq

I have tried to recreate all the setup from the guide and it's not working. I’m struggling to find which direction I should be looking at.


1 answer

  1. Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator
    2023-04-05T14:59:12.53+00:00

    Please see the steps provided on this article also.

