Failed to authenticate Domain AD when connecting to Azure SQL Database, ADFS error code ID3242

Beck 0 Reputation points
2025-05-11T03:08:11.5566667+00:00

When using an AD domain account to connect to Azure SQL Database from AKS (Azure Kubernetes Service), I encountered this issue. Local access works fine. What could be the reason, and where can I configure it?

My connection string is:

Server=xxx.database.windows.net;Database=xxx;UID=******@xxx.com;PWD=xx;Authentication=Active Directory Password;Pooling=true;Max Pool Size=100;Min Pool Size=20;Connection Lifetime=120;

The error info is as follows:

Failed to authenticate the user [my account] in Active Directory (Authentication=ActiveDirectoryPassword).

Error code 0xparsing_wstrust_response_failed

There was an error parsing the WS-Trust response from the endpoint.

This may occur if there are issues with your ADFS configuration. See https://aka.ms/msal-net-iwa-troubleshooting for more details.

Enable logging to see more details. See https://aka.ms/msal-net-logging. Error Message: Federated service at https://wap.aia.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.

Microsoft Security | Active Directory Federation Services

1 answer

  1. Suwarna S Kale 3,391 Reputation points
    2025-05-11T14:42:14.9633333+00:00

    Hello Beck,

    Thank you for posting your question in the Microsoft Q&A forum. 

    The authentication failure when connecting from AKS to Azure SQL Database using Active Directory Password authentication typically stems from WS-Trust endpoint misconfiguration or network restrictions in the Kubernetes environment. Unlike local access, AKS pods may face issues resolving or reaching your organization's ADFS (Active Directory Federation Services) endpoints, which are required for token acquisition. The error 0xparsing_wstrust_response_failed suggests the ADFS server (wap.aia.com/adfs/services/trust/2005/usernamemixed) either rejected the request or the AKS cluster couldn’t access it due to: 

    • Network Policies/Firewalls: AKS nodes or pods might be blocked from contacting your ADFS server. Verify egress traffic to ADFS endpoints (port 443) is allowed in AKS network security groups (NSGs) or Azure Firewall rules. 
    • DNS Resolution: Ensure AKS can resolve your ADFS domain (wap.aia.com). Configure custom DNS settings in AKS if using private endpoints. 
    • ADFS Configuration: The ADFS server may require WS-Trust 1.3 or specific claim rules for cloud resources. Check ADFS logs for ID3242 errors. 

    Solutions you may try:

    • Test Connectivity: Use kubectl exec to run nslookup and curl from a pod to verify ADFS reachability. 
    • Use Managed Identity: Switch to Azure AD Pod Identity or Workload Identity for AKS-to-SQL auth, bypassing ADFS. 
    • Enable MSAL Logging: Add HttpLoggingEnabled=true to your connection string to capture detailed auth flow errors. 

    For immediate mitigation, consider Azure AD Service Principal auth (if ADFS isn’t mandatory) or involve your AD team to audit ADFS WS-Trust settings. 

    A few related Microsoft documentation pages may help: 

    https://learn.microsoft.com/en-us/azure/aks/use-network-policies 

    https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql  

    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 

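Added example, not code from the question or the answer above: what actually travels between the MSAL client inside the pod and the ADFS endpoint named in the error. With Authentication=Active Directory Password against a federated domain, MSAL first posts a WS-Trust 2005 RequestSecurityToken (username and password in a WS-Security UsernameToken) to the usernamemixed endpoint, expects a SAML assertion back, and only then exchanges that assertion with Entra ID for the SQL token. The script below builds that request in the shape MSAL sends it and classifies the reply as either an issued assertion or a SOAP fault. The two responses are constructed samples, the hostnames and assertion ID are placeholders, and nothing is sent over the network.

```python
"""Build the WS-Trust 2005 RequestSecurityToken that MSAL's ActiveDirectoryPassword
flow posts to .../adfs/services/trust/2005/usernamemixed, and classify the reply
as an issued SAML assertion or a SOAP fault (e.g. ADFS ID3242). Offline example."""
import re
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",          # SOAP 1.2, used by the 2005 endpoint
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",    # WS-Trust February 2005
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def build_rst(endpoint: str, username: str, password: str,
              applies_to: str = "urn:federation:MicrosoftOnline") -> str:
    """SOAP 1.2 envelope for a bearer (NoProofKey) Issue request, the values MSAL uses for
    WS-Trust 2005. Credentials are XML-escaped so '<' or '&' in a password cannot turn
    into markup inside the UsernameToken."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">{NS['wst']}/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{WSSE}" xmlns:u="{WSU}">
      <o:UsernameToken u:Id="uuid-{uuid.uuid4()}">
        <o:Username>{escape(username)}</o:Username>
        <o:Password>{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{NS['wst']}">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</trust:KeyType>
      <trust:RequestType>{NS['wst']}/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def parse_wstrust_response(body: str) -> dict:
    """Return {'kind': 'fault', ...} for a SOAP fault (with the ADFS IDnnnn code pulled out
    of the Reason text) or {'kind': 'token', ...} when a saml:Assertion was issued."""
    root = ET.fromstring(body)
    fault = root.find("./s:Body/s:Fault", NS)
    if fault is not None:
        reason = fault.findtext("./s:Reason/s:Text", default="", namespaces=NS).strip()
        m = re.match(r"(ID\d+)", reason)
        return {
            "kind": "fault",
            "code": fault.findtext("./s:Code/s:Value", default="", namespaces=NS),
            "subcode": fault.findtext("./s:Code/s:Subcode/s:Value", default="", namespaces=NS),
            "reason": reason,
            "adfs_id": m.group(1) if m else None,
        }
    assertion = root.find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is not None:
        return {"kind": "token", "assertion_id": assertion.get("AssertionID"),
                "issuer": assertion.get("Issuer")}
    raise ValueError("unrecognised WS-Trust response: neither a Fault nor a RequestedSecurityToken")


# Constructed sample: the fault shape ADFS returns when it rejects the UsernameToken.
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body><s:Fault>
  <s:Code><s:Value>s:Sender</s:Value>
    <s:Subcode><s:Value xmlns:wsse="{WSSE}">wsse:FailedAuthentication</s:Value></s:Subcode></s:Code>
  <s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>"""

# Constructed sample: a successful RSTR carrying a SAML 1.1 bearer assertion.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body>
  <t:RequestSecurityTokenResponse xmlns:t="{NS['wst']}"><t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="_constructed-assertion-1"
        Issuer="http://adfs.example.com/adfs/services/trust"/>
  </t:RequestedSecurityToken></t:RequestSecurityTokenResponse>
</s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(build_rst("https://adfs.example.com/adfs/services/trust/2005/usernamemixed",
                    "user@example.com", "p<a&ss")[:200], "...")
    print(parse_wstrust_response(SAMPLE_FAULT))
    print(parse_wstrust_response(SAMPLE_RSTR))
```

Reading the result against the error in the question: the message "Federated service at .../2005/usernamemixed returned error: ID3242" is exactly the fault branch above, which means the pod resolved the ADFS host, completed the TLS handshake and received a SOAP body; a blocked egress rule or a DNS failure would surface earlier as a connection or resolution error, not as a parsed fault. ID3242 is ADFS refusing to authenticate or authorize the UsernameToken, so the ADFS admin and Windows Security logs on the federation server (and the WAP in front of it) are where the next clue is. The reason the answer's suggestion to move to Workload Identity removes the problem is that a managed identity obtains its token directly from Entra ID and this WS-Trust hop to on-premises ADFS no longer exists at all.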
