Problem with LogOn setting for Azure Data Factory Service Account

Zhengkai Wu 1 Reputation point
2022-02-28T22:47:49.837+00:00

Hi, we created a dedicated domain service account for ADF to access different on-premises data sources through the Self-hosted Integration Runtime server and granted that service account access on the local servers (SQL Server DBs & network shares).

What we notice is that the domain service account requires logon rights on every on-prem server it needs to retrieve data from (not just the self-hosted IR server) for it to work. Otherwise ADF returns the error 'Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication', even though that service account has been granted the correct access on the SQL Server & network share.

As soon as we grant that service account LogOn rights to the server, everything starts working. Our security team has a problem granting that service account logon permissions to all the SQL servers & file servers in the Production environment. (The Self-Hosted Integration Runtime server is not the problem, but logOn rights to multiple SQL servers & file servers is a security concern.)

I searched online and did not find many results on this topic. There are documents stating that the log-on permission is required on the Self-Hosted Integration Runtime server, but none of them mention that access on the other on-prem servers. Did we misconfigure something in our ADF setup? Does the domain account ADF uses to access on-prem SQL databases or network shares (through the Self-hosted Integration Runtime) have to have logOn (or log-on-as-service) permission on all the other on-prem servers as well?

Azure Data Factory

1 answer

  1. ShaikMaheer-MSFT 37,896 Reputation points Microsoft Employee
    2022-03-03T12:23:29.553+00:00

    Hi @Zhengkai Wu ,

    Thank you for posting query in Microsoft Q&A Platform.

    As per my understanding, you created a service account that can be used by the ADF self-hosted IR to access different on-prem data sources, and you granted the service account access to local servers (SQL servers & file shares). But you still see the above issue and are trying to confirm whether logOn access on local servers is needed to avoid the issue. Correct me if my understanding is wrong.

    Yes, you need to have LogOn access on your servers; only then can the ADF self-hosted IR use that service account to access data from there.

    Without logon access, service accounts cannot access data in storages. One should have logon access to log in to databases and fetch data.

    The default log-on service account of the Self-hosted integration runtime that you see in the documentation, and the steps documented there, are to make sure SHIR starts successfully without any errors. Click here to know more about the same. But once SHIR runs successfully, we need to make sure our service account has logon access on local servers to access data from there.

    Hope this helps. Please let us know how it goes.


    Please consider hitting Accept Answer. Accepted answers help the community as well.
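An audit check that a security team can run on each SQL or file server before and after granting the logon rights discussed above, added here as an example and not part of the original question or answer. It assumes an elevated PowerShell session on the target server and uses a placeholder account name (`CONTOSO\svc-adf-shir`), which is not from the thread.

```powershell
# Added example: report which logon-related user rights a domain service account
# holds directly on this server, by exporting the local security policy with secedit.
# Only direct assignments are detected; rights inherited through group membership
# (for example via local Administrators) are not expanded here.
param(
    [string]$Account = 'CONTOSO\svc-adf-shir'   # placeholder, replace with the real ADF account
)

# secedit records assignments as *SID entries, so resolve the account name to its SID first.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the local policy to a temporary .inf file.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf

# Logon-related privileges relevant to a service account reaching SQL Server or file shares.
$rights = [ordered]@{
    'SeNetworkLogonRight'           = 'Access this computer from the network'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeDenyNetworkLogonRight'       = 'Deny access to this computer from the network'
    'SeDenyInteractiveLogonRight'   = 'Deny log on locally'
}

foreach ($constant in $rights.Keys) {
    # A policy line looks like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,CONTOSO\someuser
    $line = $policy | Where-Object { $_ -match "^$constant\s*=" } | Select-Object -First 1
    $assigned = $false
    if ($line) {
        $members = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
        $assigned = ($members -contains $sid) -or ($members -contains $Account)
    }
    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        Account  = $Account
        Right    = $rights[$constant]
        Constant = $constant
        Assigned = $assigned
    }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Running it on each affected server produces one row per logon right, so the team can record exactly which rights the account has been given (and whether any Deny rights apply) rather than granting logon access broadly.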