Question

zhwu-5182 asked · cthomasberg commented

Problem with LogOn setting for Azure Data Factory Service Account

Hi, we created a dedicated domain service account for ADF to access different data sources on-premise through the Self-hosted Integration Runtime server and granted that service account access on the local servers (SQL Server DBs & network shares).

What we notice is that the domain service account requires logon rights on every on-prem server it needs to retrieve data from (not just the self-hosted IR server) for it to work. Otherwise ADF returns the error 'Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication', even though that service account has been granted the correct access on the SQL Server & network share.

As soon as we grant that service account LogOn rights to the server, everything starts working. Our security team has a problem granting that service account logon permissions to all the SQL servers & file servers in the Production environment. (The Self-Hosted Integration Runtime server is not the problem, but logOn rights to multiple SQL servers & file servers is a security concern.)

I searched online and did not find many results on this topic. There are documents stating that the log-on permission is required on the Self-Hosted Integration Runtime server, but none of them mention that access on the other on-prem servers. Did we misconfigure something in our ADF setup? Does the domain account ADF uses to access on-prem SQL databases or network shares (through the Self-hosted Integration Runtime) have to have logOn (or log-on-as-service) permission on all the other on-prem servers as well?



azure-data-factory

1 Answer

ShaikMaheer-MSFT answered · cthomasberg commented

Hi @zhwu-5182,

Thank you for posting query in Microsoft Q&A Platform.

As per my understanding, you created a service account that can be used by the ADF self-hosted IR to access different on-prem data sources, and you granted the service account access to local servers (SQL servers & file shares). But you still see the above issue and are trying to confirm whether logOn access on the local servers is needed to avoid the issue. Correct me if my understanding is wrong.

Yes, you need to have LogOn access on your servers; only then can the ADF self-hosted IR use that service account to access data from there.

Without logon access, service accounts cannot access data in storages. One should have logon access to log in to databases and fetch data.

The default log on service account of the Self-hosted integration runtime that you see in the documentation, and the steps documented there, are to make sure SHIR starts successfully without any errors. Click here to know more about the same. But once SHIR runs successfully, we need to make sure our service account has logon access on the local servers to access data from there.

Hope this helps. Please let us know how it goes.


Please consider hitting Accept Answer. Accepted answers help the community as well.
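Since the thread turns on which logon user rights the ADF service account actually holds on a given on-prem server, an audit of those rights is the first thing to check before granting anything broader. The script below is an added example, not code from the thread or from Microsoft; it exports the local security policy with `secedit` and reports, for the logon-related rights, whether the account is listed directly. The account name is a constructed placeholder, and the script assumes it runs in an elevated session on the server being audited.

```powershell
# Added example (not from the Q&A thread): audit which logon user rights a domain
# account holds on the local server, read from secedit's exported policy.
# Assumptions: elevated PowerShell on the server under review; the account name
# below is a constructed placeholder, not one from the thread.
param(
    [string]$Account = 'CONTOSO\svc-adf-shir'   # placeholder
)

$cfg = Join-Path $env:TEMP 'user-rights.inf'
# Export only the user-rights area of the local security policy to an INF file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit lists members as *SID, so translate the account name to its SID
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Rights that decide whether the account can authenticate to this server
$rights = [ordered]@{
    'SeNetworkLogonRight'      = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'  = 'Deny access to this computer from the network'
    'SeServiceLogonRight'      = 'Log on as a service'
    'SeBatchLogonRight'        = 'Log on as a batch job'
    'SeInteractiveLogonRight'  = 'Allow log on locally'
}

$policy = Get-Content $cfg
foreach ($constant in $rights.Keys) {
    # A right appears as one line: SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-...
    $line = $policy | Where-Object { $_ -like "$constant =*" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Trim() -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Entries may be SIDs or plain names; match either form for the account itself
    $granted = ($members -contains $sid) -or ($members -contains $Account)
    [pscustomobject]@{
        Right    = $rights[$constant]
        Constant = $constant
        Granted  = $granted
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Two caveats for reading the output: the check only matches the account when it is listed directly, so a right inherited through a group (for example the built-in Users group, which by default holds "Access this computer from the network" on servers) shows as not granted; and a "Deny" entry overrides any corresponding allow, which is why `SeDenyNetworkLogonRight` is included. Running this on a server where the connection works and one where it fails narrows the difference to the specific right involved, which is a smaller ask of a security team than blanket logon rights.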


ShaikMaheer,

Thanks for the answer, and your understanding is right. The article you linked only mentions granting 'Log-on-as-service' permission on the SHIR server, not on the other servers inside the network domain. We use a similar setup for on-premise SSIS packages (a separate service account created for the SSIS SQL Agent job), and we don't need to grant these SSIS service accounts 'log-on-as-service' permission on each SQL Server to make them work (we only need to grant the SSIS service account access at the SQL database level). So the error message 'The login is from an untrusted domain and cannot be used with Integrated authentication' only happens when ADF is trying to access the on-prem SQL databases through SHIR.

I want to confirm whether 'logon' permission is really required for the ADF Service Account (which is a domain AD account) on each on-prem server (SQL servers/file servers) ADF needs to access.

Hi @zhwu-5182,

Sorry for the delay in response. You may need them, but to be sure on this I escalated this to the internal team to get insights on the same. I will share once I hear back. Thank you.

cthomasberg commented (replying to ShaikMaheer-MSFT):

Hi @ShaikMaheer-MSFT,
Do you have an update on this issue?
Thanks