-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ActiveDirectoryIntegrated auth in SSMS 19 hits MSAL throttling #1915
Comments
Thanks @shueybubbles for bringing this issue to our attention. It does make sense that we should be caching the token to avoid spamming the auth server. I feel like it's related to the enhancement in #1895 but we'll discuss with the team and take a look at it soon. |
I recommend refactoring auth as part of 6.0, at which point you'll hopefully split the entire AAD provider implementation into its own package. |
We'll look into it. |
Thanks, @shueybubbles, using |
Hi @lcheunglci and @David-Engel - checking in to see if there is an ETA on when this fix might be available in a MDS 3.x that we could pick up for a SSMS 19 hotfix. We have users stating that SSMS is unusable for them, and we have to recommend they revert back to an 18.x build. Thanks in advance for any information! |
… Integrated/Password flows when the account is already cached. Addresses issue dotnet#1915
I'm using v5.1.0 in my ASP.NET project and I'm getting an error about throttling inside a test project that uses "Active Directory Password":
(The api is deployed in Azure and uses "Active Directory Managed Identity" - I haven't noticed an issue there.) Is there an earlier version I can use as a temporary fix? |
afaik the only workaround for an app is to implement I think a fix is coming from sqlclient soon. |
Would adding an explicit reference to Azure.Identity 1.8 work? |
No. MDS uses MSAL.NET, not Azure.Identity for AAD Password/Integrated/Interactive auth. We'll backport the fix for this to other in-support MDS versions. |
* Address throttling of token requests by calling AcquireTokenSilent in Integrated/Password flows when the account is already cached. Addresses issue #1915 Co-authored-by: Lawrence Cheung <[email protected]> Co-authored-by: DavoudEshtehari <[email protected]>
…net#1925) * Address throttling of token requests by calling AcquireTokenSilent in Integrated/Password flows when the account is already cached. Addresses issue dotnet#1915 Co-authored-by: Lawrence Cheung <[email protected]> Co-authored-by: DavoudEshtehari <[email protected]>
Is this not fixed in 3.1.1? |
It's fixed in 3.1.3. |
…net#1925) * Address throttling of token requests by calling AcquireTokenSilent in Integrated/Password flows when the account is already cached. Addresses issue dotnet#1915 Co-authored-by: Lawrence Cheung <[email protected]> Co-authored-by: DavoudEshtehari <[email protected]> # Conflicts: # src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
…net#1925) * Address throttling of token requests by calling AcquireTokenSilent in Integrated/Password flows when the account is already cached. Addresses issue dotnet#1915 Co-authored-by: Lawrence Cheung <[email protected]> Co-authored-by: DavoudEshtehari <[email protected]> # Conflicts: # src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
This has been fixed in 3.1, 4.0, 5.1, and main branches. |
Describe the bug
See https://feedback.azure.com/d365community/idea/b4b0d281-c2a0-ed11-a81b-6045bd8615b0
SSMS creates multiple connections when using Object Explorer. Customers using Active Directory Integrated auth may get blocked by a throttling exception from MSAL.
To reproduce
Use SSMS 19 Object Explorer with Active Directory Integrated
Expected behavior
I'd expect this auth mode to leverage the in-memory cache with
AcquireTokenSilent
to avoid this exceptionAdditional context
Add any other context about the problem here.
Please provide a fix for the 3.1 branch.
The text was updated successfully, but these errors were encountered: