
Using Managed identity in the connectionstring #7922


epieters created
  • ABP Framework version: v8.2 Commercial + SaaS module

  • UI Type: MVC

  • Database System: EF Core (SQL Server)

  • Tiered (for MVC) or Auth Server Separated (for Angular): no

  • Exception message and full stack trace:

    at System.Data.Common.DbConnectionOptions.GetKeyValuePair(String connectionString, Int32 currentPosition, StringBuilder buffer, Boolean useOdbcRules, String& keyname, String& keyvalue)
    at System.Data.Common.DbConnectionOptions.ParseInternal(Dictionary2 parsetable, String connectionString, Boolean buildChain, Dictionary2 synonyms, Boolean firstKey)
    at System.Data.Common.DbConnectionOptions..ctor(String connectionString, Dictionary2 synonyms, Boolean useOdbcRules)
    at System.Data.Common.DbConnectionStringBuilder.set_ConnectionString(String value)
    at Microsoft.Data.SqlClient.SqlConnectionStringBuilder..ctor(String connectionString)
    at Volo.Abp.EntityFrameworkCore.ConnectionStrings.SqlServerConnectionStringChecker.CheckAsync(String connectionString)
    at Volo.Saas.Host.TenantAppService.CheckConnectionStringAsync(String connectionString)
    at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
    at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
    at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
    at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
    at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
    at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
    at Volo.Abp.GlobalFeatures.GlobalFeatureInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
    at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
    at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
    at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
    at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
    at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
    at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
    at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
    at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
    at Volo.Abp.Validation.ValidationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
    at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
    at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
    at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
    at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
    at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
    at lambda_method11563(Closure, Object)
    at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
    at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
    at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.

  • Steps to reproduce the issue: I have my application deployed on an Azure App Service. My App Service Managed Identity is added to the database (ddl_admin, reader & writer). I want one of my tenants on a separate database. I've entered the following connection string: Server=

I'm getting an error: Format of the initialization string does not conform to specification starting at index 136. What am I missing? What are the validations that are done on the connection string? I've also tried with Authentication=Active Directory Default.


7 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    ABP provides a button to check your connection string.

    For connection string format, you can check this https://www.connectionstrings.com/

  • epieters created

    Hi Li,

    I don't believe you are answering my questions.

    The error is a result of pushing the Check button:

    The content I use is: Server=tcp:XXXXX-europe-1.database.windows.net;Authentication=Active Directory Default; Database=XXXXXX-dev-europe;

    As you might know, www.connectionstrings.com does not give a good example of using System Assigned Managed Identity with SQL Azure.

    But on the Microsoft website there are some good instructions on how to set up Managed Identity with App Service: https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cefcore%2Cdotnet#3-modify-your-project

    And I'm using the connectionstring as defined in the example: "Server=tcp:<server-name>.database.windows.net;Authentication=Active Directory Default; Database=<database-name>;"

    So my questions are still:

    • What am I missing?
    • Which validations are done by the ABP Framework (Commercial) that I'm getting an error saying that my connection string is not valid? It seems to come from Volo.Saas.Host.TenantAppService.CheckConnectionStringAsync(String connectionString)

    I would appreciate it if you could give this some thought.

  • liangshiwei created
    Support Team Fullstack Developer

    Hi

    Here is how ABP checks connection strings: https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.EntityFrameworkCore.SqlServer/Volo/Abp/EntityFrameworkCore/ConnectionStrings/SqlServerConnectionStringChecker.cs#L10

    The error is a result of pushing the Check button:

    Could you share the full logs? Thanks.

  • epieters created

    Hi,

    We are sending our errors to Azure Application Insights, so we don't have a logfile.

    BUT, it's even more weird: The test actually fails, but when hitting save, the database gets created. So there is definitely something wrong with that connection string check that doesn't take into account valid connection strings using Managed Identity syntax.

  • liangshiwei created
    Support Team Fullstack Developer

    It looks like a problem; I will check it. Anyway, your ticket was refunded.

  • epieters created

    Hi,

    Is there a specific reason why the initial catalog is replaced by master in the connection string checker? https://github.com/abpframework/abp/blob/b23affb0ed225f020dc7b66aebc208acd71a1c01/framework/src/Volo.Abp.EntityFrameworkCore.SqlServer/Volo/Abp/EntityFrameworkCore/ConnectionStrings/SqlServerConnectionStringChecker.cs#L20-L21

    Managed identities should not have access to master; they are database-scoped credentials and only need to have access to the Database (or Initial Catalog) passed in the connection string.

  • liangshiwei created
    Support Team Fullstack Developer

    Because, at the time, the database does not exist yet (maybe), so we change it to master.
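
A connection check that accommodates both points in the last exchange, as an added example (not ABP's checker and not code from this thread): it probes the database named in the connection string first, so a database-scoped managed identity passes, and falls back to master only to report a reachable server whose database does not exist yet. `CheckResult` and `LeastPrivilegeConnectionCheck` are hypothetical names, and the Microsoft.Data.SqlClient package is assumed.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;

// Hypothetical result type for this example (not ABP's own result class).
public record CheckResult(bool Parsed, bool Connected, bool DatabaseExists, string Error);

public static class LeastPrivilegeConnectionCheck
{
    public static async Task<CheckResult> CheckAsync(string connectionString)
    {
        SqlConnectionStringBuilder builder;
        try
        {
            // Format errors ("Format of the initialization string does not conform...")
            // are raised here as ArgumentException, before any network traffic.
            builder = new SqlConnectionStringBuilder(connectionString) { ConnectTimeout = 5 };
        }
        catch (ArgumentException ex)
        {
            return new CheckResult(false, false, false, ex.Message);
        }

        // 1. Try the database named in the string. A contained database user,
        //    such as a managed identity, can log in here with no rights on master.
        if (await TryOpenAsync(builder.ConnectionString))
            return new CheckResult(true, true, true, "");

        // 2. Fall back to master only to tell "server reachable, database missing"
        //    apart from "cannot connect at all".
        builder.InitialCatalog = "master";
        var serverReachable = await TryOpenAsync(builder.ConnectionString);
        return new CheckResult(true, serverReachable, false,
            serverReachable ? "Database not found or not accessible" : "Could not connect");
    }

    private static async Task<bool> TryOpenAsync(string connectionString)
    {
        try
        {
            await using var connection = new SqlConnection(connectionString);
            await connection.OpenAsync();
            return true;
        }
        catch (Exception)
        {
            // Probe only: any login, token or network failure counts as "not connected".
            return false;
        }
    }
}
```

Separating the parse step from the connection attempts also shows whether a failure is a malformed string or a permissions problem, which the single error message in the thread does not distinguish.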

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11