0 Votes
DawidTaciak-2725 asked, SudhanRoseVictor-4310 commented

Authentication issues after Azure Synapse database restoration

Following accidental deletion of Azure resources, our Azure SQL server (hosting the Synapse SQL Pool database) has been successfully restored. So far, so good. We got back all data and security objects (users, roles, permissions); however, some users experience issues with access to the database and are getting 18456 (login failed for user '<token-identified principal>') or 10060 (network related or instance-specific) SQL errors. Moreover, when trying to re-establish a user (by removing and adding it again) with 'create user [xyz] from external provider', we are getting the following error:
Principal 'xyz' could not be resolved. Error message: 'AADSTS500133: Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: 2021-08-02T12:22:23.8369779Z, expiry time of assertion 2021-08-02T09:09:57.0000000Z.
This is happening when logged in with the original (created prior to the incident) Azure Active Directory admin account. Assigning the admin to another AAD account enables us to create new users from external provider, but we would like to know what has actually happened and why we are getting this token-related error with the initial admin account. The error code reference doesn't help much. Would appreciate some hints.


InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion is not a primary refresh token.

azure-ad-authentication
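A diagnostic for the AADSTS500133 condition quoted above, added here as an example that is not part of the original thread: it decodes a token's exp/nbf claims (without verifying the signature) and applies the same validity-window check the error describes, and it parses the two timestamps out of the error text to show how stale the assertion was. The demo token, the upn value and the 5-minute clock-skew allowance are constructed assumptions.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_demo_jwt(claims: dict) -> str:
    # Constructed, unsigned (alg "none") token so the example runs offline; real AAD tokens are RS256-signed.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_claims(jwt: str) -> dict:
    # Payload read WITHOUT signature verification: diagnostic only, never an authorization decision.
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def assertion_time_status(jwt: str, now: datetime, skew: timedelta = timedelta(minutes=5)) -> dict:
    """Same window check the AADSTS500133 text describes: nbf - skew <= now <= exp + skew."""
    claims = token_claims(jwt)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    nbf = claims.get("nbf")
    nbf_dt = datetime.fromtimestamp(nbf, tz=timezone.utc) if nbf is not None else None
    if now > exp + skew:
        return {"valid": False, "reason": "expired", "off_by": now - exp}
    if nbf_dt is not None and now < nbf_dt - skew:
        return {"valid": False, "reason": "not yet valid", "off_by": nbf_dt - now}
    return {"valid": True, "reason": "ok", "off_by": timedelta(0)}

_TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z"
_MSG_RE = re.compile(rf"Current time: {_TS}, expiry time of assertion {_TS}")

def parse_aadsts500133(message: str) -> timedelta:
    """How far past its expiry the assertion was, taken from the error text itself."""
    m = _MSG_RE.search(message)
    if not m:
        raise ValueError("no AADSTS500133 timestamps found in message")
    current, expiry = (datetime.strptime(t, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
                       for t in m.groups())
    return current - expiry

# Constructed values matching the timestamps quoted in the question (upn is hypothetical).
EXPIRY = datetime(2021, 8, 2, 9, 9, 57, tzinfo=timezone.utc)
NOW = datetime(2021, 8, 2, 12, 22, 23, tzinfo=timezone.utc)
DEMO_TOKEN = build_demo_jwt({"upn": "admin@example.test", "exp": int(EXPIRY.timestamp()),
                             "nbf": int((EXPIRY - timedelta(hours=1)).timestamp())})
```

Running `assertion_time_status(DEMO_TOKEN, NOW)` reproduces the situation in the question: the token is reported expired by 3h 12m 26s, which is why resolving the principal with that assertion fails.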

0 Votes
CristianSPIRIDON72 answered

Do you need the database resource in order to assign the admin privileges?

Maybe the previous account was tied to the old resource.


1 Vote
DawidTaciak-2725 answered, SudhanRoseVictor-4310 commented

An update: The issue was solved when we paused and resumed the SQL Pool / DW. It seems that there was some desynchronization of tokens.


Thank you Dawid, it worked.

0 Votes