<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1446583952;
        mso-list-type:hybrid;
        mso-list-template-ids:1939792208 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1646349929;
        mso-list-type:hybrid;
        mso-list-template-ids:-732904892 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><b>When</b>: Today, 9/16/2022<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>What</b>: UW-IT has enabled Windows Authentication with Azure SQL Managed Instances via the trust-based flow.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>More Info</b>: <o:p></o:p></p>
<p class="MsoNormal">Azure SQL Managed Instances are a platform-based solution and represent the future direction for existing Microsoft SQL Servers. Prior to this change, you could only use Azure AD or SQL-based authentication with Azure SQL Managed Instances.
 While Azure AD authentication is modern, many existing SQL Servers include Kerberos authentication protocol dependencies such as linked servers or multi-hop Kerberos delegation. Recognizing this key blocker, Microsoft developed Azure AD Kerberos, a cloud-based
 Kerberos service endpoint backed by our Azure AD. Azure AD Kerberos moved to general availability last month. This allows Azure SQL Managed Instances to use traditional Kerberos-based scenarios.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are two possible authentication flows supported for this scenario, and UW supports both. Both rely on Azure AD-based authentication at the client, which is transformed into Kerberos tokens during the authentication flow. For more about
 how this works, see: <a href="https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-implementation-aad-kerberos?source=recommendations&view=azuresql">
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-implementation-aad-kerberos?source=recommendations&view=azuresql</a>. Note that because this starts with Azure AD-based authentication and your Azure SQL Managed Instance has an
 Azure AD application identity, you can layer 2FA or other Azure AD conditional access features on top of this solution. Adding 2FA to SQL has been a long-desired goal for many at the UW, and this solution provides a path to that. See
<a href="https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/2fa/per-application/">
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/2fa/per-application/</a> for how to request a per-application 2FA conditional access policy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2">Trust-based flow: For more about how to enable your Azure SQL Managed Instance to leverage this new feature using the trust-based flow, see:
<a href="https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-kerberos-managed-instance?view=azuresql">
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-kerberos-managed-instance?view=azuresql</a>.
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2">Modern flow: Most clients at the UW do not meet the minimum requirements for the modern flow, but we recommend it over the trust-based flow where possible. For more on setting up the
 modern flow, see: <a href="https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup-modern-interactive-flow?view=azuresql">
https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup-modern-interactive-flow?view=azuresql</a>.
<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Both flows require a group policy setting. We’ve implemented that setting at the NETID domain level because there is no downside to doing so, and it should eliminate problems getting the correct values in place:<o:p></o:p></p>
<p class="MsoNormal">Default Domain GPO:<o:p></o:p></p>
<p class="MsoNormal">Computer\Administrative Templates\System\Kerberos\Specify KDC proxy servers for Kerberos clients policy setting=Enabled<o:p></o:p></p>
<p class="MsoNormal">Options:<o:p></o:p></p>
<p class="MsoNormal">KERBEROS.MICROSOFTONLINE.COM &lt;https login.microsoftonline.com:443:f6b6dd5b-f02f-441a-99a0-162ac5060bd2/kerberos /&gt;<o:p></o:p></p>
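<p class="MsoNormal">An added verification script (not part of this announcement) for checking that the KDC proxy policy above has actually reached a client: it reads the applied proxy list, and confirms that the KERBEROS.MICROSOFTONLINE.COM realm maps to login.microsoftonline.com:443 with the UW tenant ID in the documented &lt;https host:port:path /&gt; format. The registry path under the Kerberos policy key is an assumption about where this Group Policy setting is stored.<o:p></o:p></p>

```powershell
# Added example (not from the UW-IT announcement): confirm the
# "Specify KDC proxy servers for Kerberos clients" policy reached this client.
# Assumption: the policy stores its list under the registry key below, one value
# per realm, with data in the documented "<https host:port:path />" format.
$proxyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\KdcProxy\ProxyServers'
$realm    = 'KERBEROS.MICROSOFTONLINE.COM'
$tenantId = 'f6b6dd5b-f02f-441a-99a0-162ac5060bd2'   # UW tenant ID from the announcement
$expected = "<https login.microsoftonline.com:443:$tenantId/kerberos />"

# Captures host, port and tenant ID from an "<https host:port:tenant/kerberos />" entry.
$entryPattern = '^<https\s+(?<host>[^:\s]+):(?<port>\d+):(?<tenant>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})/kerberos\s*/>$'

function Test-KdcProxyEntry {
    param([string]$Value)
    if (-not ($Value -match $entryPattern)) { return $false }
    # Accept only Microsoft's KDC proxy endpoint over HTTPS on 443, and only our
    # tenant: a different host or tenant would send this realm's Kerberos
    # traffic to a KDC proxy we do not control.
    return ($Matches.host -eq 'login.microsoftonline.com' -and
            $Matches.port -eq '443' -and
            $Matches.tenant -eq $tenantId)
}

if (-not (Test-Path $proxyKey)) {
    Write-Warning "KDC proxy policy key missing; the GPO has not applied yet (try: gpupdate /target:computer /force)"
    return
}

$value = Get-ItemPropertyValue -Path $proxyKey -Name $realm -ErrorAction SilentlyContinue
if (-not $value) {
    Write-Warning "No KDC proxy entry for realm $realm under $proxyKey"
} elseif (Test-KdcProxyEntry -Value $value) {
    Write-Host "OK: $realm -> $value"
} else {
    Write-Warning "Unexpected KDC proxy entry for ${realm}: '$value' (expected '$expected')"
}

# Optional end-to-end check once the policy is in place: ask the client for a
# ticket-granting ticket from the cloud realm through the proxy.
# klist get krbtgt/$realm
```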
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Brian Arkills<br>
Microsoft Infrastructure service owner<o:p></o:p></p>
<p class="MsoNormal">UW-IT<o:p></o:p></p>
</div>
</body>
</html>