Enum SqlServerAuthenticationMethod
- Namespace: YndigoBlue.Velocity.Data.SqlServer
- Assembly: YndigoBlue.Velocity.dll
Specifies the authentication mechanism used when connecting to Microsoft SQL Server
with integrated or Azure Active Directory authentication
(UseIntegratedSecurity = true).
public enum SqlServerAuthenticationMethod
Fields
- WindowsIntegrated = 0: Windows Integrated Authentication (Kerberos / NTLM via SSPI). Maps to Integrated Security=SSPI in the connection string. The current Windows user's identity is forwarded to SQL Server without a password. The SQL Server instance must be configured to accept Windows Authentication, and the client machine must be domain-joined or on a trusted domain. Windows only.
- ActiveDirectoryPassword = 1: Azure Active Directory password authentication. Maps to Authentication=ActiveDirectoryPassword. Authenticates using an AAD username and password. Username and Password must be set. The Azure SQL server must have AAD authentication enabled.
- ActiveDirectoryIntegrated = 2: Azure Active Directory integrated authentication using cached Windows credentials. Maps to Authentication=ActiveDirectoryIntegrated. Uses the Windows user's existing AAD token obtained via SSPI/Kerberos. No password is required. The client machine must be AAD-joined or hybrid-joined to Active Directory. Windows only.
- ActiveDirectoryInteractive = 3: Azure Active Directory interactive authentication (multi-factor / browser-based). Maps to Authentication=ActiveDirectoryInteractive. Launches an interactive login prompt (including MFA challenges) when connecting. Requires a user-interactive desktop session and is not suitable for unattended or service connections.
- ActiveDirectoryManagedIdentity = 4: Azure Managed Identity authentication. Maps to Authentication=ActiveDirectoryManagedIdentity. Uses the system- or user-assigned Managed Identity attached to the hosting Azure resource (VM, App Service, Azure Functions, etc.). No username or password is required. The identity must be granted access to the Azure SQL server in AAD.
- ActiveDirectoryServicePrincipal = 5: Azure Active Directory service principal (application) authentication. Maps to Authentication=ActiveDirectoryServicePrincipal. Authenticates as an AAD application registration. Supply the application Client ID as Username and the client secret as Password. The service principal must be granted access to the Azure SQL server.
- ActiveDirectoryDefault = 6: Azure Active Directory default credential chain. Maps to Authentication=ActiveDirectoryDefault. Tries multiple credential providers in order: environment variables, workload identity, managed identity, Visual Studio, Azure CLI, Azure PowerShell, and interactive browser. Provides a single code path that works in both development (Azure CLI / VS credentials) and production (managed identity) without code changes.
- ActiveDirectoryWorkloadIdentity = 7: Azure Workload Identity authentication for Kubernetes workloads. Maps to Authentication=ActiveDirectoryWorkloadIdentity. Uses a federated token projected into the pod or container by the Azure AD Workload Identity webhook (AKS). Requires the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_FEDERATED_TOKEN_FILE to be set by the webhook. No password is used.
Remarks
When UseIntegratedSecurity is
true, Velocity omits User ID and Password from the connection string and
uses the selected mechanism for identity resolution.
On-premises vs Azure: WindowsIntegrated targets on-premises SQL
Server (and SQL Server on Azure VM) using Windows NTLM/Kerberos via SSPI. All
ActiveDirectory* values target Azure SQL Database / Azure SQL Managed Instance and
require the SQL Server to be registered with Azure Active Directory (Entra ID).
| Value | Connection string keyword | External requirement |
|---|---|---|
| WindowsIntegrated | Integrated Security=SSPI | Windows domain membership; SQL Server must accept Windows Authentication |
| ActiveDirectoryPassword | Authentication=ActiveDirectoryPassword | AAD user account; Azure SQL with AAD authentication enabled; Username + Password required |
| ActiveDirectoryIntegrated | Authentication=ActiveDirectoryIntegrated | AAD-joined or hybrid-joined Windows machine; cached Windows + AAD credentials |
| ActiveDirectoryInteractive | Authentication=ActiveDirectoryInteractive | Interactive user session; prompts for MFA; not suitable for unattended connections |
| ActiveDirectoryManagedIdentity | Authentication=ActiveDirectoryManagedIdentity | Azure resource with system- or user-assigned Managed Identity; no credentials |
| ActiveDirectoryServicePrincipal | Authentication=ActiveDirectoryServicePrincipal | AAD application registration; Client ID as Username, client secret as Password |
| ActiveDirectoryDefault | Authentication=ActiveDirectoryDefault | Tries env variables, workload identity, managed identity, CLI, and interactive browser in order |
| ActiveDirectoryWorkloadIdentity | Authentication=ActiveDirectoryWorkloadIdentity | AKS pod with Azure AD Workload Identity webhook; AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE env vars |
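
The requirements in the table can be checked before a connection is attempted. The following C# is an added example, not part of Velocity: a hypothetical `AuthLint.Lint` helper that parses a connection string with `System.Data.Common.DbConnectionStringBuilder` and reports where it contradicts the table. It assumes .NET 5 or later (for `OperatingSystem.IsWindows`) and that the keywords are spelled `User ID`, `Password`, `Integrated Security` and `Authentication`; the sample string is constructed.

```csharp
// Added example (not Velocity code); AuthLint and its rules are hypothetical.
using System;
using System.Collections.Generic;
using System.Data.Common;

static class AuthLint
{
    // Modes the table above documents as needing no password.
    static readonly string[] Passwordless = { "ActiveDirectoryIntegrated",
        "ActiveDirectoryManagedIdentity", "ActiveDirectoryWorkloadIdentity" };
    static readonly string[] WorkloadEnv = { "AZURE_CLIENT_ID", "AZURE_TENANT_ID",
        "AZURE_FEDERATED_TOKEN_FILE" };

    public static List<string> Lint(string connectionString, bool unattended)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        string Get(string k) => b.TryGetValue(k, out var v) ? v?.ToString() ?? "" : "";
        bool Is(string value, string expected) =>
            value.Equals(expected, StringComparison.OrdinalIgnoreCase);
        var findings = new List<string>();
        string auth = Get("Authentication");
        bool sspi = Is(Get("Integrated Security"), "SSPI");
        bool hasUser = Get("User ID") != "", hasPassword = Get("Password") != "";

        if (sspi && auth != "")  // each enum value maps to exactly one keyword
            findings.Add("Integrated Security=SSPI and Authentication= are both set");
        if ((Is(auth, "ActiveDirectoryPassword") || Is(auth, "ActiveDirectoryServicePrincipal"))
            && !(hasUser && hasPassword))
            findings.Add($"{auth} requires both User ID and Password");
        if (hasPassword && (sspi || Array.Exists(Passwordless, m => Is(auth, m))))
            findings.Add("Password is present but the selected mode does not use one");
        if ((sspi || Is(auth, "ActiveDirectoryIntegrated")) && !OperatingSystem.IsWindows())
            findings.Add("selected mode is Windows only");
        if (unattended && Is(auth, "ActiveDirectoryInteractive"))
            findings.Add("ActiveDirectoryInteractive needs an interactive desktop session");
        if (Is(auth, "ActiveDirectoryWorkloadIdentity"))
            foreach (var name in WorkloadEnv)
                if (string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name)))
                    findings.Add($"{name} is not set (the webhook should inject it)");
        return findings;
    }

    static void Main()
    {
        // Constructed sample; host, database and client ID are placeholders.
        const string cs = "Server=sql.example.invalid;Database=app;" +
            "Authentication=ActiveDirectoryServicePrincipal;User ID=<client-id>";
        Lint(cs, unattended: true).ForEach(Console.WriteLine);
    }
}
```

Running such a check in CI or at service start-up surfaces a leftover Password on a managed-identity connection, or an interactive mode configured for a service account, before the first connection attempt fails.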