Windows Authentication for SQL Managed Instance – LsaCreateTrustedDomainEx 0x549

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Windows Authentication for SQL Managed Instance was released in August 2022.

Windows Authentication for Azure AD principals for SQL Managed Instance is now Generally Available - Microsoft Community Hub

One of the two options for setting it up is the "incoming trust-based authentication flow".

How to set up Windows Authentication for Azure Active Directory with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn

When you run Set-AzureAdKerberosServer with -SetupCloudTrust to create the Trusted Domain Object (TDO), the command may fail with the error below.

Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName `
   -SetupCloudTrust

Error message:

Set-AzureADKerberosServer : LsaCreateTrustedDomainEx 0x549


This happens when the command is run with -SetupCloudTrust against a child domain of a multi-domain forest. That switch creates the TDO for the incoming trust from Azure AD Kerberos, and that trust must be created in the forest root domain. The code 0x549 is Win32 error 1353 (ERROR_INVALID_DOMAIN_ROLE): LSA refuses to create the trust because the child domain does not hold the required role.

The fix is to run the command with -SetupCloudTrust in the forest root domain. In each child domain, run the same command without -SetupCloudTrust; that still creates the Azure AD Kerberos server object for the child domain but does not try to create the trust there.

In summary, this is the procedure for creating the TDO in a multi-domain forest:

  • ROOT domain (include the -SetupCloudTrust parameter)

Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName `
   -SetupCloudTrust

  • CHILD domain (do not include the -SetupCloudTrust parameter)

Set-AzureAdKerberosServer -Domain $domain `
   -DomainCredential $domainCred `
   -UserPrincipalName $cloudUserName
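The two commands above differ only in whether -SetupCloudTrust is passed, and picking the wrong form on a child domain is exactly what produces the 0x549 error. The script below is an added example, not code from the original post or from Microsoft's documentation: it detects from Active Directory whether the domain it is run against is the forest root, builds the Set-AzureAdKerberosServer call accordingly, and then reads the object back with Get-AzureAdKerberosServer. It assumes the ActiveDirectory and AzureADHybridAuthenticationManagement modules are installed, that the account in $domainCred has the rights the documented procedure requires, and that the $cloudUserName value is a placeholder you replace; the CloudTrustDisplay property used in the final check is assumed from the cmdlet's output and is not described in the post.

```powershell
# Added example (not part of the original post). Chooses the root-domain or
# child-domain form of Set-AzureAdKerberosServer automatically, so that
# -SetupCloudTrust is only ever passed in the forest root domain.
Import-Module ActiveDirectory
Import-Module AzureADHybridAuthenticationManagement

# Assumptions: replace with the Azure AD account used for the setup, and
# supply domain credentials with the rights the documented procedure requires.
$cloudUserName = 'admin@contoso.onmicrosoft.com'
$domainCred    = Get-Credential -Message 'Domain credentials for Set-AzureAdKerberosServer'

# Determine the domain we are running against and the forest root.
$forestRoot = (Get-ADForest).RootDomain
$domain     = (Get-ADDomain).DNSRoot

# Common parameters for both forms of the command.
$params = @{
    Domain            = $domain
    DomainCredential  = $domainCred
    UserPrincipalName = $cloudUserName
}

if ($domain -eq $forestRoot) {
    # Forest root: this is the only place the cloud trust (TDO) can be created.
    $params['SetupCloudTrust'] = $true
    Write-Host "Forest root '$domain': creating the Azure AD Kerberos server object and the cloud trust"
}
else {
    # Child domain: create the Azure AD Kerberos server object only. Passing
    # -SetupCloudTrust here fails with LsaCreateTrustedDomainEx 0x549.
    Write-Host "Child domain '$domain' (forest root is '$forestRoot'): running without -SetupCloudTrust"
}

Set-AzureAdKerberosServer @params

# Read the object back. In the forest root the CloudTrustDisplay property is
# assumed to be populated once the trust exists; in a child domain it is not.
Get-AzureAdKerberosServer -Domain $domain -DomainCredential $domainCred -UserPrincipalName $cloudUserName |
    Format-List DomainDnsName, CloudDisplayName, CloudTrustDisplay, KeyUpdatedOn

# In the forest root, the new trust should also appear among the domain's TDOs.
if ($domain -eq $forestRoot) {
    Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
}
```

Run the script once on a domain controller (or a member with RSAT) in the forest root first, then once in each child domain; the root run must complete before the child runs so that the child domains are registering against a trust that already exists.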

Thank you!
