SQL Server or Azure SQL agent fails to authenticate to Azure SQL Database using Azure Active Directory (AAD) (Microsoft Entra Password) Authentication due to "Connection timed out"
The FglAM agent runs inside a Java Virtual Machine (JVM). When the agent attempts to use AAD authentication, the underlying Microsoft JDBC driver (through the MSAL4J library) needs to reach the Azure AD/Entra ID identity endpoint (login.microsoftonline.com) to obtain an authentication token.
The "Connection timed out" error occurs because the JVM running the FglAM process is unaware of, or incorrectly configured for, the corporate web proxy. As a result, the AAD request either attempts a direct connection that cannot leave the FglAM server's network, or the proxy blocks the required traffic.
The MSAL4J library, being a Java component, does not automatically pick up the Windows-level proxy settings that SSMS uses successfully. The JVM must be explicitly instructed to use the proxy server.
The two applications use different network stacks, which are configured via different methods:
Application / Component | Technology Stack | Proxy Configuration Method |
SSMS | Microsoft .NET / Windows | Automatic inheritance from Windows system settings (WinInet) or the .NET configuration file (machine.config). |
SQL Server or Azure SQL agent (MSAL4J) | Java Virtual Machine (JVM) | Explicit configuration via Java system properties (-Dhttp.proxyHost, -Dhttps.proxyHost, and related properties) in baseline.jvmargs.config. |
To summarize, Windows tells SSMS "use this proxy". The Foglight JVM does not see that Windows setting, so it attempts a direct connection, which the firewall blocks, leading to the Connection timed out error.
The MSAL4J library needs to perform a TLS handshake with login.microsoftonline.com on port 443 to acquire the authentication token.
When a client wants to make an HTTPS connection through a standard HTTP proxy, it first sends a CONNECT request to the proxy server (e.g., CONNECT login.microsoftonline.com:443 HTTP/1.1). The proxy then opens a tunnel (the HTTP CONNECT method) through itself to the external HTTPS destination, and the TLS handshake runs end to end inside that tunnel, so the proxy never sees the token exchange in clear text.
The JVM argument -Dhttps.proxyHost tells the Java runtime to use a proxy for all secure (HTTPS) connections.
If only the -Dhttp.proxyHost parameter is set, Java uses the proxy only for plain (unencrypted) HTTP connections. The critical secure connection to Azure AD then bypasses the proxy entirely, and the firewall blocks the direct attempt, leading to the Connection timed out error.
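The CONNECT exchange described above, as an added example that is not part of the original article: a client side that builds the CONNECT request the JVM sends when https.proxyHost is set, and a toy proxy that answers with 200 Connection established, or 407 Proxy Authentication Required when it is not satisfied. Both sides are in-memory functions operating on bytes, so nothing leaves the machine. The proxy realm is assumed; the user name and password are the placeholder values from the -D arguments in this article.

```python
"""Simulated HTTP CONNECT tunnel handshake (added example, not Foglight code)."""
import base64
from typing import Dict, Optional, Tuple

PROXY_REALM = "corp-proxy"        # assumed realm name for the toy proxy
PROXY_USER = "my_proxy_user"      # placeholder credentials from the article
PROXY_PASSWORD = "mypassword"


def build_connect_request(host: str, port: int, user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """What a client sends to an HTTP proxy to open a tunnel to host:port.
    The request names the *destination*; the TLS handshake happens later,
    inside the tunnel. Basic proxy credentials are optional."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request or response head into (first line, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    first, *rest = head.decode().split("\r\n")
    headers: Dict[str, str] = {}
    for line in rest:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return first, headers


def proxy_handle_connect(request: bytes, schemes=("Basic",)) -> bytes:
    """Toy proxy. Accepts the CONNECT only when the client authenticates with
    a scheme the proxy offers. schemes=("NTLM",) models a proxy that insists
    on NTLM, which a single Proxy-Authorization: Basic header cannot satisfy;
    that is the situation the NTLM note in the article describes."""
    request_line, headers = parse_head(request)
    method, _target, _version = request_line.split(" ")
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    authenticated = False
    if scheme == "Basic" and "Basic" in schemes:
        user, _, password = base64.b64decode(token).decode().partition(":")
        authenticated = (user, password) == (PROXY_USER, PROXY_PASSWORD)
    if not authenticated:
        challenge = ", ".join(
            f'Basic realm="{PROXY_REALM}"' if s == "Basic" else s for s in schemes)
        return (f"HTTP/1.1 407 Proxy Authentication Required\r\n"
                f"Proxy-Authenticate: {challenge}\r\n\r\n").encode()
    # From here a real proxy relays opaque TLS bytes between client and target.
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def tunnel_status(host: str, port: int, user: Optional[str] = None,
                  password: Optional[str] = None, schemes=("Basic",)) -> int:
    """Run one client/proxy exchange and return the proxy's status code."""
    request = build_connect_request(host, port, user, password)
    status_line, _ = parse_head(proxy_handle_connect(request, schemes))
    return int(status_line.split(" ")[1])


if __name__ == "__main__":
    host, port = "login.microsoftonline.com", 443
    print("no credentials      ->", tunnel_status(host, port))
    print("valid Basic         ->", tunnel_status(host, port, PROXY_USER, PROXY_PASSWORD))
    print("Basic, NTLM-only    ->", tunnel_status(host, port, PROXY_USER, PROXY_PASSWORD, ("NTLM",)))
```

The 407 path shows why an authenticated proxy needs the user/password properties, and the NTLM-only path shows why a Basic header alone is not enough when the proxy only offers NTLM.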
Force the Java Virtual Machine (JVM) running the Foglight component (either the Management Server or the Agent Manager) to use your corporate proxy.
Ensure the following parameters are added to the Foglight Agent Manager (FglAM) startup configuration file (e.g., baseline.jvmargs.config).
-Dhttp.proxyHost=proxy.company.com
-Dhttp.proxyPort=8080
-Dhttps.proxyHost=proxy.company.com
-Dhttps.proxyPort=8080
If the proxy requires authentication:
-Dhttp.proxyUser=my_proxy_user
-Dhttp.proxyPassword=mypassword
Note: The -Dhttps.proxyHost and -Dhttps.proxyPort parameters are critical. Without them, the JVM will not route HTTPS traffic through the proxy, and the connection to Azure AD will fail.
Note: -Dhttp.proxyUser and -Dhttp.proxyPassword store the proxy credentials in clear text in the configuration file and expose them on the JVM command line, where anyone who can list processes on the host can read them. Restrict access to the file and the host, use a dedicated proxy account with no other privileges, and prefer an unauthenticated proxy exception for the Entra ID endpoints where your network team allows it. Also note that since Java 8u111 the JDK's built-in HTTP client does not send Basic credentials on a CONNECT tunnel by default (property jdk.http.auth.tunneling.disabledSchemes=Basic), so proxy authentication can still fail with the user/password properties set; clearing that property (-Djdk.http.auth.tunneling.disabledSchemes=) re-enables Basic on the tunnel.
NTLM proxy note: If your environment uses NTLM authentication for the proxy, the basic -D arguments often fail. The most reliable fix in this scenario is to request an exclusion/bypass from your network team to allow the FglAM server to reach the Microsoft Entra ID endpoint (login.microsoftonline.com on port 443) without passing through the authenticated proxy.
To verify that the proxy itself can reach the identity endpoint, run the following from the FglAM host in PowerShell:
$proxy = "http://proxy.company.com:8080"
$url = "https://login.microsoftonline.com"
Invoke-WebRequest -Uri $url -UseBasicParsing -Proxy $proxy -TimeoutSec 30
Expected result: a StatusCode of 200 (OK) or 302 (Redirect).
Note that Invoke-WebRequest uses the Windows/.NET network stack, not the JVM. A success here confirms that the proxy path to login.microsoftonline.com works; if the agent still times out after this test passes, the problem is in the JVM arguments, not the proxy.
Endpoints the FglAM host must be able to reach:
login.microsoftonline.com (required for the authentication token)
its-mdm-uat-sql.database.windows.net (the Azure SQL Database server itself)
https://graph.microsoft.com (if accessing Graph data)
Alternative: bypass the proxy for the identity endpoints. If the network team grants the FglAM host direct outbound access to the Entra ID endpoints (for example because the proxy requires NTLM), exclude those hosts from proxying in the same JVM argument file:
-Dhttp.nonProxyHosts="login.microsoftonline.com|login.windows.net|aadcdn.msftauth.net"
The JVM applies http.nonProxyHosts to HTTPS connections as well; there is no separate https.nonProxyHosts property.
Ensure the Foglight Agent host has direct outbound access to these domains over port 443:
login.microsoftonline.com
login.windows.net
aadcdn.msftauth.net
This can be done via PAC files, proxy configuration policies, or firewall rules that exclude these domains from proxy interception.
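A check for the two configuration paths above (the -D proxy parameters and the http.nonProxyHosts exclusion), as an added example that is not part of the original article or of Foglight: it parses the -D properties from a baseline.jvmargs.config-style file, flags the misconfigurations this article describes, and reports whether the JVM will send each required endpoint through the proxy or directly. It assumes the file holds one JVM argument per line with # comments; the two configurations are constructed samples, the nonProxyHosts matcher approximates the JDK rule ('|'-separated patterns, '*' as wildcard, the same list applied to HTTPS), and the SQL server name is the one quoted in this article.

```python
"""Audit FglAM JVM proxy arguments (added example, not Foglight's code)."""
import re
from typing import Dict, List

# Constructed sample reproducing the classic mistake: only http.* is set, so
# the HTTPS token request to Entra ID bypasses the proxy and times out.
BROKEN_CONFIG = """
# Foglight Agent Manager JVM arguments (constructed sample, assumed format)
-Xmx2048m
-Dhttp.proxyHost=proxy.company.com
-Dhttp.proxyPort=8080
-Dhttp.proxyUser=my_proxy_user
-Dhttp.proxyPassword=mypassword
"""

# Constructed sample of a corrected file: https.* present, no clear-text
# password, and a nonProxyHosts list for hosts that must not go via the proxy.
FIXED_CONFIG = """
-Xmx2048m
-Dhttp.proxyHost=proxy.company.com
-Dhttp.proxyPort=8080
-Dhttps.proxyHost=proxy.company.com
-Dhttps.proxyPort=8080
-Dhttp.nonProxyHosts="localhost|127.0.0.1|*.database.windows.net"
"""

# Hosts from the article and how each is reached. The JDBC/TDS connection to
# the SQL server is plain TCP and ignores the http(s).proxy* properties.
ENDPOINTS = {
    "login.microsoftonline.com": "https",
    "its-mdm-uat-sql.database.windows.net": "tds",
    "graph.microsoft.com": "https",
}


def parse_jvm_args(text: str) -> Dict[str, str]:
    """Collect -Dkey=value pairs; a later line overrides an earlier one."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-D"):
            continue                      # blank, comment, -Xmx, etc.
        key, _, value = line[2:].partition("=")
        props[key] = value.strip('"')
    return props


def matches_non_proxy_hosts(host: str, patterns: str) -> bool:
    """Approximate JDK semantics: '|'-separated patterns, '*' wildcard."""
    for pattern in patterns.split("|"):
        pattern = pattern.strip()
        if not pattern:
            continue
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, host, re.IGNORECASE):
            return True
    return False


def route_for(host: str, props: Dict[str, str]) -> str:
    """'proxy' or 'direct' for an HTTPS connection opened by the JVM."""
    if not props.get("https.proxyHost"):
        return "direct"                   # http.proxyHost alone does not cover HTTPS
    if matches_non_proxy_hosts(host, props.get("http.nonProxyHosts", "")):
        return "direct"
    return "proxy"


def audit(text: str) -> List[str]:
    """Return human-readable findings for one JVM argument file."""
    props = parse_jvm_args(text)
    findings: List[str] = []
    if props.get("http.proxyHost") and not props.get("https.proxyHost"):
        findings.append("https.proxyHost missing: HTTPS to Entra ID bypasses the proxy")
    if props.get("https.proxyHost") and not props.get("https.proxyPort"):
        findings.append("https.proxyPort missing")
    if "http.proxyPassword" in props:
        findings.append("proxy password stored in clear text in the JVM arguments")
    if "https.nonProxyHosts" in props:
        findings.append("https.nonProxyHosts is not a JDK property; use http.nonProxyHosts")
    for host, protocol in ENDPOINTS.items():
        if protocol == "https":
            findings.append(f"{host}: {route_for(host, props)}")
        else:
            findings.append(f"{host}: TDS over TCP, unaffected by proxy settings (needs a firewall route)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN_CONFIG), ("FIXED", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

Run it against the real file on the FglAM host by passing its contents to audit(); the routing lines tell you at a glance whether login.microsoftonline.com will leave via the proxy or directly, which is the question the timeout hinges on.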