Integrated Windows Authentication with IIS, Firefox and SQL Server

Problem description

I have a web site running on IIS on my localhost. This web site has directory security set to only allow Integrated Windows Authentication. It is part of an intranet and needs to authenticate by our domain accounts.

I then connect to SQL Server with Integrated Security = SSPI in the connection string.

This works fine with Microsoft Internet Explorer, it automatically authenticates me as I am logged into the domain, and I can see that the logon_user is my domain account, and the SQL Server connection string works just fine.

However, when I log in using Firefox, things are different.

Firstly, I am prompted to authenticate, which is fine and correct as Firefox is not configured to trust the localhost enough to automatically send credentials (and indeed I am aware of how to introduce this trust already, this is not the problem). I then login, which again is fine, provided I enter the domain account details everything is fine. Indeed, a debug statement or two show that logon_user is still my domain account and everything is fine.

However, when I come to connect to SQL Server (which is running on a remote server box, to which my domain account has full sysadmin privileges), I get the following error:

Microsoft OLE DB Provider for SQL Server (0x80040E4D)
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

This indicates to me that something is wrong in the authentication stack, for some reason, IIS is not running as the authenticated account when I authenticate using Windows authentication from Firefox.

This also works fine when using Google Chrome.

Any suggestions?

Recommended answer

As noted by Pontus Gagge, IIS needs to pass a Kerberos ticket to SQL Server. That was enough to tip my Google-fu in the right direction.

Firefox supports Kerberos, but you have to tell it which domains it trusts to send the Kerberos tokens to.

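  1. Open Firefox
  2. Type in the address bar: about:config
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, type in the filter box: network.negotiate-auth
  5. Modify network.negotiate-auth.trusted-uris by double-clicking the row and entering yourdomain.com
  6. Multiple domains can be added by comma-delimiting them, such as yourdomain.com, yourotherdomain.com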

Note: This is not the same as gbn's solution, which just configures Firefox to not prompt you to enter domain account details on login.

Also, if you have already tried to authenticate through the stack in your current Firefox session, you will need to restart Firefox for this to work.
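
An added diagnostic, not part of the original answer: the Python sketch below classifies the token a browser sends in its Authorization header as Kerberos or NTLM, which shows whether the network.negotiate-auth.trusted-uris change took effect. The function name and the sample tokens are constructed for illustration, and the classification is a byte-signature heuristic rather than a full ASN.1 parse.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that identify Kerberos inside a Negotiate token.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft form)
)


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'none' or 'unknown' for an Authorization header value."""
    parts = (header_value or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "none"  # anonymous request, or another scheme such as Basic
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "unknown"
    # Raw NTLM, or NTLM carried as the mechToken of a SPNEGO wrapper.
    if NTLM_SIG in token:
        return "ntlm"
    # GSS-API initial tokens start with ASN.1 tag 0x60 and name their mechanism by OID.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


# Constructed samples (not captured traffic): an NTLM type 1 message with zeroed
# fields, and a SPNEGO NegTokenInit that offers only Kerberos and carries no ticket.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIG + (1).to_bytes(4, "little") + bytes(20)
).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    bytes.fromhex("601b06062b0601050502a011300fa00d300b06092a864886f712010202")
).decode()

if __name__ == "__main__":
    for name, value in (("NTLM sample", SAMPLE_NTLM), ("Kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_authorization(value))
```

Paste the Authorization header value from the browser's network capture of a request to the site; a result of "ntlm" after the configuration change means Firefox is still not sending a Kerberos token for that host.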
