获取IIS冒充Windows用户到SQL Server在Intranet环境 [英] Getting IIS to impersonate the windows user to SQL server in an intranet environment
问题描述
我正在开发使用C#和ASP.NET MVC的内部网站上。我有一台机器上的SQL Server和一个单独的机器上运行IIS。我想用户访问内网网站,不提示用户的Internet Explorer发送用户的Windows凭据IIS,然后将这些被传递到SQL Server意味着SQL Server可以看到用户访问数据库。
I am developing an intranet site using C# and ASP.NET MVC. I have SQL Server on one machine and IIS running on a separate machine. I would like a user to visit the intranet site and without prompting the user internet explorer sends the users windows credentials to IIS and these are then passed to sql server meaning sql server can see the user accessing the database.
我知道在Kerberos双跳问题,而正是这种我试图避开。在present我可以让IE通过Windows凭据到IIS和验证罚款。我只是不能让IIS对这些凭据传递到SQL Server,而是请求正在被设置为一个域服务帐户HTU \\ SRV-HTU-IIS。
I am aware of the Kerberos double hop issue and it is this I am trying to get around. At present I can get IE to pass the windows credentials to IIS and authenticate fine. I just cannot get IIS to pass on those credentials to SQL Server and instead the request currently runs under the app pool identity which is set to a domain service account "htu\srv-htu-iis".
我的设置如下:
的Web.Config
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
连接字符串
connection string="data source=hturesbsqlp01;initial catalog=R2_Dev;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework""
IIS身份验证设置
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Forms Authentication = Disabled
Windows Authentication = Enabled
IIS应用程序池设置
Managed Pipeline = Integrated
Identity = htu\srv-htu-iis (domain service account)
Active Directory中设置
域名服务帐户HTU \\ SRV-HTU-IIS已经有一个服务主体名称一套我们的网站与帐户相关联。
The domain service account htu\srv-htu-iis has had a service principal name set which associates our site with the account.
活动目录
Allow Delagation to any service
SQL Server在其自己的SQL域服务帐户下运行。
SQL Server is running under its own SQL Domain Service account.
测试
我跑到下面的code测试:
I ran the following code tests:
System.Web.HttpContext.Current.User.Identity.Name
这正确返回窗口访问该网站的用户的凭据
this correctly return the windows credentials of the user accessing the site
System.Security.Principal.WindowsIdentity.GetCurrent().Name
返回域服务帐户HTU \\ SRV-HTU-IIS,这是什么样的应用程序池标识下运行。
return the domain service account "htu\srv-htu-iis" which is what the app pool identity is running under.
任何人都可以提供方向的地方,我可能会去错了吗?
Can anyone provide direction as to where I might be going wrong?
推荐答案
好了给任何人参观的未来这个问题。我解决了这个通过重新启动IIS服务...卫生署!看来我的设置被罚款只需要服务的全面启动!
Well to anyone visiting this question in the future. I resolved this by restarting the IIS Service...doh! Seems my settings were fine just need a full restart of the service!
这篇关于获取IIS冒充Windows用户到SQL Server在Intranet环境的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
