集成Windows身份验证与IIS,火狐和SQL Server [英] Integrated Windows Authentication with IIS, Firefox and SQL Server
问题描述
我有一个网站在我的本地运行在IIS上。本网站已设置为只允许集成Windows身份验证目录安全性。这是一个企业内部网的组成部分,需要我们域帐户进行身份验证。
I have a web site running on IIS on my localhost. This web site has directory security set to only allow Integrated Windows Authentication. It is part of an intranet and needs to authenticate by our domain accounts.
我然后连接到具有集成安全= SSPI SQL Server的连接字符串中
I then connect to SQL Server with Integrated Security = SSPI in the connection string.
这正常工作与Microsoft Internet Explorer作为我登录到域,它会自动验证我,我可以看到LOGON_USER是我的域帐户和SQL Server连接字符串的工作就好了。
This works fine with Microsoft Internet Explorer, it automatically authenticates me as I am logged into the domain, and I can see that the logon_user is my domain account, and the SQL Server connection string works just fine.
然而,当我登录使用Firefox,情况就不同了。
However, when I log-in using Firefox, things are different.
首先,我被提示进行身份验证,火狐没有配置为信任本地主机足以自动发送凭据这是很好的,正确的(实际上我知道如何已经引进这种信任,这是没问题的) 。然后我登录,而这又是罚款,只要我输入域帐户的细节,一切都很好。事实上,调试语句或两个显示LOGON_USER仍然是我的域帐户,一切都很好。
Firstly, I am prompted to authenticate, which is fine and correct as Firefox is not configured to trust the localhost enough to automatically send credentials (and indeed I am aware of how to introduce this trust already, this is not the problem). I then login, which again is fine, provided I enter the domain account details everything is fine. Indeed, a debug statement or two show that logon_user is still my domain account and everything is fine.
然而,当我来连接到SQL Server(这是在远程服务器上运行框中,到我的域帐户具有完全系统管理员权限),我收到以下错误:
However, when I come to connect to SQL Server (which is running on a remote server box, to which my domain account has full sysadmin privileges), I get the following error:
Microsoft OLE DB Provider for SQL Server (0x80040E4D)
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
这表明对我来说,什么是错的认证堆栈,出于某种原因,IIS没有运行作为身份验证的帐户,当我验证使用Windows从Firefox的认证。
This indicates to me that something is wrong in the authentication stack, for some reason, IIS is not running as the authenticated account when I authenticate using windows authentication from firefox.
本使用谷歌Chrome浏览器的时候也能正常工作。
This also works fine when using Google Chrome.
有什么建议?
推荐答案
为<一个href=\"http://stackoverflow.com/questions/733237/integrated-windows-authentication-with-iis-firefox-and-sql-server/733313#733313\">noted由庞Gagge ,IIS需要传递的的Kerberos 票到SQL Server。这是足以打破我的谷歌福在正确的方向。
AS noted by Pontus Gagge, IIS needs to pass a Kerberos ticket to SQL Server. That was enough to tip my Google-fu in the right direction.
火狐支持Kerberos,但是,你要告诉它信任发送Kerberos标记过哪些域。
Firefox supports Kerberos, but, you have to tell it which domains it trusts to send the Kerberos tokens too.
- 开启火狐
- 在地址栏中输入:about:config中
- Firefox3.x后来要求你同意,你会谨慎行事。
- 的配置页面加载后,在过滤框中键入:network.negotiate-AUTH
- 双击修改network.negotiate-auth.trusted-URI的单击行,并输入yourdomain.com
- 多个域可以用逗号添加分隔它们,如yourdomain.com,yourotherdomain.com
注意:这是的不的一样 GBN 的<一个href=\"http://stackoverflow.com/questions/733237/integrated-windows-authentication-with-iis-firefox-and-sql-server/733309#733309\">solution刚刚配置火狐不会提示您在登录时输入域帐户的详细信息。
Note: This is not the same as gbn's solution which just configures firefox to not prompt you to enter domain account details on login.
另外,如果你已经尝试通过在当前Firefox会话堆栈进行身份验证,则需要重新启动Firefox这个工作。
Also, if you have already tried to authenticate through the stack in your current Firefox session, you will need to restart Firefox for this to work.
这篇关于集成Windows身份验证与IIS,火狐和SQL Server的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
