远程服务模拟说用户'NT Authority \Anonymous Logon'登录失败, [英] Impersonation on remote service says Login failed for user 'NT Authority\Anonymous Logon'
问题描述
我要访问数据库时,我想访问数据库的
使用呼叫身份的凭证,我想的服务。
I have a service that I want to when accessing databases I want to access databases to use the calling identities credentials.
在我访问特定数据库我用
Before I access a particular database I do an impersonation by
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database
ctx.Undo();
在服务我的电脑上本地运行此方案正常工作。另一个远程PC上部署然而,当我得到的错误:
This scenario works fine when the service runs locally on my PC. However when deployed on another remote PC I get the error:
用户登录失败'NT Authority\Anonymous登录
Login failed for user 'NT Authority\Anonymous Logon"
只要它试图访问数据库。
as soon as it tries to access the database.
有人告诉我,由DBAdmin在SQL Server有一个SPN。
I have been told by DBAdmin that the SQL Server has an SPN.
在该服务下运行的帐户是一个域帐户。
The account under which the service runs under is a domain account.
推荐答案
您最有可能遇到的问题是代表团,而不是模拟。
The problem you most likely experiencing is Delegation as opposed Impersonation.
我假设在生产环境中你确实有你的Web浏览器,IIS服务器和SQL Server都在不同的机器上。
I assume in your production environment you actually have your Web Browser, your IIS Server and SQL Server are all on different machines.
简单的模拟不支持多跳。
要支持多-Hop 你需要设置的Kerberos 与代表团,你将不得不设置在在。一旦做到这一点,还需要启用 SPN 记录的Active Directory Delgation 有关广告的IIS机器。
To support Multi-Hop you need to setup Kerberos with Delegation. You are going to have to setup the SPN records on your Active Directory. Once that is done, you also need to enable Delgation for the IIS machine on your AD.
在短,代表团是蠕虫的一个巨大的可以。
In short, Delegation is a HUGE can of worms.
这篇关于远程服务模拟说用户'NT Authority \Anonymous Logon'登录失败,的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
