远程服务模拟说用户'NT Authority \Anonymous Logon'登录失败, [英] Impersonation on remote service says Login failed for user 'NT Authority\Anonymous Logon'
问题描述
我要访问数据库时,我想访问数据库的
使用呼叫身份的凭证,我想的服务。
I have a service that I want to when accessing databases I want to access databases to use the calling identities credentials.
在我访问特定数据库我用
Before I access a particular database I do an impersonation by
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database
ctx.Undo();
在服务我的电脑上本地运行此方案正常工作。另一个远程PC上部署然而,当我得到的错误:
This scenario works fine when the service runs locally on my PC. However when deployed on another remote PC I get the error:
用户登录失败'NT Authority\Anonymous登录
Login failed for user 'NT Authority\Anonymous Logon"
只要它试图访问数据库。
as soon as it tries to access the database.
有人告诉我,由DBAdmin在SQL Server有一个SPN。
I have been told by DBAdmin that the SQL Server has an SPN.
在该服务下运行的帐户是一个域帐户。
The account under which the service runs under is a domain account.
推荐答案
您最有可能遇到的问题是代表团
,而不是模拟
。
The problem you most likely experiencing is Delegation
as opposed Impersonation
.
我假设在生产环境中你确实有你的Web浏览器,IIS服务器和SQL Server都在不同的机器上。
I assume in your production environment you actually have your Web Browser, your IIS Server and SQL Server are all on different machines.
简单的模拟不支持多跳
。
要支持多-Hop
你需要设置的Kerberos
与代表团
,你将不得不设置在在
。一旦做到这一点,还需要启用 SPN
记录的Active Directory Delgation
有关广告的IIS机器。
To support Multi-Hop
you need to setup Kerberos
with Delegation
. You are going to have to setup the SPN
records on your Active Directory
. Once that is done, you also need to enable Delgation
for the IIS machine on your AD.
在短,代表团是蠕虫的一个巨大的可以。
In short, Delegation is a HUGE can of worms.
这篇关于远程服务模拟说用户'NT Authority \Anonymous Logon'登录失败,的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!