ASP.Net web application trying to use Impersonation and Delegation to connect to SQL Server


Question


I'm trying to use Impersonation and Delegation in an intranet ASP.Net web-app in order to pass authenticated users' credentials onto a SQL Server.


The web server and SQL server are two separate machines, but in the same domain, so Delegation is required.

I've done the following:

  • set <authentication mode="Windows"/> and <identity impersonate="true"/> in my web-app's web.config.
  • enabled Constrained Delegation from the web server to the MSSQLSvc service on the SQL Server, in Active Directory.
  • enabled only Windows Authentication in the website, through IIS.


Apparently this should all work, but it doesn't (the SQL Server is denying access to the anonymous user - "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'").


In IIS7, the Application Pool is set to use Integrated Pipeline Mode and is running with the NetworkService Identity. The website only has Windows Authentication enabled, Extended Protection is Off, Kernel-mode authentication is enabled, and NTLM is the provider.


All the web pages I've read seem to indicate that my setup should work. What am I missing?

Recommended answer

I found the answer:


The Windows Authentication provider in IIS7 must be set to Negotiate:Kerberos, not NTLM. This means that the Kernel-mode authentication setting must be disabled. This seems to be fine. I think I'm right in saying that Kernel-mode authentication is required when using a custom identity, i.e. one specific identity. Delegation can use an arbitrary number of identities. So all is well.


I've written a blog post about this too, which goes into a bit more detail.
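The settings from the question and the answer written out as one site-level web.config, as an added example that is not configuration from the original post or from the author's blog. It assumes the `windowsAuthentication` section has been unlocked for the site in applicationHost.config (IIS locks it at the server level by default), that the app pool runs as NetworkService as in the question, and that the SPN and constrained-delegation setup from the question is already in place.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- From the question: Windows authentication, and run each request as the caller. -->
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>

  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />

        <!-- Failing setup from the question, kept here commented out for comparison.
             NTLM never produces a forwardable Kerberos ticket, so the second hop
             to SQL Server arrives as NT AUTHORITY\ANONYMOUS LOGON.
        <windowsAuthentication enabled="true" useKernelMode="true">
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        -->

        <!-- Working setup from the answer: Kerberos only, kernel-mode off.
             Caveat (not from the post): kernel-mode authentication decrypts tickets
             with the machine account's key; if the pool later runs as a custom domain
             account that owns the SPN, keep useKernelMode="true" only together with
             useAppPoolCredentials="true". -->
        <windowsAuthentication enabled="true" useKernelMode="false">
          <providers>
            <clear />
            <add value="Negotiate:Kerberos" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

To confirm the fix from the web app's own connection, run `SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;` on the SQL Server: it should return the browsing user's account and KERBEROS rather than ANONYMOUS LOGON and NTLM.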
