ASP.NET中的模拟和委派(使用SQL Server) [英] Impersonation and delegation (with SQL Server) in ASP.NET

问题描述

我已经编写了一个简单的ASP.NET应用程序，用作简单MSSQL数据库的前端.该应用程序可以通过Internet访问.

I've written a simple ASP.NET application that works as a frontend for a simple MSSQL database. The application is accessible over the Internet.

涉及到两个物理服务器:一个同时运行MSQL Server 2008 R2的WS2008R2 Active Directory域控制器和另一个服务器，即我的应用程序所在的Web服务器(WS2008R2/IIS7.5).

There are two physical servers involved: a WS2008R2 Active Directory domain controller which is also running MSQL Server 2008 R2, and another server, the webserver (WS2008R2/IIS7.5) where my application resides.

我的应用程序"FooPool"的应用程序池具有其自己的AD用户身份，它在"FooUser"下运行. FooUser没有访问SQL Server数据库的任何权限，而是只有我自己的个人用户帐户"MyUser"拥有该权限.

The Application Pool for my application "FooPool" has its own AD User identity it runs under "FooUser". FooUser does not have any permission to access the SQL Server database, instead only my own personal user account "MyUser" has that permission.

这个想法是，尝试访问此Web应用程序首先要使用IIS执行Windows身份验证，然后我的Web应用程序将使用模拟来访问SQL Server数据库.

The idea is that attempts to access this web application first perform Windows Authentication with IIS, my web application then uses Impersonation to access the SQL Server database.

但是我的应用程序无法正常工作.

However my application does not work.

我在不接触SQL Server的情况下测试了该应用程序，只是为了测试模拟，因此我做了Response.Write(WindowsIdentity.GetCurrent(false).Name);正确显示了模拟MyUser而不是FooUser的应用程序.这适用于所有现代浏览器和整个Internet.

I tested the application without it touching SQL Server, just to test impersonation, so I did Response.Write( WindowsIdentity.GetCurrent(false).Name ); which correctly shows the application impersonating MyUser and not acting as FooUser. This works from all modern browsers and across the Internet.

但是，一旦接触到MSSQL Server，我将收到错误消息用户'NT AUTHORITY \ ANONYMOUS LOGON'登录失败."但这不会发生，因为没有用户令牌可用于匿名登录.

But as soon as it touches MSSQL Server I get the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." but that should not be happening because no user tokens are for Anonymous Logon.

我已经完成作业，并阅读了有关ASP.NET中的委托和模拟的所有信息，并设置了委托:FooUser帐户具有服务主体名称设置(我将SPN设置为任意字符串，是正确吗?)，并在ADUC中标记为要委派.

I've done my homework and read all about Delegation and Impersonation in ASP.NET and I have set up delegation: The FooUser account has a Service Principal Name set-up (I set the SPN to an arbitrary string, is that doing it right?) and is marked for delegation in ADUC.

最后，我的连接字符串启用了SSPI，禁用了连接池，并且网络库设置为"dbmssocn".

Finally, my connection string has SSPI enabled, Connection pooling disabled, and the network library set to "dbmssocn".

我还能忘记什么?

推荐答案

完成委派工作的配置，您必须启用约束委派:

Finishing the Configuration for Delegation to Work you must enable constrained delegation:

1. 打开 Active Directory用户和计算机
2. 找到IIS网站用于Web应用程序池的用户帐户，然后双击它
3. 选择选项:信任此用户以委派给指定的用户
   仅限服务.
4. 确保用户受限于 与MSSQLSvc服务关联的SPN
5. 重新启动IIS

1. Open Active Directory Users and Computers
2. Find the user account that the IIS Web site is using for the web application pool and double-click it
3. Select the option: Trust this user for delegation to specified
   services only.
4. Make sure that the user is constrained to the SPN associated with the MSSQLSvc service
5. Restart IIS

查看全文