Kerberos的双跃在ASP.NET 4.0和放大器; SQL2008R2 [英] Kerberos double-hop in ASP.NET 4.0 & SQL2008R2
问题描述
我有一个ASP.NET 4.0应用程序内,我需要的认证转发到数据库。
对于这个请求援助的目的,让我们称之为Web服务器APP1和数据库服务器SQL1。
I have an ASP.NET 4.0 application within which I need to forward the authentication to the database. For the purposes of this request for assistance, lets call the web server "app1" and the database server "sql1".
该SQL2008R2数据库服务正在运行作为下一个自定义的域帐户的SqlServer命名实例SQL2008R2。服务器运行Windows Server 2008 R2企业版。
我已经创建了一个SPN这个...
The SQL2008R2 database service is running as a named instance "SQL2008R2" under a custom domain account "SqlServer". The server is running Windows Server 2008 R2 Enterprise Edition. I have created an SPN for this...
setspn -a MSSQLSvc/sql1.mydomain.local:SQL2008R2 SqlServer
在ASP.NET应用程序中使用自定义的域帐户WebApplicationUser,在综合管道模式下应用程序池中运行。这是目前运行在我的笔记本上运行Windows 7企业版,但最终将在Windows Server 2008 R2标准版上托管。
我创建了2 SPN的应用程序...
The ASP.NET application is running under an application pool using a custom domain account "WebApplicationUser", in Integrated Pipeline mode. It is currently running on my laptop running Windows 7 Enterprise, but will eventually be hosted on Windows Server 2008 R2 Standard Edition. I have created 2 SPN's for the application (on the Windows 7 machine that I am currently running from)...
setspn -a http/app1 WebApplicationUser
setspn -a http/app1.mydomain.local WebApplicationUser
在Active Directory用户和计算机中,我选择了WebApplicationUser帐户,我已经启用约束委派。为MSSQLSvc / sql1.mydomain.local:SQL2008R2使用任何协议(我一直在使用Kerbero也尝试过只)
Within Active Directory users and Computers, I have selected the "WebApplicationUser" account and I have enabled constrained delegation to "MSSQLSvc/sql1.mydomain.local:SQL2008R2" using any protocol (I have also tried using Kerbero only).
的应用是建立在IIS 7.5和身份验证设置为禁止匿名者,基本,摘要和表单,同时使ASP.NET模拟和窗口。在Windows身份验证扩展保护关闭,内核模式身份验证功能。该供应商的顺序被协商和NTLM。
The Application is setup in IIS 7.5 and the authentication is set to disable Anonymouse, Basic, Digest and Forms whilst enabling "ASP.NET Impersonation" and "Windows". The Windows authentication has "Extended protection" turned off and "Kernel-mode authentication" enabled. The providers are "Negotiate" and "NTLM" in that order.
在ASP.NET应用程序使用EF和连接字符串被配置为使用集成的安全...
The ASP.NET application uses EF, and the connection string is configured to use integrated security...
<connectionStrings>
<add name="MyContext"
connectionString="metadata=res://*/Data.MyModel.csdl|res://*/Data.MyModel.ssdl|res://*/Data.MyModel.msl;provider=System.Data.SqlClient;provider connection string="Data Source=sql1.mydomain.local\sql2008r2;Initial Catalog=MyDatabase;Persist Security Info=false;Integrated Security=True;MultipleActiveResultSets=True""
providerName="System.Data.EntityClient" />
</connectionStrings>
我的web配置指定Windows身份验证和模拟,因为我流过使用异步页面,我也启用inpersonation政策...
My web config specifies both Windows authentication and impersonation, since I a using async pages, I have also enabled inpersonation policy flowing...
<runtime>
<alwaysFlowImpersonationPolicy enabled="true" />
</runtime>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
</system.web>
如果我在本地登录(在为web1),并浏览应用程序(使用IE),这一切工作 - 但这并不涉及到我试图解决双跳
If I log on locally (on "web1") and browse to the application (using IE), this all works - but this does not involve the double hop that I am trying to resolve.
如果我登录到另一台机器,然后浏览到使用IE应用程序,或者从使用火狐本地计算机浏览,这并不工作 - 注意:Firefox不提示我的登录详细信息。到数据库的连接失败,登录失败,用户NT AUTHORITY \\ ANONYMOUS登录
If I log on to another machine and then browse to the application using IE, or I browse from the local machine using FireFox, this does not work - note: FireFox does prompt me for the login details. The connection to the database fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
不像很多文章(这里可能是问题的一部分),我没有使用任何自定义code来模拟用户。这是我的理解是,模拟将全线由web.config设置上述应用到应用程序。我要做的一切就是打开连接,然后再次关闭它,当我完成它。
Unlike a lot of the articles (and here might be part of the problem), I am not using any custom code to impersonate the user. It is my understanding that the impersonation will be applied across the board to the application by the web.config settings above. All I do is to open the connection and then close it again when I am finished with it.
我已经很明显错过了一步(或两个),但已经看了所有我能找到(而且已经有很多)的文件,我仍然无法找到该步骤是什么。它没有帮助,我能找到的其实是关系到IIS6和Windows 2003的文档的99%,但原则应该是相同的。
I have obviously missed a step (or two), but having looked at all of the documentation that I can find (and there has been a lot), I still cannot find what that step is. It does not help that 99% of the documentation that I can find is actually related to IIS6 and Windows 2003 but the principles should remain the same.
有没有人在获得这样的配置在Windows 7和/或Windows上工作suceeded Server 2008的?
Has anybody suceeded in getting such a configuration to work on Windows 7 and/or Windows Server 2008?
推荐答案
核对表双跳问题{IIS和SQL Server}
Checklist for Double Hop issues {IIS and SQL Server}
<一个href=\"http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx\">http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx
<一个href=\"http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/\">http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/
http://support.microsoft.com/kb/810572
这篇关于Kerberos的双跃在ASP.NET 4.0和放大器; SQL2008R2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
