ASP.NET> SqlServer的;信任和授权 [英] ASP.NET > SqlServer; trust and delegation
问题描述
我们有他们的客户都想集成Windows身份验证的系统。
这是一个ASP.NET 3.5应用程序,连接到SQL Server 2005。
该网站的服务器是服务器2003 R2 SP2。
数据库服务器是Server 2003 SP2的(不是R2)。
we have a system where they client wants integrated Windows authentication. This is an ASP.NET 3.5 application, connecting to Sql Server 2005. The web server is Server 2003 R2 SP2. The db server is Server 2003 SP2 (not R2).
在DB服务器,我跑到下面的脚本
In the db server, I ran the following script
exec sp_grantlogin 'myDomain\myUserGroup'
USE myDbName
exec sp_grantdbaccess 'myDomain\myUserGroup'
我有3个用户的Windows用户组myDomain的\\ myUserGroup在现在。所有这三个用户的帐户被标记为信任的委派。在广告中,Web服务器帐户被标记为委派信任。
I have 3 users in the Windows user group 'myDomain\myUserGroup' right now. All three users' accounts are marked as trusted for delegation. The web server account in ADs is marked trusted for delegation.
Web应用程序标记为使用Windows身份验证(所有其他关闭)。
在Web.config有下面几行:
The web application is marked as using Windows authentication (all others turned off). The web.config has the following lines:
<authentication mode="Windows" ></authentication>
<identity impersonate="true" />
<authorization>
<deny users="?"/>
</authorization>
然而,当我尝试连接到与作为用户组中的用户的Web应用程序,我得到的错误:
Yet when i try to connect to the web application with a user which is in the user group, i get the error:
System.Data.SqlClient.SqlException:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
我的连接字符串是从构造这样一个SQL ConnectionStringBuilder建:
My connection string is being built from a Sql ConnectionStringBuilder constructed as such:
ConnectionStringBuilder.DataSource = "MYDBSERVER"
ConnectionStringBuilder.InitialCatalog = "MYDBCATALOG"
ConnectionStringBuilder.IntegratedSecurity = True
如果我狠code允许其中一个帐户在web.config中模仿&LT;身份/ >行它的工作原理。但是,如果我脱下硬codeD帐户,并尝试通过从客户端的机器的身份。我得到的错误。
If i HARD CODE one of the allowed accounts to impersonate on the web.config <identity /> line it works. But if i take off the hard coded account and try to pass the identity from the client's machine. I get the error.
这样看来,我没有正确的东西为多跳集成登录情况进行配置,但我想不出什么。
So it seems that i don't have something configured correctly for the multi-hop integrated login scenario, but i can't figure out what.
在此先感谢!
推荐答案
如果你使用Windows身份验证,然后模拟不流过ASP.NET进程本身。你有两个选择 - 互换基本身份验证,身份或流动,如果你在Win2003的运行或更高版本,可以使用Kerberos和<一个href=\"http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023%5Fimpersonatingbyusingwindowsidentity\"相对=nofollow>一些两轮牛车来冒充当您连接
If you're using Windows authentication then Impersonation doesn't flow past the ASP.NET process itself. You have two options here - swap to Basic Authentication, where Identity flows or, if you're running on Win2003 or later, you can use Kerberos and some hackery to impersonate when you connect
这篇关于ASP.NET&GT; SqlServer的;信任和授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
