在内网环境下让IIS模拟windows用户到SQL服务器 [英] Getting IIS to impersonate the windows user to SQL server in an intranet environment
问题描述
我正在使用 C# 和 ASP.NET MVC 开发一个 Intranet 站点.我在一台机器上有 SQL Server,在另一台机器上运行 IIS.我希望用户访问 Intranet 站点,并且不提示用户 Internet Explorer 将用户 Windows 凭据发送到 IIS,然后将这些凭据传递给 sql server,这意味着 sql server 可以看到用户访问数据库.
I am developing an intranet site using C# and ASP.NET MVC. I have SQL Server on one machine and IIS running on a separate machine. I would like a user to visit the intranet site and without prompting the user internet explorer sends the users windows credentials to IIS and these are then passed to sql server meaning sql server can see the user accessing the database.
我知道 Kerberos 双跳问题,这正是我想要解决的问题.目前我可以让 IE 将 Windows 凭据传递给 IIS 并进行身份验证.我只是无法让 IIS 将这些凭据传递给 SQL Server,而是当前在设置为域服务帐户htusrv-htu-iis"的应用程序池标识下运行请求.
I am aware of the Kerberos double hop issue and it is this I am trying to get around. At present I can get IE to pass the windows credentials to IIS and authenticate fine. I just cannot get IIS to pass on those credentials to SQL Server and instead the request currently runs under the app pool identity which is set to a domain service account "htusrv-htu-iis".
我的设置如下:
Web.Config
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
连接字符串
connection string="data source=hturesbsqlp01;initial catalog=R2_Dev;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework""
IIS 身份验证设置
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Forms Authentication = Disabled
Windows Authentication = Enabled
IIS 应用程序池设置
Managed Pipeline = Integrated
Identity = htusrv-htu-iis (domain service account)
活动目录设置
域服务帐户 htusrv-htu-iis 设置了服务主体名称,将我们的站点与该帐户相关联.
The domain service account htusrv-htu-iis has had a service principal name set which associates our site with the account.
活动目录有
Allow Delagation to any service
SQL Server 在其自己的 SQL 域服务帐户下运行.
SQL Server is running under its own SQL Domain Service account.
测试
我运行了以下代码测试:
I ran the following code tests:
System.Web.HttpContext.Current.User.Identity.Name
这会正确返回访问该站点的用户的 Windows 凭据
this correctly return the windows credentials of the user accessing the site
System.Security.Principal.WindowsIdentity.GetCurrent().Name
返回域服务帐户htusrv-htu-iis",这是应用程序池标识在其下运行.
return the domain service account "htusrv-htu-iis" which is what the app pool identity is running under.
谁能就我可能出错的地方提供指导?
Can anyone provide direction as to where I might be going wrong?
推荐答案
欢迎以后访问此问题的任何人.我通过重新启动 IIS 服务解决了这个问题...哦!看来我的设置没问题,只是需要完全重启服务!
Well to anyone visiting this question in the future. I resolved this by restarting the IIS Service...doh! Seems my settings were fine just need a full restart of the service!
这篇关于在内网环境下让IIS模拟windows用户到SQL服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
