使用 IIS 应用程序池标识帐户为 SQL Server 2008 配置集成安全性 [英] Configuring Integrated Security using IIS Application Pool Identity accounts for SQL Server 2008
问题描述
我的网站有以下配置:
- 两个 Web 前端(例如机器名称:WFE1 和 WFE2)1 个 SQ
- 一个 SQL Server 数据库集群(例如机器名称:DBCluster)
所有机器都在同一个域(例如 MyDomain)中,运行 Windows 2008 R2 Enterprise 和 SQL Server 2008 R2.
All machines are in the same domain (e.g. MyDomain) running Windows 2008 R2 Enterprise and SQL Server 2008 R2.
我正在部署一个使用应用程序池标识的 Web 应用程序.我已将池命名为 MyWebApp,它转换为名称 [IIS APPPOOLMyWebApp].当我尝试将此用户添加到 SQL Server 时,出现错误:
I am in the process of deploying a web application that uses the Application Pool Identity. I have named the pool MyWebApp, which translates to the name, [IIS APPPOOLMyWebApp]. When I try adding this user to SQL Server I get an error:
未找到 Windows NT 用户或组IIS APPPOOLMyWebApp".再次检查名称.
Windows NT user or group 'IIS APPPOOLMyWebApp' not found. Check the name again.
我用来在 SQL Server 中创建帐户的脚本是:
The script that I have used to create the account in SQL Server is:
创建登录 [IIS APPPOOLMyWebApp]从带有 DEFAULT_DATABASE=[MyDatabase]、DEFAULT_LANGUAGE=[us_english] 的 WINDOWS去吧
CREATE LOGIN [IIS APPPOOLMyWebApp] FROM WINDOWS WITH DEFAULT_DATABASE=[MyDatabase], DEFAULT_LANGUAGE=[us_english] GO
我想问题正在发生,因为 IIS 帐户是 SQL Server 框不可见的本地帐户.
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
有人能解释一下如何解决这个问题吗?使用域帐户是我唯一的选择,还是我仍然可以让应用程序池帐户工作?
Can someone please shed some light on how this problem can be resolved? Is using a domain account my only option or can I still get the application pool accounts to work?
推荐答案
我想问题正在发生,因为 IIS 帐户是 SQL Server 框不可见的本地帐户.
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
这正是问题所在.IIS AppPool 帐户仅存在于 Web 服务器上.如果您能够将此帐户添加到 SQL Server,则您将授权一个与 SQL Server在同一台计算机上运行的 IIS AppPool.(我怀疑它可能仍然会失败.)
That's exactly the problem. The IIS AppPool account only exists on the web server. If you were able to add this account to SQL Server, you would be authorizing an IIS AppPool that is running on the same machine as SQL Server. (I suspect it might still fail.)
最安全的解决方案可能是按照您所说的进行 - 在域上创建一个帐户,为该帐户授予对数据库的适当权限,然后使用该帐户的凭据运行 AppPool.
The most secure solution would probably be to do as you say - create an account on the domain, give that account appropriate permissions on the database, and run the AppPool using that account's credentials.
但是,如果您仍然想这样做,您需要授权运行 AppPool 的 计算机 - 即 DOMAINNAMEComputerName$(注意$ 结尾).
However, if you'd still like to do it, you need to authorize the computer that the AppPool is running on - ie, DOMAINNAMEComputerName$ (note the $ at the end).
查看这篇文章了解更多信息信息(特别是标题为访问网络的部分).
Take a look at this article for more information (specifically, the section titled Accessing the Network).
但我认为这是一个坏主意,因为它授权任何作为 NetworkService 运行的程序 访问数据库 - 而不仅仅是您的 Web 应用程序.
I think that's a bad idea, however, because it authorizes any program running as NetworkService to access the database - not just your web applications.
这篇关于使用 IIS 应用程序池标识帐户为 SQL Server 2008 配置集成安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
