IIS到SQL Server kerberos auth问题 [英] IIS to SQL Server kerberos auth issues
问题描述
我们有一个第三方产品,允许我们的一些用户通过一个单独的服务器(SvrWeb)上的网站操纵数据库中的数据(我们称之为SvrSQL)。
We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
在SvrWeb上,我们为此应用程序设置了一个特定的非默认网站,而不是去 http://SvrWeb.company.com 访问我们使用的网站 http: //application.company.com 解析为SvrWeb,主机标题解析为正确的网站。
On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website.
还为此站点设置了一个特定的应用程序池,它使用我们称之为company \SrvWeb_iis的Active Directory帐户标识。我们设置允许在此帐户上进行委派,并允许其模拟我们希望它执行的另一次登录。 (我们希望此帐户将登录到网站的人员的AD凭据传递给SQL Server而不是服务帐户。
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're setup to allow delegation on this account and to allow it to impersonate another login which we want it to do. (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account.
我们还为此设置了SPN SrvWeb_iis帐户通过以下命令:
setspn -A HTTP / SrvWeb.company.com SrvWeb_iis
We also set up the SPNs for the SrvWeb_iis account via the following command: setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
该网站启动,但该网站的部分对数据库的调用返回消息:
无法执行数据库查询。
用户'NT AUTHORITY \ANONYMOUS LOGON'登录失败。
The website pulls up, but the section of the website that makes the call to the database returns the message: Cannot execute database query. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
我认为我们已经正确设置了SPN信息,但是当我检查SrvWeb上的安全事件日志时,我看到了我登录的条目,但它似乎是使用NTLM而不是kerberos:
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
非常感谢任何有关此设置的想法或文章!
Any ideas or articles that cover this setup in detail would be extremely appreciated!
如果有帮助,我们正在使用SQL Server 20 05,Web和SQL服务器都是Windows 2003。
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
推荐答案
kerberos失败有几个可能的原因,包括缺乏SPN和复制SPN。
There are several possible reasons for kerberos failures which includes lack of SPN and duplicate SPN as well.
如果SQL在自定义帐户下运行,您还需要为SQL添加SPN。
同时保留请注意,您应该为FQDN添加SPN,这是DNS中的主机(A)条目,而不是CNAME。
If SQL is running under custom account you would need to add SPN for SQL as well.
Also keep in mind, you should be adding SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
检查NTAuthenticationProviders的值
http://support.microsoft.com/kb/215383
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
尝试使用DelegConfig,它会显示其SPN或其他内容时缺少的内容。< br>
http:// www .iis.net / community / default.aspx?tabid = 34& g = 6& i = 1887
Try DelegConfig which would show what is missing if its SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887
这篇关于IIS到SQL Server kerberos auth问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
