让IIS在Intranet环境中模拟Windows用户到SQL服务器
[英]Getting IIS to impersonate the windows user to SQL server in an intranet environment
问题描述
I am developing an intranet site using C# and ASP.NET MVC. 
我正在使用C#和ASP.NET MVC开发一个Intranet站点。 I have SQL Server on one machine and IIS running on a separate machine. 我在一台机器上安装了SQL Server,而在另一台机器上运行IIS。 I would like a user to visit the intranet site and without prompting the user internet explorer sends the users windows credentials to IIS and these are then passed to sql server meaning sql server can see the user accessing the database. 我希望用户访问Intranet站点,而不提示用户Internet Explorer将用户Windows凭据发送到IIS,然后将这些凭据传递给sql server,这意味着sql server可以看到用户访问数据库。
I am aware of the Kerberos double hop issue and it is this I am trying to get around. 我知道Kerberos双跳问题,我正试图绕过这个问题。 At present I can get IE to pass the windows credentials to IIS and authenticate fine. 目前我可以让IE将Windows凭据传递给IIS并进行身份验证。 I just cannot get IIS to pass on those credentials to SQL Server and instead the request currently runs under the app pool identity which is set to a domain service account "htu\\srv-htu-iis". 我只是无法让IIS将这些凭据传递给SQL Server,而是当前在应用程序池标识下运行请求,该标识设置为域服务帐户“htu \\ srv-htu-iis”。
My setup is as follows: 我的设置如下:
Web.Config Web.Config中
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Connection String 连接字符串
connection string="data source=hturesbsqlp01;initial catalog=R2_Dev;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework""
IIS Authentication Settings IIS身份验证设置
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Forms Authentication = Disabled
Windows Authentication = Enabled
IIS App Pool Settings IIS应用程序池设置
Managed Pipeline = Integrated
Identity = htu\srv-htu-iis (domain service account)
Active Directory Settings Active Directory设置
The domain service account htu\\srv-htu-iis has had a service principal name set which associates our site with the account. 域服务帐户htu \\ srv-htu-iis已设置服务主体名称,该名称将我们的站点与帐户相关联。
Active directory has 活动目录有
Allow Delagation to any service
SQL Server is running under its own SQL Domain Service account. SQL Server在其自己的SQL域服务帐户下运行。
Tests 测试
I ran the following code tests: 我运行了以下代码测试:
System.Web.HttpContext.Current.User.Identity.Name
this correctly return the windows credentials of the user accessing the site 这正确地返回访问该站点的用户的Windows凭据
System.Security.Principal.WindowsIdentity.GetCurrent().Name
return the domain service account "htu\\srv-htu-iis" which is what the app pool identity is running under. 返回域服务帐户“htu \\ srv-htu-iis”,这是运行应用程序池标识的内容。
Can anyone provide direction as to where I might be going wrong? 任何人都可以提供我可能出错的方向吗?
1 个解决方案
解决方案1
15 已采纳 2014-02-20 13:38:09
Well to anyone visiting this question in the future. 那么将来访问这个问题的任何人都可以。 I resolved this by restarting the IIS Service...doh! 我通过重新启动IIS服务解决了这个问题... doh! Seems my settings were fine just need a full restart of the service! 似乎我的设置很好只需要完全重启服务!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.