Why can't I read a SQL Server database table using a Windows group for Windows authentication?
My goal is to provide any user who is a member of the Windows group TestDbAccess read access to [Test].[dbo].[Persons] through a C# application program.
Problem
When I log in to computer C2.foo.gov using a domain admin account and execute the program (see below), the program reads the database and displays the one record in the grid as expected (so I know the code is OK).
When I log in to computer C2.foo.gov using the ssmith@foo.gov account and execute the program, I get a SQL Server error:
Login failed for user 'foo\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx]
(The error is in the SQL Server error log.)
Why can't I read my SQL Server database table using a Windows group for Windows authentication?
Here is what I have:
- All computers, users, and groups are members of the domain foo.gov
- The domain is in a non-connected enclave. All firewalls are down.
- SQL Server (default instance) is installed on computer C1.foo.gov. Has database Test with table [dbo].[persons]. [Test].[dbo].[Persons] has one record. The database was created using a domain admin account that has Server Roles public and sysadmin. Has User Mapping of db_owner and public to the Test database.
- SQL Server (default instance) has security login foo\TestDbAccess. Server Role is public. User mapping is db_datareader and public for database Test, user = foo\TestDbAccess, default schema = dbo. Status: Permission to connect to database engine=Grant. Login=Enabled
- User ssmith@foo.gov is present in Active Directory Users and Computers
- Group TestDbAccess is present in Active Directory Users and Computers. Scope is Global. Type is Security
- ssmith@foo.gov is a member of TestDbAccess
Code is as follows.
app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
    </startup>
    <connectionStrings>
        <add name="DbConnectionString"
             connectionString="Data Source=C1;Initial Catalog=Test;Integrated Security=True;Trusted_Connection=True;Connection Timeout=10"
             providerName="System.Data.SqlClient" />
    </connectionStrings>
</configuration>
DatabaseAccess class
using System.Data;
using System.Data.SqlClient;

namespace DbAccessWindowsGroups
{
    public static class DatabaseAccess
    {
        // Reads [Test].[dbo].[Persons] using the Windows identity of the
        // user running the program (Integrated Security in app.config).
        internal static DataTable GetData()
        {
            DataTable dataTable_TableList = new DataTable
            {
                TableName = "test"
            };
            try
            {
                using (SqlConnection sqlConnection = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["DbConnectionString"].ToString()))
                {
                    using (SqlCommand sqlCommand = new SqlCommand())
                    {
                        sqlCommand.Connection = sqlConnection;
                        sqlCommand.CommandType = CommandType.Text;
                        sqlCommand.CommandText = "SELECT TOP 1000 [Test].[dbo].[Persons].[iuid], [Test].[dbo].[Persons].[Name] FROM [Test].[dbo].[Persons]";
                        // Open() is where a failed Windows login surfaces as a SqlException.
                        sqlConnection.Open();
                        // Dispose the reader as soon as the table has been loaded.
                        using (SqlDataReader sqlDataReader = sqlCommand.ExecuteReader())
                        {
                            dataTable_TableList.Load(sqlDataReader);
                        }
                    }
                }
            }
            catch
            {
                // Rethrow unchanged; the caller displays the error.
                throw;
            }
            return dataTable_TableList;
        }
    }
}
Form1 class
using System;
using System.Data;
using System.Windows.Forms;

namespace DbAccessWindowsGroups
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void Button1_Click(object sender, EventArgs e)
        {
            try
            {
                BindingSource bindingSource = new BindingSource();
                dataGridView1.DataSource = null;
                DataTable dataTable = DatabaseAccess.GetData();
                bindingSource.DataSource = dataTable;
                dataGridView1.DataSource = bindingSource;
            }
            catch (Exception ex)
            {
                Program._DisplayMessage("Error", ex, MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }
    }
}

As it turns out, my code as shown works. After I posted my question on 7/16, I needed to install Windows updates on computer C1. I did so, restarted C1, then went home. When I came back the next morning, I decided to retry running my program on computer C2 using the ssmith@foo.gov login. It worked. So, I have to assume restarting computer C1 and/or letting enough time pass for my Active Directory changes (adding the group TestDbAccess to AD and SQL Server) to propagate did the trick.
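
A server-side check for the situation described above, added here as an example and not part of the original post: it confirms that the group login exists and shows whether SQL Server resolves foo\ssmith through foo\TestDbAccess. The account and group names are the ones from the question; the first three statements assume a connection with sysadmin rights on C1.

```sql
-- Added diagnostic example; names come from the question above.

-- 1. As sysadmin: confirm the Windows group login exists and is enabled.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'                        -- G = Windows group
  AND name = N'foo\TestDbAccess';

-- 2. As sysadmin: ask which login grants this Windows user access.
--    A row whose "permission path" is foo\TestDbAccess means the
--    group login applies to the user.
EXEC xp_logininfo @acctname = N'foo\ssmith', @option = 'all';

-- 3. As sysadmin: list the members SQL Server obtains for the group.
EXEC xp_logininfo @acctname = N'foo\TestDbAccess', @option = 'members';

-- 4. As the affected user, once a connection succeeds: show the identity
--    and the Windows groups carried in the login token.
USE Test;

SELECT SUSER_SNAME()                  AS login_name,
       IS_MEMBER(N'foo\TestDbAccess') AS is_group_member;  -- 1 = member

SELECT name, type, usage
FROM sys.login_token
WHERE type = 'WINDOWS GROUP';
```

Windows places group memberships in the access token when the logon session is created, so a user added to a group while already signed in does not present that membership until a new logon session is established.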