为什么不能使用Windows组进行Windows身份验证读取SQL Server数据库表?
[英]Why can't I read a SQL Server database table using a Windows group for Windows authentication?
问题描述
My goal is to provide any user who is a member of the Windows group TestDbAccess read access to [Test].[dbo].[Persons] through a C# application program. 
我的目标是为Windows组TestDbAccess成员中的任何用户提供通过C#应用程序对[Test].[dbo].[Persons]读取权限。
Problem 问题
When I login to computer
C2.foo.govusing adomain admin accountand execute the program (see below), the program reads the database and displays the one record in the grid as expected (so I know the code is OK).当我使用domain admin account登录到计算机C2.foo.gov并执行该程序时(请参见下文),该程序将读取数据库并按预期在网格中显示一条记录(因此我知道代码是可以的)。When I login to computer
C2.foo.govusing thessmith@foo.govaccount and execute the program, I get a SQL Server errorLogin failed for user 'foo\\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx]当我使用ssmith@foo.gov帐户登录到计算机C2.foo.gov并执行该程序时,我收到一条SQL Server错误Login failed for user 'foo\\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx]Login failed for user 'foo\\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx]Login failed for user 'foo\\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx].Login failed for user 'foo\\ssmith'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xx.xx.xxx]。 (Error is inSQL Servererror log)(错误在SQL Server错误日志中)
Why can't I read my SQL Server database table using a Windows group for Windows authentication? 为什么我不能使用Windows组进行Windows身份验证来读取SQL Server数据库表?
Here is what I have: 这是我所拥有的:
All computers, users, and groups are members of the domain foo.gov
所有计算机,用户和组都是foo.gov域的成员 The domain is in a non-connected enclave.
该域位于未连接的区域中。 All firewalls are down. 所有防火墙都关闭了。 SQL Server (default instance) is installed on computer
C1.foo.gov.SQL Server(默认实例)安装在计算机C1.foo.gov。 Has databaseTestwith table[dbo].[persons].有数据库Testwith table[dbo].[persons]。[Test].[dbo].[Persons]has one record.[Test].[dbo].[Persons]有一条记录。 The database was created using a domain admin account that hasServer Rolespublicandsysadmin.该数据库是使用具有Server Rolespublic和sysadmin的域管理员帐户创建的。 HasUser Mappingofdb_ownerandpublicto theTestdatabase.具有db_ownerUser Mapping,并且对Test数据库是public的。SQL Server (default instance) has security login foo\\TestDbAccess.
SQL Server(默认实例)具有安全性登录foo \\ TestDbAccess。 Server Roleispublic.Server Role是public。User mappingisdb_datareaderandpublicfor databaseTest,user=foo\\TestDbAccess,default schema=dbo.User mapping是db_datareader,对于数据库Test是public的,user=foo\\TestDbAccess,default schema=dbo。 Status:Permission to connect to database engine=Grant.状态: Permission to connect to database engine=Grant。Login=EnabledUser
ssmith@foo.govis present inActive Directory Users and Computers用户ssmith@foo.gov存在于Active Directory Users and ComputersGroup
TestDbAccessis present inActive Directory Users and Computers.Active Directory Users and Computers存在组TestDbAccess。 Scope isGlobal.范围是Global。 Type isSecurity类型是Securityssmith@foo.govis a member ofTestDbAccessssmith@foo.gov是其成员TestDbAccess
Code is as follows. 代码如下。
app.config app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<connectionStrings>
<add name="DbConnectionString"
connectionString="Data Source=C1;Initial Catalog=Test;Integrated Security=True;Trusted_Connection=True;Connection Timeout=10"
providerName="System.Data.SqlClient" />
</connectionStrings>
</configuration>
DatabaseAccess class DatabaseAccess类
using System.Data;
using System.Data.SqlClient;
namespace DbAccessWindowsGroups
{
public static class DatabaseAccess
{
internal static DataTable GetData()
{
DataTable dataTable_TableList = new DataTable
{
TableName = "test"
};
try
{
using (SqlConnection sqlConnection = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["DbConnectionString"].ToString()))
{
using (SqlCommand sqlCommand = new SqlCommand())
{
sqlCommand.Connection = sqlConnection;
sqlCommand.CommandType = CommandType.Text;
sqlCommand.CommandText = "SELECT TOP 1000 [Test].[dbo].[Persons].[iuid], [Test].[dbo].[Persons].[Name] FROM [Test].[dbo].[Persons]";
sqlConnection.Open();
SqlDataReader sqlDataReader = sqlCommand.ExecuteReader();
dataTable_TableList.Load(sqlDataReader);
}
}
}
catch
{
throw;
}
return dataTable_TableList;
}
}
}
Form1 class Form1班
using System;
using System.Data;
using System.Windows.Forms;
namespace DbAccessWindowsGroups
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void Button1_Click(object sender, EventArgs e)
{
try
{
BindingSource bindingSource = new BindingSource();
dataGridView1.DataSource = null;
DataTable dataTable = DatabaseAccess.GetData();
bindingSource.DataSource = dataTable;
dataGridView1.DataSource = bindingSource;
}
catch (Exception ex)
{
Program._DisplayMessage("Error", ex, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
}
1 个解决方案
解决方案1
0 2018-07-17 15:23:17
As it turns out, my code as shown works. 事实证明,我的代码如下所示。 After I posted my question on 7/16, I needed to install Windows updates on computer C1. 在7/16发布问题后,我需要在计算机C1上安装Windows更新。 I did so, restarted C1, then went home. 我这样做了,重新启动C1,然后回家。 When I came back the next morning, I decided to retry running my program on computer C2 using the ssmith@foo.gov login. 第二天早上回来时,我决定尝试使用ssmith@foo.gov登录名在计算机C2上重新运行程序。 It worked. 有效。 So, I have to assume restarting computer C1 and/or letting enough time pass for my Active Directory changes (adding the group TestDbAccess to AD and SQL Server) to propagate did the trick. 因此,我必须假设重新启动计算机C1和/或留出足够的时间进行我的Active Directory更改(将组TestDbAccess添加到AD和SQL Server)来传播该技巧。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.