asp.net via kerberos integrated windows authentication to sql server
Please, can someone PLEASE give a simple, straight-forward way to enable ASP.NET > Kerberos > Sql Server?
We have clientMachine > webServer > databaseServer. The client is insistent that the site must pull the windows login and not prompt, hence the need for Kerberos and Integrated Authentication. It also MUST impersonate the user onto the db server, inducing a double-hop.
Our domain is a Windows 2003 domain, which as far as I can tell online, means Kerberos is enabled. And on a domain-joined computer, when logged in, kerbtray shows me I have a slew of tickets, so it is apparently working.
The web and database server computer accounts in AD are both "trusted for delegation".
The AD user accounts which must access the system are both "trusted for delegation".
When it is all working, I will add more users; for now two is it.
The Sql Server instance is running under LocalSystem on the database server, which as near as I can tell online, means it does NOT require messing with those SPN things at all.
Yet, when I try to log in with either user, I get
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
indicating a double-hop failure. This is furthered by the fact that in the application log on the db server there are a slew of entries from "MSSQL" saying the same thing.
I really can't believe how hard this is... I mean, IIS, SQL and Windows are all Microsoft, can't they talk better???
So in summary, I have
Download the Troubleshooting Kerberos Delegation. It's a life saver.
At page 17 you'll find the Active Directory Checklist. Follow the checklist step by step.
At page 30 you'll find the Client Application Checklist. Verify the checklist step by step.
At page 35 is the Middle Tier Checklist. Verify it step by step.
At page 48 is the Back End Checklist. Verify it step by step.
If you still have problems, the document contains a detailed list of troubleshooting tools (kerbtray, klist, ldifde etc.), a detailed explanation of how to enable logging and auditing of authentication errors in the system event log, a detailed explanation of all error codes in the event log entries from the authentication audit, and so on and so forth.
Once you figure out what is wrong, it will be much easier to fix.
The answer ultimately DID lie in the SPNs.
This system was set up on our test site, which is test.ourcompany.com, so I needed to add a new SPN for that reference. So in addition to the following:
HTTP/server
HTTP/server.ourdomain.com
I also needed to add an additional one for:
HTTP/test.ourcompany.com
Geez, what a battle! At least it's over! :)
Thanks for the help guys!
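The accepted answer's fix was a missing HTTP SPN for the extra host name the site answers on. The script below is an added example, not code from the original thread: it builds the list of HTTP SPNs a site needs (short name, FQDN, and every additional host header such as the test.ourcompany.com case above), asks `setspn -Q` whether each one is registered, and flags SPNs that are missing or registered on more than one account (a duplicate SPN breaks Kerberos just as surely as a missing one, which is the usual cause of the ANONYMOUS LOGON failure in the question). The host names, the `server$` identity and the output strings matched are assumptions; `setspn.exe` is assumed to be on the PATH (Windows Server 2003 Support Tools, or built in from Windows Server 2008). The script only reads; it prints the commands an account admin would run rather than running them.

```powershell
# Added example (not from the original post): check that every HTTP SPN the web
# site needs is registered to exactly one account, and suggest the fix if not.
param(
    # Short name and FQDN of the web server (placeholders), plus every extra host
    # header the site answers on, e.g. a test site alias.
    [string]   $WebServer     = 'server',
    [string]   $WebServerFqdn = 'server.ourdomain.com',
    [string[]] $SiteHostNames = @('test.ourcompany.com'),
    # Account the IIS worker process runs as (placeholder). For NETWORK SERVICE or
    # LocalSystem this is the computer account "server$"; for a domain service
    # account it is "DOMAIN\svc_web".
    [string]   $WebIdentity   = 'server$'
)

# Expected SPN set: the two the answer lists plus one per extra host name.
$expected = @("HTTP/$WebServer", "HTTP/$WebServerFqdn") +
            ($SiteHostNames | ForEach-Object { "HTTP/$_" })
$expected = $expected | Select-Object -Unique

$missing = @()
foreach ($spn in $expected) {
    # setspn -Q searches the forest; when found it prints the owning DN(s)
    # (lines starting with CN=) followed by that account's SPN list.
    $out = & setspn.exe -Q $spn 2>&1
    if ($out -match 'No such SPN found') {
        Write-Warning "MISSING   $spn"
        $missing += $spn
        continue
    }
    $owners = @($out | Where-Object { $_ -match '^CN=' })
    if ($owners.Count -gt 1) {
        Write-Warning ("DUPLICATE $spn is registered on $($owners.Count) accounts; " +
                       "Kerberos cannot pick one. Owners:`n" + ($owners -join "`n"))
    } else {
        Write-Host "OK        $spn -> $($owners[0])"
    }
}

if ($missing.Count -gt 0) {
    Write-Host "`nMissing SPNs must be registered on the web identity ($WebIdentity):"
    foreach ($spn in $missing) {
        # -S refuses to add a duplicate; the Windows 2003 Support Tools version
        # lacks -S, so use -A there after checking with -Q as above.
        Write-Host "  setspn -S $spn $WebIdentity"
    }
}
```

Save it as a .ps1 and run it from any domain-joined machine; it needs no elevation because `setspn -Q` only reads the directory. Run it once for the web server and once for the SQL Server box (with `MSSQLSvc/` prefixes) when the database service is not running as LocalSystem, since in that case the service account, not the computer, must hold the SPN.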
What you are describing should work without issue.
Your connection string should look like:
<add name="IntegratedAuthConnectionString" connectionString=
"Data Source=DATABASEINSTANCE;Integrated Security=True"
providerName="System.Data.SqlClient"/>
Your web.config should also specify windows authentication
<authentication mode="Windows"/>
Create a test page which dumps everything from the Request.ServerVariables collection and ensure that you are seeing the authenticated username and domain. Something along the lines of the code below
foreach (string s in Request.ServerVariables)
{
Response.Write(s + ": " + Request.ServerVariables[s] + "<br />");
}
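The answer above lists the two web.config settings that have to be right before the SPN hunt even starts. The script below is an added example, not part of the original answer: it loads a web.config and checks for `<authentication mode="Windows"/>`, a connection string that uses Integrated Security (and does not also carry a SQL login and password), and, because the question requires the web app to impersonate the caller onto the database, `<identity impersonate="true"/>`, without which the worker-process identity rather than the user is what reaches SQL Server. The path and connection-string name are placeholders.

```powershell
# Added example (not from the original answer): validate the web.config settings
# needed for Windows authentication plus per-user delegation to SQL Server.
param(
    [string] $WebConfigPath        = 'C:\inetpub\wwwroot\app\web.config',   # placeholder
    [string] $ConnectionStringName = 'IntegratedAuthConnectionString'       # from the answer
)

[xml] $cfg = Get-Content -Path $WebConfigPath
$problems = @()

# 1. Windows authentication, exactly as the answer's <authentication mode="Windows"/>.
$authMode = $cfg.configuration.'system.web'.authentication.mode
if ($authMode -ne 'Windows') {
    $problems += "authentication mode is '$authMode', expected 'Windows'"
}

# 2. Impersonation: required for the caller's Kerberos token (not the app pool
#    identity) to be the one delegated to the database server.
$impersonate = $cfg.configuration.'system.web'.identity.impersonate
if ($impersonate -ne 'true') {
    $problems += "identity impersonate is '$impersonate', expected 'true' for the per-user double hop"
}

# 3. Connection string: Integrated Security=True/SSPI and no SQL credentials.
$cs = @($cfg.configuration.connectionStrings.add) |
      Where-Object { $_.name -eq $ConnectionStringName }
if (-not $cs) {
    $problems += "no connection string named '$ConnectionStringName'"
} elseif ($cs.connectionString -notmatch 'Integrated Security\s*=\s*(True|SSPI)') {
    $problems += "connection string '$ConnectionStringName' does not use Integrated Security"
} elseif ($cs.connectionString -match '(User ID|Password)\s*=') {
    $problems += "connection string '$ConnectionStringName' mixes a SQL login with Integrated Security"
}

if ($problems.Count -eq 0) {
    Write-Host "web.config looks right for Windows auth with delegation."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If this reports no problems and the test page in the answer shows LOGON_USER as the domain user, the remaining suspects are the SPNs and the "trusted for delegation" settings on the accounts, which is where the original poster's fix turned out to be.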