
Using Windows authentication to log in to a SQL Server

I have a web application set up on our intranet that uses Windows authentication (successfully) that I am trying to link to a database running on a separate server.

The problem that I am having, however, is that when I try to use a trusted connection to log in to the SQL Server, instead of passing the domain\username of the person using the website, the application is passing NT AUTHORITY\ANONYMOUS LOGON.

I checked that the authentication was working by having the website display a greeting that does identify my username correctly when I log on to the site, so it isn't an anonymous access issue. I think it is an impersonation issue somehow, despite the fact that set in the web.config file for the application.

Curiously, the web application works fine when I run it on either my dev machine or even locally through Remote Desktop on the production server. I'm not sure what's going on here.

Finally, I'm running IIS 7.5, Windows Server 2008 R2 and SQL Server 2008.

This is called Constrained Delegation. Basically what that means is that an impersonated context by default cannot be delegated to authenticate with a resource on the network. If constrained delegation were not in place, anyone could create a web site in the enterprise and expose some benign application. But underneath, once the user authenticated with the site, it could impersonate that user to do anything, like read his mail, sell stock on his behalf, give raises to the site developer, anything. This is why impersonated contexts are not trusted outside the machine that impersonated the user.

To allow an impersonated context to connect to a remote resource (like a file share, or a database server) the domain administrator has to explicitly set up Constrained Delegation, which allows the impersonated context to authenticate with one specific resource.

There are numerous articles describing the problem and the solution:

If your web application tries to access your database, it does it with the account under which the IIS w3wp.exe process is running (Network Service by default). If you want to change this, you will need to use impersonation.

This document explains it pretty well.

As the document also explains, depending on your application you might want to use a trusted subsystem instead of impersonation.
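The two answers above describe two different fixes: the first keeps impersonation and adds constrained delegation so the user's identity can make the second hop to SQL Server; the second drops impersonation and has the site connect as one fixed service account (trusted subsystem). The script below is an added example, not code from either answer or from the question's application, and it walks both paths plus the check that tells you which one is actually in effect. Every host name, SPN, app-pool name and account below (SQL01, WEB01, IntranetPool, CORP\svc-intranet-web, IntranetDb) is an assumption; replace them with your own. It is meant to be run on the web server as a domain administrator with the ActiveDirectory and WebAdministration modules installed.

```powershell
# Added example (not from the original answers). All names below are assumptions.
$SqlHost = 'SQL01.corp.example'                   # assumed SQL Server host
$SqlSpn  = "MSSQLSvc/${SqlHost}:1433"             # SPN the client asks Kerberos for
$WebHost = 'WEB01'                                # IIS server; Network Service acts as CORP\WEB01$
$SiteName = 'Default Web Site'                    # assumed IIS site hosting the application
$AppPool  = 'IntranetPool'                        # assumed app pool for that site

Import-Module ActiveDirectory
Import-Module WebAdministration

# ---- Path A: impersonation + constrained delegation (first answer) ----------

# A1. The SPN must be registered on the account that runs the SQL service.
#     Without it Kerberos cannot be used, the client falls back to NTLM, and an
#     NTLM identity cannot be forwarded a second hop: SQL then sees ANONYMOUS LOGON.
setspn -Q $SqlSpn

# A2. Show whether the web server may delegate at all, and to which services.
#     TrustedForDelegation = $true would be *unconstrained* delegation, the
#     "impersonate the user to do anything" case the answer warns about; leave it off.
Get-ADComputer -Identity $WebHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# A3. Allow WEB01 to delegate only to the SQL service (the "one specific resource").
#     If the app pool runs as a domain user instead of Network Service, apply the
#     same attribute to that user with Set-ADUser.
Set-ADComputer -Identity $WebHost -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# A4. Impersonation must be switched on in the site's web.config, otherwise the
#     connection is made as the pool identity regardless of delegation.
$site = Get-Website -Name $SiteName
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
[xml]$cfg = Get-Content (Join-Path $root 'web.config')
"impersonate = " + $cfg.configuration.'system.web'.identity.impersonate

# ---- Path B: trusted subsystem (second answer) -------------------------------
# The site always connects as one service account; SQL never sees the browsing
# user, so no delegation is needed and per-user authorization moves into the app.
$SvcAcct = 'CORP\svc-intranet-web'                # assumed service account
$SvcPwd  = Read-Host -Prompt "Password for $SvcAcct"
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $SvcAcct; password = $SvcPwd }
# Remove <identity impersonate="true"/> from web.config for this path, then on
# SQL Server (T-SQL, run once as sysadmin; SQL 2008 syntax):
#   CREATE LOGIN [CORP\svc-intranet-web] FROM WINDOWS;
#   USE IntranetDb;
#   CREATE USER [CORP\svc-intranet-web];
#   EXEC sp_addrolemember 'db_datareader', 'CORP\svc-intranet-web';

# ---- Verify what SQL Server actually receives --------------------------------
# Returns the login SQL sees and whether the connection used KERBEROS or NTLM.
function Get-SqlAuthContext {
    param([string]$Server)
    $cn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Server;Database=master;Integrated Security=SSPI"
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = @"
SELECT SUSER_SNAME() AS login_name, auth_scheme
FROM sys.dm_exec_connections WHERE session_id = @@SPID;
"@
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{ LoginName = $r['login_name']; AuthScheme = $r['auth_scheme'] }
        }
    } finally { $cn.Close() }
}
Get-SqlAuthContext -Server $SqlHost
```

Run the same `SELECT SUSER_SNAME(), auth_scheme` query from inside a page of the web application, not only from this shell: an interactive session on the web server is a single hop and will always show your own account, which is exactly why the question's application "works fine" over Remote Desktop. Under path A a correct setup returns the browsing user and `KERBEROS`; `NT AUTHORITY\ANONYMOUS LOGON` or `NTLM` means the second hop is still failing (missing SPN, delegation not granted, or a browser that negotiated NTLM). Under path B it should return the service account, and then there is nothing left to delegate.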
