IIS7.5身份验证到Sql Server 2008 r2登录
[英]IIS7.5 authentication to Sql Server 2008 r2 Login
问题描述
I have what I thought would have been a pretty normal scenario... 
我有一种正常的情况...
I have a -WCF Client -WCF service hosted in AppFarbic within IIS7.5 -SQL Server 2008 r2 我在IIS7.5 -SQL Server 2008 r2的AppFarbic中托管了-WCF客户端-WCF服务
IIS is running using the App Pool Identity IIS正在使用应用程序池标识运行
I am connecting from the client using the following config file 我正在使用以下配置文件从客户端进行连接
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<client>
<endpoint
name="NetTcpBinding_IXXXService"
address="net.tcp://app02.xx.com/XXXService/XXXService.svc"
binding="netTcpBinding"
contract="XXXClient.IXXXService">
<identity>
<servicePrincipalName value="host/app02.xx.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
IIS is running using the application pool identity. IIS正在使用应用程序池标识运行。
I can get the service to connect to the database if I create a \\$ login. 如果创建\\ $登录名,则可以使该服务连接到数据库。
When using the application pool identity is this the only way of connecting to the database using Windows authentication? 使用应用程序池标识时,这是使用Windows身份验证连接到数据库的唯一方法吗?
I presume this is allowing the Network Service account on this machine to access the database. 我认为这是允许该计算机上的网络服务帐户访问数据库。 I also presume that this also means any service running as network can access the database? 我还假定这还意味着以网络运行的任何服务都可以访问数据库?
Is there any of way of tying the application pool identity to the database login? 有什么方法可以将应用程序池标识与数据库登录相关联?
EDIT: When I change the user of the App Pool to be another user with access to the database I get an SSPI failed error 编辑:当我将应用程序池的用户更改为另一个具有数据库访问权限的用户时,出现SSPI失败错误
1 个解决方案
解决方案1
1 2011-05-22 04:26:30
Please forgive me for taking a stab at this when I am not familiar with WCF or AppFarbic. 当我不熟悉WCF或AppFarbic时,请原谅我这样做。 Though I do know a little about IIS and authentication to SQL server on different server. 虽然我确实了解IIS和不同服务器上对SQL Server的身份验证。
- Can you connect to the database if you use username-based security with a password? 如果您使用基于用户名的安全性和密码,是否可以连接到数据库?
- What authentication method are you using on the web site? 您在网站上使用哪种身份验证方法?
- If you are trying to use integrated Windows authentication and your web authentication method is also integrated, then you have to use Kerberos security in IIS to allow delegation for the "second hop" over the network to the SQL server. 如果您尝试使用集成的Windows身份验证,并且您的Web身份验证方法也已集成,则必须在IIS中使用Kerberos安全性,以允许通过网络将“第二跳”委派给SQL Server。 Regular NT security is not enough because it can only do impersonation, which doesn't allow this. 常规的NT安全性还不够,因为它只能进行模拟,而这不能这样做。 Getting delegation to work can be a pain in the butt, but you have to examine the SPN you're using and make sure it's properly registered on the SQL server, plus mess around with IIS to make sure that Kerberos is enabled and actually working instead of it silently slipping back to NTLM. 让委派工作可能会很麻烦,但是您必须检查所使用的SPN,并确保已在SQL Server上正确注册它,再加上IIS,以确保启用了Kerberos并可以正常工作它默默地滑回NTLM。 The web server also has to be "trusted for delegation" in the domain group policy (assuming your web server is joined to a domain). 还必须在域组策略中“信任Web服务器以进行委派”(假设您的Web服务器已加入域)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.