Setting up SPN to access SQL Server 2008 as original user from IIS7
I'm totally confused by SPNs and exactly what I need to do. Basically I have a webserver running on a domain EUR and I want to access different MSSQL servers using Windows authentication and impersonation as the user viewing the webpage.
I have set up the webserver to use Windows authentication and impersonation and it works fine with the local MSSQL instance on the webserver but not on any others on the EUR domain. I get an error saying: Logon failed for NT AUTHORITY\ANONYMOUS user.
IIS and MSSQL services are currently running under the system account on all of the servers but I do have a functional ID "EUR\ldntech1" that I can use if necessary.
I understand that this is the double hop issue and I need to use SPNs, which before today I'd never heard of, and I am very confused by the syntax of how to add them and whether I need one only for the webservice or need to add one for every MSSQL server I wish to connect to.
My website is hosted on the alias fiportal.domain.net and the actual server name is ldn55spr.domain.net
Any help would be really greatly appreciated.
Thanks
What you are trying to do is called Constrained Delegation. That should help you in your Google searches.
You need to understand that the technology that's underlying all of this credential delegation is Kerberos. Service Principal Names (SPN) are a Kerberos thing.
This blog post should help you set up your environment.
This tool will help you ensure that your environment is correctly configured for Constrained Delegation.
edit: although somewhat dated, this should give you some background - though you did say that you understand the double-hop problem
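
The SPN syntax and delegation allow-list for the topology in the question, as an added example that is not part of the original answer. It assumes the IIS application pool is switched to run as EUR\ldntech1, that the SQL Servers keep running as LocalSystem, and that the ActiveDirectory PowerShell module is available; the SQL host names and port 1433 are hypothetical placeholders.

```powershell
# Added example. sqlhost01/sqlhost02 and port 1433 are hypothetical placeholders;
# fiportal.domain.net and EUR\ldntech1 are the names given in the question.
Import-Module ActiveDirectory

$webAccount = 'ldntech1'
$webNames   = 'fiportal.domain.net', 'fiportal'
$sqlHosts   = 'sqlhost01.domain.net', 'sqlhost02.domain.net'

# 1. Front end: register the HTTP SPNs for the alias on the account that runs
#    the application pool. -S checks for an existing registration first,
#    because a duplicate SPN breaks Kerberos authentication for that name.
foreach ($name in $webNames) {
    setspn -S "HTTP/$name" "EUR\$webAccount"
}

# 2. Back end: every SQL Server that is a delegation target needs its own
#    MSSQLSvc SPN. Running as LocalSystem, SQL Server normally registers it on
#    the computer account at startup, so list what is there before adding any.
foreach ($sqlHost in $sqlHosts) {
    setspn -L ($sqlHost.Split('.')[0])
}

# 3. Constrained delegation: list exactly the SQL SPNs the web account may
#    delegate to, and make sure unconstrained delegation stays off.
$allowed = foreach ($sqlHost in $sqlHosts) { "MSSQLSvc/${sqlHost}:1433" }
Set-ADUser $webAccount -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$allowed }
Set-ADAccountControl $webAccount -TrustedForDelegation $false

# 4. Verify the result and check the forest for duplicate SPNs.
Get-ADUser $webAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Format-List Name, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
setspn -X
```

With IIS 7 kernel-mode authentication enabled, tickets for the HTTP SPN are decrypted with the machine account, so an application pool running as a domain account also needs `useAppPoolCredentials` set to true on the `windowsAuthentication` section.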