Kerberos Delegation Failed for Users from a trusted domain

I have successfully set up Kerberos delegation between an ASP.NET web site and a SQL Server. All the users in the same domain as the IIS application pool account and SQL Server service account can be delegated from the web site to SQL Server. Now we have users from a two-way trusted domain trying to use the web site, and the following error occurred on the SQL Server side: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'". It means the delegation has failed.

The web site is IIS 6 on Windows 2003.

I checked the user from the trusted domain, and the "userAccountControl" is 512, so delegation is not blocked. In the user's IE browser settings, I can see the "Local Intranet" has been configured right.

Can someone tell me how I can troubleshoot this issue?

Thanks!

Richard
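The account-flag check described in the question, written out as an added example (not part of the original post). The flag values are the documented userAccountControl bits and msDS-AllowedToDelegateTo is the standard constrained-delegation attribute; the SPN and the service-account values are constructed for illustration. An empty result only rules out the account flags, not the trust path between domains.

```python
# Added example: account-level pre-check for a Kerberos double hop
# (browser -> IIS -> SQL Server). All sample values are constructed.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation allowed
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition


def delegation_mode(service_uac, allowed_to_delegate_to=()):
    """Classify how a front-end service account is allowed to delegate."""
    if service_uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to:  # values of msDS-AllowedToDelegateTo
        if service_uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (any protocol)"
        return "constrained (Kerberos only)"
    return "none"


def precheck(user_uac, service_uac, allowed_to_delegate_to, target_spn):
    """Return the account-level reasons the second hop would fail."""
    findings = []
    if user_uac & NOT_DELEGATED:
        findings.append("user is marked sensitive and cannot be delegated")
    mode = delegation_mode(service_uac, allowed_to_delegate_to)
    if mode == "none":
        findings.append("service account is not trusted for delegation")
    elif mode.startswith("constrained"):
        allowed = {spn.lower() for spn in allowed_to_delegate_to}
        if target_spn.lower() not in allowed:
            findings.append("target SPN is not in msDS-AllowedToDelegateTo")
    return findings


if __name__ == "__main__":
    # Hypothetical SPN and app pool account flags (0x80200 = normal account
    # that is trusted for unconstrained delegation).
    sql_spn = "MSSQLSvc/sql01.example.test:1433"
    # The asker's user: userAccountControl 512 (NORMAL_ACCOUNT only).
    print(precheck(512, 0x80200, [], sql_spn))
    # Same user with the "sensitive" bit set.
    print(precheck(512 | NOT_DELEGATED, 0x80200, [], sql_spn))
    # Constrained delegation configured for a different SQL instance.
    print(precheck(512, 0x200, ["MSSQLSvc/other.example.test:1433"], sql_spn))
```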

Maybe this helps you: http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/c43260a9-6791-4572-a7f2-1547467d89bb/

Here's the quote (written by SenthilSK):

The Kerberos protocol supports two kinds of delegation, basic (unconstrained) and constrained. Basic Kerberos delegation can cross domain boundaries in a single forest, but cannot cross a forest boundary regardless of trust relationship. Kerberos constrained delegation cannot cross domain or forest boundaries in any scenario. For more details about KCD configuration for your scenario, I could suggest referring to the white paper on Kerberos: http://www.microsoft.com/download/en/details.aspx?id=23176
