[英]SSPI sql access fails in remote powershell request due to double-hop failure, constrained delegation
我们正在尝试从远程服务器B上的serverA运行自动安装,该安装需要使用Windows身份验证与sql serverC进行通信。
Invoke-Command -ComputerName serverB -ScriptBlock {
$conn = new-object System.Data.SqlClient.SqlConnection 'Data Source=ServerC;Initial Catalog=master;Integrated Security=SSPI'
try
{
$conn.open()
} finally {
$conn | Remove-SQLConnection
}
} -Credential $cred
但是,它无法返回:
”使用参数“ 0”调用“ Open”的异常:“用户'NT AUTHORITY \\ ANONYMOUS LOGON'登录失败。”
我们使用以下方法解决了此问题:
Invoke-Command -ComputerName serverB -ScriptBlock { Register-PSSessionConfiguration -Name Ipswitch -RunAsCredential $using:cred -Force } -Credential $cred
但是我们更喜欢使用受约束的kerberos委托:
我们尝试使用以下步骤执行kerberos委派:
##########################
#run on serverC
##########################
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
$serverB = Get-ADComputer serverB
$serverC = Get-ADComputer serverC
# Grant resource-based Kerberos constrained delegation
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $serverB
# Check the value of the attribute directly
$x = Get-ADComputer -Identity $serverC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
$x.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access
# Check the value of the attribute indirectly
Get-ADComputer -Identity $serverC -Properties PrincipalsAllowedToDelegateToAccount
# purge kerberose cache
Invoke-Command -ComputerName $serverB.Name -Credential $cred -ScriptBlock {
klist purge -li 0x3e7
}
完成之后,这两个测试通过:
Invoke-Command -ComputerName serverB -ScriptBlock {
Invoke-Command -ComputerName serverC -ScriptBlock {'hello world'} -Credential $using:cred
} -Credential $cred
Invoke-Command -ComputerName serverB -ScriptBlock {
Copy-Item '\\serverC\c$\file'
} -Credential $cred
但是,sql命令仍然失败,并且我们无法找到解决方案。
我们在github上发现了相同的问题,看起来似乎相同,但没有答案: https : //github.com/PowerShell/PowerShell/issues/9331
确保使用SetSPN –A MSSQLSvc / .: 1433为SQL服务帐户注册SPN。
ASP.NET 4中的双跳模拟,协议转换和约束委派
[英]Double Hop Impersonation, Protocol Transitioning and Constrained Delegation in ASP.NET 4
避免从客户端> Web服务> SQL Server双跳的解决方案
[英]Solution to avoid double-hop from client > web service > SQL Server
从IIS到SQL服务器的Kerberos双跃点委派(使用django)
[英]Kerberos Double Hop Delegation from IIS to SQL server (using django)
从网络共享文件夹导入时绕过 SQL BULK INSERT 语句访问/双跳问题的方法?
[英]A way to bypass SQL BULK INSERT statement access / double hop issue when importing from network shared folder?
每隔一个 SQL 由于 Kubernetes 上的访问被拒绝,服务器部署失败
[英]Every other SQL Server deployment fails due to access denied on Kubernetes
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.