SSPI sql access fails in remote powershell request due to double-hop failure, constrained delegation
We are trying to run an automated installation on remote server B from server A; the installation needs to talk to SQL Server C using Windows authentication.
Invoke-Command -ComputerName serverB -ScriptBlock {
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Data Source=ServerC;Initial Catalog=master;Integrated Security=SSPI'
    try
    {
        $conn.Open()
    } finally {
        # release the connection (there is no Remove-SQLConnection cmdlet)
        $conn.Dispose()
    }
} -Credential $cred
However, it fails with:
Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
We worked around this with:
Invoke-Command -ComputerName serverB -ScriptBlock { Register-PSSessionConfiguration -Name Ipswitch -RunAsCredential $using:cred -Force } -Credential $cred
But we would prefer to use Kerberos constrained delegation.
We tried to set up Kerberos delegation with the following steps:
##########################
# run on serverC
##########################
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
$serverB = Get-ADComputer serverB
$serverC = Get-ADComputer serverC
# Grant resource-based Kerberos constrained delegation
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $serverB
# Check the value of the attribute directly
$x = Get-ADComputer -Identity $serverC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
$x.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access
# Check the value of the attribute indirectly
Get-ADComputer -Identity $serverC -Properties PrincipalsAllowedToDelegateToAccount
# Purge the Kerberos ticket cache of the computer account (logon id 0x3e7) on serverB
Invoke-Command -ComputerName $serverB.Name -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7
}
After that, these two tests pass:
Invoke-Command -ComputerName serverB -ScriptBlock {
    Invoke-Command -ComputerName serverC -ScriptBlock {'hello world'} -Credential $using:cred
} -Credential $cred
Invoke-Command -ComputerName serverB -ScriptBlock {
    Copy-Item '\\serverC\c$\file'
} -Credential $cred
However, the SQL command still fails, and we have not been able to find a solution.
We found what looks like the same issue on GitHub, but it has no answer: https://github.com/PowerShell/PowerShell/issues/9331
Make sure an SPN is registered for the SQL service account using SetSPN -A MSSQLSvc/<host>.<domain>:1433.
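The answer's point is worth checking mechanically, because a missing or duplicated MSSQLSvc SPN makes the client fall back to NTLM, which cannot be forwarded on the second hop and shows up exactly as the ANONYMOUS LOGON error in the question; the remoting and file-copy tests pass because those services already have SPNs (HOST/ and WSMAN/ on the computer account). A second thing the question's script does not verify is that the resource-based delegation was granted on the account that actually owns the SQL SPN, which is the domain service account rather than the computer object when SQL Server runs as one. The following diagnostic script is an added example, not code from the question or the answer. It assumes the domain corp.example.com, the hosts serverB and serverC from the question, that $cred already holds the domain credential used there, and that RSAT-AD-PowerShell is installed where step 1 and 2 run.

```powershell
# Added diagnostic script, not from the original question or answer.
# Assumptions (adjust to your environment): AD domain corp.example.com,
# SQL host serverC, delegating host serverB, $cred already set as in the
# question, RSAT-AD-PowerShell installed on the machine running steps 1-2.
Import-Module ActiveDirectory

$domain  = 'corp.example.com'   # assumption
$sqlHost = 'serverC'
$midHost = 'serverB'
$sqlSpn  = "MSSQLSvc/$sqlHost.$($domain):1433"

# 1. Which AD account owns the SQL SPN? Kerberos is only used when exactly one
#    account holds it; with a missing or duplicate SPN the client silently falls
#    back to NTLM, which cannot be delegated and surfaces as ANONYMOUS LOGON.
$spnOwners = @(Get-ADObject -Filter "servicePrincipalName -like 'MSSQLSvc/$sqlHost*'" `
                  -Properties servicePrincipalName)
switch ($spnOwners.Count) {
    0       { Write-Warning "No MSSQLSvc SPN for $sqlHost. Register it on the SQL service account: setspn -S $sqlSpn <service account>" }
    1       { "SPN owner: $($spnOwners[0].DistinguishedName) [$($spnOwners[0].ObjectClass)]" }
    default { Write-Warning "Duplicate SPN: $($spnOwners.Count) owners. Kerberos fails until only one remains." }
}

# 2. RBCD must be granted on the account that owns the SPN: the computer
#    account when SQL runs as NETWORK SERVICE or a virtual account, but the
#    domain service account when SQL runs as one. Setting it on the computer
#    object while the SPN sits on a service account does nothing for SQL.
$midDn = (Get-ADComputer -Identity $midHost).DistinguishedName
foreach ($owner in $spnOwners) {
    $ownerDn = $owner.DistinguishedName
    $acct = switch ($owner.ObjectClass) {
        'computer' { Get-ADComputer       -Identity $ownerDn -Properties PrincipalsAllowedToDelegateToAccount }
        'user'     { Get-ADUser           -Identity $ownerDn -Properties PrincipalsAllowedToDelegateToAccount }
        default    { Get-ADServiceAccount -Identity $ownerDn -Properties PrincipalsAllowedToDelegateToAccount }
    }
    $allowed = @($acct.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.DistinguishedName })
    if ($allowed -contains $midDn) {
        "$midHost may delegate to $ownerDn"
    } else {
        Write-Warning "$midHost is not in PrincipalsAllowedToDelegateToAccount of $ownerDn. Grant it with Set-ADUser / Set-ADComputer / Set-ADServiceAccount -Identity '$ownerDn' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer $midHost)"
    }
}

# 3. From serverB, under the same $cred the question uses: request a service
#    ticket for the SPN and let SQL Server report which scheme actually
#    authenticated the session. KERBEROS means the hop can be delegated;
#    NTLM means the SPN lookup failed and no delegation setting will help.
Invoke-Command -ComputerName $midHost -Credential $cred -ScriptBlock {
    klist get $using:sqlSpn | Select-String 'Server:'
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Data Source=$using:sqlHost;Initial Catalog=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        "auth_scheme reported by $using:sqlHost = $($cmd.ExecuteScalar())"
    } finally {
        $conn.Dispose()
    }
}
```

Step 3 is the decisive check: if the SPN exists and delegation is granted but auth_scheme still reads NTLM, the SPN is registered on an account other than the one SQL Server actually runs as, so the KDC issues a ticket the service cannot decrypt and the client downgrades. The klist purge in the question only flushes the computer account's cache (0x3e7); the session created by Invoke-Command -Credential has its own cache, which klist get refreshes for the listed SPN.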