ASP.NET > SQL Server: trust and authorization

Time: 2021-11-12 01:38:47

We have a system where the client wants integrated Windows authentication. This is an ASP.NET 3.5 application, connecting to SQL Server 2005. The web server is Server 2003 R2 SP2. The db server is Server 2003 SP2 (not R2).

In the db server, I ran the following script

-- create a server-level login for the Windows group
exec sp_grantlogin 'myDomain\myUserGroup'
USE myDbName
-- map that login to a user in the application database
exec sp_grantdbaccess 'myDomain\myUserGroup'

I have 3 users in the Windows user group 'myDomain\myUserGroup' right now. All three users' accounts are marked as trusted for delegation. The web server account in ADs is marked trusted for delegation.

The web application is marked as using Windows authentication (all others turned off). The web.config has the following lines:

<authentication mode="Windows" ></authentication>
<identity impersonate="true" />
<authorization>
    <deny users="?"/>
</authorization>

Yet when I try to connect to the web application with a user who is in the user group, I get the error:

System.Data.SqlClient.SqlException: 
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

My connection string is being built from a SqlConnectionStringBuilder constructed as such:

' VB.NET; System.Data.SqlClient must be imported
Dim ConnectionStringBuilder As New SqlConnectionStringBuilder()
ConnectionStringBuilder.DataSource = "MYDBSERVER"
ConnectionStringBuilder.InitialCatalog = "MYDBCATALOG"
ConnectionStringBuilder.IntegratedSecurity = True   ' Windows (SSPI) authentication, no SQL password

If I HARD CODE one of the allowed accounts to impersonate on the web.config <identity /> line, it works. But if I take off the hard-coded account and try to pass the identity from the client's machine, I get the error.

So it seems that I don't have something configured correctly for the multi-hop integrated login scenario, but I can't figure out what.

Thanks in advance!
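The symptom above (SQL Server sees ANONYMOUS LOGON instead of the browser user) is what a defender checks for first: whether the web server is even obtaining a Kerberos ticket for SQL Server, because without an MSSQLSvc SPN the client falls back to NTLM, which can never be forwarded to a second hop. The script below is an added diagnostic, not code from the question or any answer; it assumes the server and catalog names from the post and uses only .NET and ADSI, which are present on Windows Server 2003. Run it on the web server under the application pool's identity.

```powershell
# Added diagnostic, not part of the original question. Run on the web server as the
# identity the application pool uses, pointing at the names from the post (assumed).
param(
    [string]$SqlServer = 'MYDBSERVER',      # from the post
    [string]$Database  = 'MYDBCATALOG'      # from the post
)

# 1. Which Windows identity and authentication package is this process using?
#    Under impersonation without delegation the token carries no credential that
#    is usable beyond this machine, hence ANONYMOUS LOGON on the next hop.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as: $($me.Name) (package: $($me.AuthenticationType))"

# 2. Does any account hold an SPN for this SQL instance? Without MSSQLSvc/<fqdn>:<port>
#    no Kerberos ticket can be issued, and SSPI silently negotiates NTLM instead.
$fqdn = [System.Net.Dns]::GetHostEntry($SqlServer).HostName
$searcher = New-Object System.DirectoryServices.DirectorySearcher   # default root: current domain
$searcher.Filter = "(servicePrincipalName=MSSQLSvc/$fqdn*)"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$hits = $searcher.FindAll()
if ($hits.Count -eq 0) {
    Write-Warning "No MSSQLSvc SPN found for $fqdn; Kerberos to SQL Server is impossible."
} else {
    foreach ($hit in $hits) {
        $acct = $hit.Properties['samaccountname'][0]
        $spns = @($hit.Properties['serviceprincipalname']) -match 'MSSQLSvc'
        Write-Host "SPN holder: $acct -> $($spns -join ', ')"
    }
}

# 3. Connect exactly as the app does (integrated security) and ask SQL Server how this
#    session was authenticated. auth_scheme is KERBEROS or NTLM; only KERBEROS can be
#    delegated. Reading your own row may require VIEW SERVER STATE on some builds.
function Get-SqlAuthScheme {
    param([string]$Server, [string]$Db)
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb.DataSource = $Server
    $csb.InitialCatalog = $Db
    $csb.IntegratedSecurity = $true
    $conn = New-Object System.Data.SqlClient.SqlConnection($csb.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            New-Object PSObject -Property @{
                Login      = $reader['login_name']
                AuthScheme = $reader['auth_scheme']
            }
        }
    } catch [System.Data.SqlClient.SqlException] {
        # The post's error surfaces here when the hop carries no usable credential.
        Write-Warning "SQL login failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$result = Get-SqlAuthScheme -Server $SqlServer -Db $Database
if ($result) {
    Write-Host "SQL Server saw login '$($result.Login)' authenticated via $($result.AuthScheme)"
    if ($result.AuthScheme -ne 'KERBEROS') {
        Write-Warning 'NTLM was negotiated: the credential cannot be delegated. Fix the SPN first, then configure delegation.'
    }
}
```

If step 2 finds no SPN, or step 3 reports NTLM, no amount of "trusted for delegation" in AD will help; the SPN has to be registered on the account the SQL Server service runs as before the delegation settings discussed in the answers can take effect.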

2 solutions

#1


If you're using Windows authentication then impersonation doesn't flow past the ASP.NET process itself. You have two options here: swap to Basic Authentication, where identity flows, or, if you're running on Win2003 or later, you can use Kerberos and some hackery to impersonate when you connect.

#2


The ASP machine has authenticated the user connecting to IIS via NTLM/Kerberos. The authentication is guaranteed by the domain controller, which has asked the original user process (IE) to present a secret that guarantees his identity: the password he typed when he logged into the box. The authentication is actually not done by the processes involved, but by the Local Security Authority (LSA, a.k.a. lsass.exe) on each machine involved. Because the LSA on the ASP machine knows that the authentication is OK, it will allow an impersonation of the remote user to access anything it has the rights to access under the control of the said LSA (in other words, everything on the local ASP machine).

As soon as the ASP process that impersonates the user makes another hop to a new machine, it has left the realm controlled by the LSA on the ASP machine. The LSA on the SQL machine has no reason to trust the LSA on the ASP machine. So it asks it to present a proof that it is who it claims it is (the impersonated user). The ASP machine unfortunately cannot present such a proof, since it does not have the user's secret (the password).

The workaround is something called 'constrained delegation'. Through constrained delegation the domain controller intervenes in the negotiation between the SQL machine's LSA and the ASP machine's LSA and says 'the ASP machine is OK, I vouch for him'. So the SQL machine's LSA trusts the authentication and authenticates the original, impersonated user.

The technical details of how to set up constrained delegation are described in "How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0".

Note that this is true anytime a 'double hop' and impersonation is involved, no matter the type of resources involved (can be a SQL server, can be a file share, can be a new back end ASP service).
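As an added illustration of the constrained delegation the answer describes (this is not the answer's code, nor the Microsoft how-to it cites), the following script moves a web server from the unconstrained "trusted for delegation" setting mentioned in the question to delegation constrained to the single SQL Server SPN the application needs. All names are placeholders: WEBSERVER is the IIS computer account (assuming the app pool runs as Network Service, so the machine account is the delegating principal), MYDBSERVER.corp.example is the SQL host, sqlsvc is the domain account the SQL Server service runs as, and 1433 is the port. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to edit both accounts.

```powershell
# Added example, not taken from the answer or the Microsoft how-to it cites.
# All names below are placeholders (assumed), not values from the original post.
Import-Module ActiveDirectory

$webServer  = 'WEBSERVER'                  # IIS computer account (app pool = Network Service)
$sqlFqdn    = 'MYDBSERVER.corp.example'    # SQL Server host
$sqlSvcAcct = 'sqlsvc'                     # domain account the SQL Server service runs as
$sqlSpn     = "MSSQLSvc/${sqlFqdn}:1433"

# 1. SQL Server must have an SPN on the account its service runs as; otherwise no
#    Kerberos ticket can be issued for it and clients fall back to NTLM, which cannot
#    be delegated at all. (If SQL runs as Local System the SPN belongs on the SQL
#    computer account instead: use Get-ADComputer/Set-ADComputer here.)
$svc = Get-ADUser $sqlSvcAcct -Properties servicePrincipalName
if ($svc.servicePrincipalName -notcontains $sqlSpn) {
    Set-ADUser $sqlSvcAcct -Add @{ servicePrincipalName = $sqlSpn }
    Write-Host "Registered $sqlSpn on $sqlSvcAcct"
}

# 2. The question left the web server "trusted for delegation", i.e. unconstrained: it
#    could forward the user's ticket to any service in the domain. Constrained
#    delegation limits it to the one SPN it needs, so a compromised web server can
#    reach only SQL Server as the user and nothing else.
$web = Get-ADComputer $webServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($web.TrustedForDelegation) {
    Set-ADComputer $webServer -TrustedForDelegation $false
    Write-Host "Removed unconstrained delegation from $webServer"
}
if ($web.'msDS-AllowedToDelegateTo' -notcontains $sqlSpn) {
    Set-ADComputer $webServer -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }
    Write-Host "Constrained $webServer to delegate only to $sqlSpn"
}

# 3. Protocol transition is needed only when the first hop is NOT Kerberos (e.g. Basic
#    or Forms auth): it lets the web server obtain a ticket on the user's behalf.
#    With Integrated Windows Authentication end to end, leave it off.
# Set-ADAccountControl -Identity $web -TrustedToAuthForDelegation $true

# 4. Show the resulting settings. The web server's ticket cache (or a reboot) must be
#    refreshed before the new delegation rights are honoured.
Get-ADComputer $webServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
```

If the application pool runs as a domain user rather than Network Service, the same two changes (register an HTTP SPN for the site, set msDS-AllowedToDelegateTo) are made on that user account with Set-ADUser instead of on the computer account.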