I've written a simple ASP.NET application that works as a frontend for a simple MSSQL database. The application is accessible over the Internet.
我编写了一个简单的ASP.NET应用程序,它可以作为简单的MSSQL数据库的前端。该应用程序可通过Internet访问。
There are two physical servers involved: a WS2008R2 Active Directory domain controller which is also running MSQL Server 2008 R2, and another server, the webserver (WS2008R2/IIS7.5) where my application resides.
涉及两个物理服务器:一个运行MSQL Server 2008 R2的WS2008R2 Active Directory域控制器,另一个服务器,即我的应用程序所在的Web服务器(WS2008R2 / IIS7.5)。
The Application Pool for my application "FooPool" has its own AD User identity it runs under "FooUser". FooUser does not have any permission to access the SQL Server database, instead only my own personal user account "MyUser" has that permission.
我的应用程序“FooPool”的应用程序池有自己的AD用户标识,它在“FooUser”下运行。 FooUser没有访问SQL Server数据库的任何权限,而只有我自己的个人用户帐户“MyUser”具有该权限。
The idea is that attempts to access this web application first perform Windows Authentication with IIS, my web application then uses Impersonation to access the SQL Server database.
想法是尝试访问此Web应用程序首先使用IIS执行Windows身份验证,然后我的Web应用程序使用模拟来访问SQL Server数据库。
However my application does not work.
但是我的申请不起作用。
I tested the application without it touching SQL Server, just to test impersonation, so I did Response.Write( WindowsIdentity.GetCurrent(false).Name ); which correctly shows the application impersonating MyUser and not acting as FooUser. This works from all modern browsers and across the Internet.
我测试了应用程序而没有触及SQL Server,只是为了测试模拟,所以我做了Response.Write(WindowsIdentity.GetCurrent(false).Name);这正确地显示了模仿MyUser的应用程序,而不是充当FooUser。这适用于所有现代浏览器和Internet。
But as soon as it touches MSSQL Server I get the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." but that should not be happening because no user tokens are for Anonymous Logon.
但是一旦触及MSSQL Server,我就会收到错误“登录失败的用户'NT AUTHORITY \ ANONYMOUS LOGON'。”但这不应该发生,因为匿名登录没有用户令牌。
I've done my homework and read all about Delegation and Impersonation in ASP.NET and I have set up delegation: The FooUser account has a Service Principal Name set-up (I set the SPN to an arbitrary string, is that doing it right?) and is marked for delegation in ADUC.
我已经完成了我的作业并阅读了有关ASP.NET中的委派和模拟的所有内容,并且我已经设置了委托:FooUser帐户有一个服务主体名称设置(我将SPN设置为任意字符串,这样做是正确的?)并在ADUC中标记为授权。
Finally, my connection string has SSPI enabled, Connection pooling disabled, and the network library set to "dbmssocn".
最后,我的连接字符串启用了SSPI,禁用了连接池,并且网络库设置为“dbmssocn”。
What else am I forgetting?
还有什么我忘了?
1 个解决方案
#1
2
Finishing the Configuration for Delegation to Work you must enable constrained delegation:
完成委派工作的配置必须启用约束委派:
- Open Active Directory Users and Computers
- 打开Active Directory用户和计算机
- Find the user account that the IIS Web site is using for the web application pool and double-click it
- 找到IIS网站用于Web应用程序池的用户帐户,然后双击它
- Select the option: Trust this user for delegation to specified
services only. - 选择选项:信任此用户以仅委派指定的服务。
- Make sure that the user is constrained to the SPN associated with the MSSQLSvc service
- 确保用户受限于与MSSQLSvc服务关联的SPN
- Restart IIS
- 重启IIS
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
#1
2
Finishing the Configuration for Delegation to Work you must enable constrained delegation:
完成委派工作的配置必须启用约束委派:
- Open Active Directory Users and Computers
- 打开Active Directory用户和计算机
- Find the user account that the IIS Web site is using for the web application pool and double-click it
- 找到IIS网站用于Web应用程序池的用户帐户,然后双击它
- Select the option: Trust this user for delegation to specified
services only. - 选择选项:信任此用户以仅委派指定的服务。
- Make sure that the user is constrained to the SPN associated with the MSSQLSvc service
- 确保用户受限于与MSSQLSvc服务关联的SPN
- Restart IIS
- 重启IIS
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx