问题描述
我们最近发布了最新版本的Intranet应用程序,该应用程序现在以Windows身份验证为标准,并且需要能够使用最终用户的域凭据连接到已配置的SQL Server.
We've recently released the latest version of our intranet application, which now uses windows authentication as standard, and needs to be able to connect to a configured SQL server with the end-user's domain credentials.
最近我们发现,在几个客户部署中,尽管IIS可以看到用户的域凭据,但它不会将这些凭据传递给SQL Server.相反,它似乎使用了匿名帐户.尽管执行了所有正确步骤(将目录安全性更改为Win Auth,更新Web.Config以使用Win Auth并拒绝匿名用户),这仍然是正确的.
Lately we've found that on a couple of customer deployments, although IIS can see the user's domain credentials, it will not pass these on to SQL server. Instead, it seems to use the anonymous account. This is in spite of following all the correct steps (changing the directory security to Win Auth, updating Web.Config to use Win Auth and denying anonymous users).
我已经读了很多书,表明我们需要确保Kerberos已经到位,但是我不确定(a)这是多么有效(即,这确实是一项要求吗?)或(b )如何进行调查,或者如何进行调查.
I've been doing a lot of reading that suggests we need to make sure that Kerberos is in place, but I'm not sure (a) how valid this is (i.e. is it really a requirement?) or (b) how to go about investigating if it's set up or how to go about setting it up.
在这种情况下,我们需要能够配置IIS或应用程序以使其适合客户,或者向客户确切说明他们需要做什么才能使其正常工作.
We're in a situation where we need to be able to either configure IIS or the application to work for the customer, or explain to the customer exactly what they need to do to get it working.
我们已经使用测试SQL服务器和开发人员的IIS盒在我们的内部网络上重现了这一点,因此我们将弄乱这一设置,看看是否可以提出解决方案,但是如果任何人都有任何聪明的主意,我会很高兴听到他们的想法!
We've managed to reproduce this on our internal network with a test SQL server and a developer's IIS box, so we're going to mess around with this set up and see if we can come up with a solution, but if anyone has any bright ideas, I'd be most happy to hear them!
我特别想听听人们对Kerberos的看法或建议.这是一项要求吗?如果是,我该如何向客户概述应如何配置?
I'd especially like to hear people's thoughts or advice in terms of Kerberos. Is this a requirement, and if it is, how do I outline to customers how it should be configured?
哦,我也看到一些人提到了针对域和传递Windows凭据的经典单跳规则",但是我不知道这实际上占了多少权重?
Oh, and I've also seen a couple of people mention the 'classic one-hop rule' for domains and passing windows credentials around, but I don't know how much weight this actually holds?
谢谢!
马特
推荐答案
这称为双跳问题,并禁止将用户的凭据转发给第三方.当他们从一台计算机浏览另一台站点(第一跳)并将凭据转发到第三台计算机(第二跳)时,就会发生这种情况.
This is called the Double-Hop Problem and prohibits the forwarding of user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).
如果您将IIS和SQL Server托管在同一台计算机上,则不会出现该问题.
The problem will not appear if you host IIS and SQL Server on the same machine.
在如何在ASP.NET中使用System.DirectoryServices命名空间的上,有许多更多的技术详细信息,它解释了双跳问题以及主要令牌和辅助令牌.
There's alot more technical details published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.
这篇关于如何配置IIS,以便在连接到SQL Server时使用用户的域凭据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!