Kerberos delegation for clients outside the firewall
I am trying to run a SQL Server Reporting Services where the data for the report is on a SQL Server database that's on a different server. Integrated Authentication is turned on for both the Report Server and the report. I have confirmed that Kerberos delegation is working fine by using Internet Explorer to run the report from inside the network.
However, when I open the report server through the firewall, I cannot run the report. I get the following error: An error has occurred during report processing. Cannot create a connection to data source 'frattoxppro2'. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Does Kerberos authentication not work outside a firewall?
Kerberos requires a port 88 connection to the KDC, in this case, most likely your DC.
What you probably want to look at is HTTPS + Basic Authentication + Protocol Transition to take the Basic Authentication and translate it into a DC based Kerberos Ticket for delegation and back end authentication.
Protocol Transition with Constrained Delegation Technical Supplement
How To: Use Protocol Transition and Constrained Delegation in ASP.NET
Not exactly the easiest to set up, but when it's working, it works amazingly well.
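The two preconditions named in the answer above (port 88 reachability to the KDC, and protocol transition with constrained delegation on the report server's account) can be checked from PowerShell. This is an added example, not part of the original answer; the host, account and SPN values are placeholders, and it assumes the report server runs as a domain user account and that the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the post.
$Kdc            = 'dc01.example.internal'                     # domain controller acting as KDC
$ServiceAccount = 'svc-ssrs'                                  # account the report server runs as
$BackendSpn     = 'MSSQLSvc/sqlhost.example.internal:1433'    # SPN of the SQL Server data source

function Test-KdcReachable {
    param([Parameter(Mandatory)][string]$KdcHost)
    # A Kerberos client must reach the KDC on port 88 to obtain tickets.
    # Run this from where the failing client sits (outside the firewall).
    $r = Test-NetConnection -ComputerName $KdcHost -Port 88 -WarningAction SilentlyContinue
    [bool]$r.TcpTestSucceeded
}

function Get-DelegationState {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$TargetSpn
    )
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $Account -Properties ServicePrincipalNames,
            TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account             = $u.SamAccountName
        # Without an SPN on the account, clients cannot request a ticket for the service.
        HasSpn              = @($u.ServicePrincipalNames).Count -gt 0
        # True means unconstrained delegation, which is broader than this scenario needs.
        Unconstrained       = [bool]$u.TrustedForDelegation
        # True means "use any authentication protocol" (protocol transition) is enabled.
        ProtocolTransition  = [bool]$u.TrustedToAuthForDelegation
        AllowedToDelegateTo = $allowed
        # The back-end SQL Server SPN must be on the constrained delegation list.
        BackendSpnListed    = $allowed -contains $TargetSpn
    }
}

# Run from the external client:
"KDC reachable on port 88: $(Test-KdcReachable -KdcHost $Kdc)"

# Run from a domain-joined admin workstation:
$s = Get-DelegationState -Account $ServiceAccount -TargetSpn $BackendSpn
$s | Format-List
if (-not ($s.ProtocolTransition -and $s.BackendSpnListed)) {
    Write-Warning 'Protocol transition to the back-end SPN is not fully configured.'
}
if ($s.Unconstrained) {
    Write-Warning 'Account is trusted for unconstrained delegation; prefer constrained.'
}
```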
I'm not really in a position to tell you why Kerberos isn't working for you, but did have an alternative suggestion for your configuration. You can use ISA services to expose the reporting server rather than simply poking a hole in your firewall. This is something our company has done successfully - it republishes the reporting services site so the browsers are talking to ISA, not directly to the server. ISA Services is quite happy to pass through your credentials as well.