如何让 ASPNET 被 SQL Server 2005 识别为可信连接
情况是这样的。 我正在开发一个新网站来访问旧数据库。 这是国防部的安装,因此有很多安全措施。
当前的应用程序是用经典的 ASP、VBScript 和一些 JavaScript 编写的。 新系统是ASP.NET。
在旧系统中访问数据库意味着使用您自己的凭据(域名\用户名)访问服务器。 现在我正在尝试测试我所做的一些早期开发。 当我使用 Cassini(在 VS2008 下)时,访问数据库没有遇到任何问题,因为 ourdomain\myusername 已在 SQL Server 实例中注册为可信连接。 由于我必须编写安全方面的内容,Cassini 不能再充当测试服务器 - 我必须使用 IIS(我们这里有安全读卡器)。 卡西尼号无法对付它们。
因此,当我解决了将适当的帐户添加到本地电脑上的管理员以便我可以在使用 IIS 时在 VS2008 中进行调试的所有问题时,我尝试连接到数据库,但被拒绝了,因为 MYPC\ASPNET 不是受信任的联系。
改变现有的数据库是不可能的。 用于访问数据库的硬编码用户名和密码是不可能的。
我询问 DBA 是否可以将 MYPC\ASPNET 添加到域组中,以便 SQL Server 可以将其视为可信连接(因为 MYDOMAIN\MYNAME 位于被视为可信连接的组中)。 他告诉我这在技术上是不可能的。
最后,将有三到四台机器(我的、另一台开发人员、最终的实时 Web 服务器和未来的测试 Web 服务器)的 ASPNET 帐户将访问我们的两个 SQL 服务器(实时和测试)。
我必须做什么才能让现有的 SQL 服务器将我视为朋友而不是敌人? 我查看了模拟,但我的印象是它与我们的系统不兼容 - 业务规则调用一个通用例程来创建一个 SqlConnection 对象并打开它(甚至可能是一个 SqlTransaction 对象)并且使用该对象其余的业务规则和数据访问层,直到完成。 一旦 SqlConnection 打开(并通过 ByRef 返回到调用例程),模拟似乎不会持续存在。
提前感谢您的任何建议。
Here's the situaiton. I'm working on developing a new website to access an old database. This is a DoD installation so there's lots of security around.
The current application is written in classic ASP, VBScript and some javascript. The new systems is ASP.NET.
Accessing the database in the old system meant hitting the server with your own credentials (domainname\username). Now I'm trying to test some of the early development I've done. When I used Cassini (under VS2008), I had no trouble getting to the database because ourdomain\myusername registered with the SQL Server instance as a trusted connection. Due to security aspects that I have to write, Cassini can't serve as a test server anymore - I have to use IIS (we have security card readers here). Cassini can't handle them.
So when I went through all the problems of getting the appropriate accounts added to Administrators on my local pc so that I could debug in VS2008 while using IIS, I tried to connect to the database and I was rejected because MYPC\ASPNET was not a trusted connection.
Altering the existing database is out of the question. Hard coding usernames and passwords for access to the database is out of the question.
I asked the DBA if he could add MYPC\ASPNET to of the domain groups so that SQL Server could see it as a trusted connection (since MYDOMAIN\MYNAME was in a group that was seen as a trusted connection). He tells me that is not technically possible.
In the end there are going to be three or four machines (mine, another developer, the eventual live web server and a future test web server) who's ASPNET accounts are going to be hitting our two SQL servers (live and test).
What do I have to do to make the existing SQL server see me as Friend and not Foe? I looked at impersonation but I get the impression it's not compatible with our system - the business rules make a call to a common routine to create a SqlConnection object and open it (maybe even a SqlTransaction object to go with it) and this object is used for the rest of the business rules and data-access layer until it's done. It didn't look like impersonation would persist once the SqlConnection was opened (and passed, ByRef back to the calling routine)
Thanks in advance for any advice.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您有两个选择:
You have two options:
使用模拟
Use Impersonation
正如已经建议的那样,您应该使用模拟。
但是,如果您的 SQL Server 与 Web 服务器运行在不同的计算机上,则模拟是不够的,因为用户的凭据不会委派给 SQL Server(服务器跃点)。 在这种情况下,您必须在 AD 中启用委派,或者在 SQL Server 上创建一个非 Windows 登录名并使用它(如果您的 SQL Server 实际上使用 Windows 登录名来控制表等的访问控制,这将不起作用) 。
As has already been suggested you should use impersonation.
However if your SQL Server is running on a different machine than your web server then impersonation will not suffice as the credentials of the user will not be delegated to the SQL Server (server hop). In that case you will have to either enable delegation in the AD or create a non-Windows login on your SQL Server and use that instead (this will not work if your SQL Server actually uses the Windows login for access control to tables etc.).
听起来您想冒充正在访问您网站的客户,对吗? 您是否尝试过使用模拟或者您认为它不会起作用?
编辑
正如 Albert 指出的,模拟要求用户使用 Windows 身份验证进行身份验证。 您需要禁用匿名访问,并在 IIS 管理工具中启用 Windows 身份验证。
Sounds like you want to impersonate the client who is accessing your web site correct? Have you tried to use impersonation or are you assuming it won't work?
Edit
As Albert points out, impersonation requires the user to be authenticated using Windows authentication. You will want to disable Anonymous Access, and enable Windows Authentication in IIS Management tool.