asp.net通过kerberos将Windows身份验证集成到sql服务器

发布于 2024-07-30 10:35:49 字数 995 浏览 7 评论 0原文

请问有人可以提供一种简单、直接的方法来启用 ASP.NET > Kerberos > SQL服务器?

我们有 clientMachine > 网络服务器> 数据库服务器。 客户端坚持要求站点必须拉取 Windows 登录名而不是提示,因此需要 Kerberos 和集成身份验证。 它还必须将用户模拟到数据库服务器,从而引发双跳。

我们的域是 Windows 2003 域,据我在网上所知,这意味着 Kerberos 已启用。 在加入域的计算机上,登录后,kerbtray 会显示我有大量票证,因此它显然正在工作。

AD 中的 Web 和数据库服务器计算机帐户都是“受信任的委派”。
必须访问系统的 AD 用户帐户都是“受信任的委派”。
当一切正常后,我将添加更多用户,目前是两个。

Sql Server 实例在数据库服务器上的 LocalSystem 下运行,据我在线所知,这意味着它根本不需要弄乱那些 SPN 的东西。

然而,当我尝试使用任一用户登录时,我收到

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. 

指示双跳失败。 事实上,在数据库服务器上的应用程序日志中,有大量来自“MSSQL”的条目表示同样的事情,这一事​​实进一步推动了这一点。

我真的不敢相信这有多难...我的意思是,IIS、SQL 和 Windows 都是微软的,他们就不能说得更好吗???

总之,我有

  • 一个 kerberos 域,
  • 数据库和 Web 服务器均受信任委托
  • 受委托的用户
  • AD 组中的用户
  • AD 组作为 sql 中的登录名(以及 db 中的用户)
  • IIS,匿名关闭、集成打开、基本和摘要关闭
  • 启用集成的 IE

Please, can someone PLEASE give a simple, straight-forward way to enable ASP.NET > Kerberos > Sql Server?

We have clientMachine > webServer > databaseServer. The client is insistent that the site must pull the windows login and not prompt, hence the need for Kerberos and Integrated Authentication. It also MUST impersonate the user onto the db server, inducing a double-hop.

Our domain is a Windows 2003 domain, which as far as I can tell online, means Kerberos is enabled. And on a domain-joined computer,when logged in, kerbtray shows me I have a slew of tickets, so it is apparently working.

The web and database server computer accounts in AD are both "trusted for delegation".
The AD user accounts which must access the system are both "trusted for delegation".
When it is all working, I will add more users, for now two is it.

The Sql Server instance is running under LocalSystem on the database server, which as near as i can tell online, means it does NOT require messing with those SPN things at all.

Yet, when i try to log in with either user, i get

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. 

indicating a double-hop failure. This is furthered by the fact that in the application log on the db server there are a slew of entries from "MSSQL" saying the same thing.

I really can't believe how hard this is... i mean, IIS, SQL and Windows are all Microsoft, can't they talk better???

So in summary, i have

  • a kerberos domain,
  • db and web server both trusted for delegation
  • users trusted for delegation
  • users in a AD group
  • AD group as a login in sql (and user in db)
  • IIS with Anonymous off, Integrated on, Basic and Digest off
  • IE with Enable Integrated on

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

从﹋此江山别 2024-08-06 10:35:49

下载Kerberos 委派问题排查。 它是一个救星。
在第 17 页,您将找到Active Directory 清单。 逐步按照检查表进行操作。
在第 30 页,您将找到客户申请清单。 逐步验证清单。
第 35 页是中层清单。 一步步验证。
第 48 页是后端检查表。 一步步验证一下。

如果您仍然遇到问题,该文档包含故障排除工具的详细列表(kerbtray、klist、ldifde 等)、如何在系统事件日志中启用日志记录和审核身份验证错误的详细说明、对所有错误代码的详细说明来自身份验证审核的事件日志条目等等。

一旦弄清楚出了什么问题,修复就会容易得多。

Download the Troubleshooting Kerberos Delegation. Its a life saver.
At page 17 you'll find the Active Directory Checklist. Follow the checklist step by step.
At page 30 you'll find the Client Application Checklist. Verify the checklist step by step.
At page 35 is the Middle Tier Checklist. Verify it step by step.
At page 48 is the Back End Checklist. Verify it step by step.

If you still have problems, the document contains a detailed list of troubleshooting tools (kerbtray, klist, ldifde etc), detailed explanation on how to enable logging and auditing of authentication errors in the system event log, detailed explanation of all error codes in the event log entries from the authentication audit and so on and so forth.

Once you figure out what is wrong, it will be much easier to fix.

空城仅有旧梦在 2024-08-06 10:35:49

答案最终确实在于 SPN。

该系统是在我们的测试站点 test.ourcompany.com 上设置的,因此我需要添加一个新的 SPN 作为该参考。 因此,除了以下内容:

HTTP/server 
HTTP/server.ourdomain.com

我还需要添加一个额外的内容:

HTTP/test.ourcompany.com

天哪,真是一场战斗! 至少已经结束了! :)
感谢各位的帮助!

The answer ultimately DID lie in the SPNs.

This system was set up on our test site, which is test.ourcompany.com, so i needed to add a new SPN for that reference. So in addition to the following:

HTTP/server 
HTTP/server.ourdomain.com

I also needed to add an additional one for:

HTTP/test.ourcompany.com

Geez, what a battle! At least it's over! :)
Thanks for the help guys!

自在安然 2024-08-06 10:35:49

您所描述的内容应该没有问题。

您的连接字符串应如下所示:

<add name="IntegratedAuthConnectionString" connectionString=
 "Data Source=DATABASEINSTANCE;Integrated Security=True"
 providerName="System.Data.SqlClient"/>

您的 web.config 还应指定 Windows 身份验证

<authentication mode="Windows"/>

创建一个测试页面,转储 Request.ServerVariables 集合中的所有内容,并确保您看到经过身份验证的用户名和域。 类似于下面的代码

foreach (string s in Request.ServerVariables)
{
    Response.Write(s + ": " + Request.ServerVariables[s] + "<br />");
}

What you are describing should work without issue.

Your connection string should look like:

<add name="IntegratedAuthConnectionString" connectionString=
 "Data Source=DATABASEINSTANCE;Integrated Security=True"
 providerName="System.Data.SqlClient"/>

Your web.config should also specify windows authentication

<authentication mode="Windows"/>

Create a test page which dumps everything from the Request.ServerVariables collection and ensure that you are seeing the authenticated username and domain. Something along the lines of the code below

foreach (string s in Request.ServerVariables)
{
    Response.Write(s + ": " + Request.ServerVariables[s] + "<br />");
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文