IIS7 中的 SQL Server 和 Windows 身份验证
我正在尝试使用 SQL Server 和 Windows 身份验证在 Vista (IIS7) 上运行 ASP.NET 网站。无论我做什么,当我连接到数据库时,都会遇到异常:
SqlException was unhandled
Login failed for user 'MyDomain\MachineName$'.
应用什么设置似乎并不重要,我无法让 IIS7 通过我的 Windows 登录凭据。
额外详细信息:
- SQL Server 和我的本地计算机都位于 ActiveDirectory
- Vista Enterprise、IIS7
- SQL Server 2005
- 禁用匿名身份验证,启用 Windows 身份验证 模拟
- 开/关没有区别
- 所有身份(网络服务、本地系统等)给出相同的结果
- 经典和集成管道给出相同的结果
帮助!
I'm trying to get an ASP.NET website running on Vista (IIS7), using SQL Server and Windows Authentication. No matter what I do, when I connect to the database, I get the exception:
SqlException was unhandled
Login failed for user 'MyDomain\MachineName
It doesn't seem to matter what settings I apply, I cannot get IIS7 to pass through my Windows login credentials.
Extra details:
- Both the SQL Server and my local machine are on ActiveDirectory
- Vista Enterprise, IIS7
- SQL Server 2005
- Anonymous Authentication disabled, Windows Authentication enabled
- Impersonation on/off makes no difference
- All Identities (NetworkService, LocalSystem, etc) give the same result
- Classic and integrated pipelines give the same result
Help!
.It doesn't seem to matter what settings I apply, I cannot get IIS7 to pass through my Windows login credentials.
Extra details:
- Both the SQL Server and my local machine are on ActiveDirectory
- Vista Enterprise, IIS7
- SQL Server 2005
- Anonymous Authentication disabled, Windows Authentication enabled
- Impersonation on/off makes no difference
- All Identities (NetworkService, LocalSystem, etc) give the same result
- Classic and integrated pipelines give the same result
Help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果配置正确,模拟开/关会产生很大的不同。您想要的称为“约束委派”,并且需要为其配置 IIS 和 ASP:
Impersonation on/off makes all the difference, when properly configured. What you want is caled 'constrained delegation' and you need to configure IIS and ASP for it:
默认情况下,不允许 IIS 服务器
模拟您访问 SQL Server。有一篇关于如何配置它的 MSDN 文章。配置过程复杂且容易出错。如果您的生产 ISS 和 SQL Server 在不同的服务器上运行,您将需要域管理员来配置两个服务器之间的模拟信任。这在大型组织中通常是不允许的。
除了不由普通管理员部署之外,模拟还可以阻止用户共享 SQL 连接池中的连接。即使对于小型(5 个以上用户)网站,这也会导致非常明显的性能损失。
By default, the IIS server is not allowed to
impersonateyou towards the SQL Server. There's an MSDN article on how to configure it. The configuration process is complex and error prone.If your production ISS and SQL Server run on different servers, you'll need a domain admin to configure impersonation trust between the two servers. This is typically a no-go in a big organization.
In addition to not being deployed by normal admins, impersonation also prevents users from sharing their connections in the SQL connection pool. This results in a very noticeable performance penalty for even small (5+ users) websites.
您是否尝试为您的应用程序创建一个新的用户帐户,授予它在 Sql Server 上的适当权限,然后将应用程序池设置为在此新帐户下运行?
这是我经常做的事情,而且很有效。我没有在 NetworkService、LocalSystem 或其他内置帐户下运行我的应用程序。
Did you try to create a new user account for your application, grant it the appropriate rights on the Sql Server, and then set the application pool to run under this new account?
This is what I usually do, and it works. I'm not running my application under NetworkService, LocalSystem or other builtin accounts.
您的连接字符串是否包含
Integrated Security=SSPI?您是否也将 asp.net 上下文切换为域用户?
这是关于此主题的 MSDN 文章
http://msdn.microsoft.com/ en-us/library/2xzyzb0f.aspx
Does your connection string contain
Integrated Security=SSPI?Have you switched the asp.net context to be a domain user as well?
Here is an MSDN article on this topic
http://msdn.microsoft.com/en-us/library/2xzyzb0f.aspx