How do I configure IIS so that it uses the user's domain credentials when connecting to SQL Server?

Posted 2024-09-29 19:01:12 · 661 characters · 9 views · 0 comments

We've recently released the latest version of our intranet application, which now uses windows authentication as standard, and needs to be able to connect to a configured SQL server with the end-user's domain credentials.

Lately we've found that on a couple of customer deployments, although IIS can see the user's domain credentials, it will not pass these on to SQL server. Instead, it seems to use the anonymous account. This is in spite of following all the correct steps (changing the directory security to Win Auth, updating Web.Config to use Win Auth and denying anonymous users).

I've been doing a lot of reading that suggests we need to make sure that Kerberos is in place, but I'm not sure (a) how valid this is (i.e. is it really a requirement?) or (b) how to go about investigating if it's set up or how to go about setting it up.

We're in a situation where we need to be able to either configure IIS or the application to work for the customer, or explain to the customer exactly what they need to do to get it working.

We've managed to reproduce this on our internal network with a test SQL server and a developer's IIS box, so we're going to mess around with this set up and see if we can come up with a solution, but if anyone has any bright ideas, I'd be most happy to hear them!

I'd especially like to hear people's thoughts or advice in terms of Kerberos. Is this a requirement, and if it is, how do I outline to customers how it should be configured?

Oh, and I've also seen a couple of people mention the 'classic one-hop rule' for domains and passing windows credentials around, but I don't know how much weight this actually holds?

Thanks!

Matt

Comments (3)

假面具 2024-10-06 19:01:12

This is called the Double-Hop Problem and prohibits the forwarding of users' credentials to third parties. This occurs when they browse from one machine against a site on another (first hop), and the credentials are then forwarded to a third machine (second hop).

The problem will not appear if you host IIS and SQL Server on the same machine.

There are a lot more technical details published on this in How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.

江湖正好 2024-10-06 19:01:12

To run your application under the user's Active Directory or Windows credentials, ensure these:

  • the IIS application is set to NOT allow anonymous access
  • the IIS application uses Integrated Windows authentication
  • your connection string should have Integrated Security=SSPI to ensure the user's Windows/AD credentials are passed to SQL Server.

    i.e. Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;

故人如初 2024-10-06 19:01:12

You state you're not sure "how to go about investigating if it's set up or how to go about setting it up".

For this I'd heartily recommend a tool called DelegConfig. It's a very handy app that can tell you if Kerberos is set up properly.

Unzip it into a directory and configure a virtual directory in IIS to point to it. Browse to the main page, tell it which backend server you want to allow access to (e.g. UNC, SQL, HTTP, etc.), and it tells you whether it is set up correctly or not and explains why.

It even has the ability to reconfigure Kerberos to fix the issue if you so desire (although I've not used this - I'd rather reconfigure it myself to understand what I've done in future).

I realise this comes too late for your particular problem but thought it worth sharing for others that follow - especially the tool's ability to explain why delegation is or is not working. I've found it invaluable.
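As an added example (not from the thread, and not part of DelegConfig), an ASP.NET diagnostic handler that exposes both hops the answers describe: who IIS authenticated and by which scheme, the impersonation level of the worker thread's token, and the login and auth_scheme that SQL Server actually sees. The `AuthDiag` class name, its Web.config handler mapping and the SQL Server name are assumptions.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added diagnostic handler for the double-hop problem: shows who IIS authenticated and
// how, whether the worker thread holds a delegatable token for that user, and which
// principal actually reached SQL Server. Assumes <authentication mode="Windows"/>,
// <identity impersonate="true"/>, anonymous access off, and a placeholder server name.
public class AuthDiag : IHttpHandler
{
    const string ConnStr =
        "Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=master;Integrated Security=SSPI;";
    public bool IsReusable { get { return false; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        var w = ctx.Response.Output;
        // Hop 1 (browser -> IIS): "Negotiate"/"Kerberos" can be delegated onward, "NTLM"
        // cannot; an unauthenticated user means anonymous access is still enabled.
        IIdentity webUser = ctx.User != null ? ctx.User.Identity : null;
        bool authed = webUser != null && webUser.IsAuthenticated;
        w.WriteLine("IIS user        : {0}", authed ? webUser.Name : "(anonymous)");
        w.WriteLine("Auth type       : {0}", authed ? webUser.AuthenticationType : "(none)");
        // Thread token: only TokenImpersonationLevel.Delegation lets Kerberos carry the
        // user's identity to another machine; Impersonation is valid on this box only.
        WindowsIdentity threadUser = WindowsIdentity.GetCurrent();
        w.WriteLine("Thread identity : {0}", threadUser.Name);
        w.WriteLine("Token level     : {0}", threadUser.ImpersonationLevel);
        // Hop 2 (IIS -> SQL Server): an app-pool or anonymous login, or auth_scheme = NTLM,
        // means the user's Kerberos ticket was not forwarded on the second hop.
        try
        {
            using (var con = new SqlConnection(ConnStr))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME(), auth_scheme " +
                   "FROM sys.dm_exec_connections WHERE session_id = @@SPID", con))
            {
                con.Open();
                using (var r = cmd.ExecuteReader())
                    if (r.Read())
                        w.WriteLine("SQL login/scheme: {0} / {1}", r.GetString(0), r.GetString(1));
            }
        }
        catch (SqlException ex)
        {
            // The question's symptom lands here: SQL Server rejected the login because the
            // user's credentials were replaced by the anonymous/app-pool identity.
            w.WriteLine("SQL open failed : {0}", ex.Message);
        }
    }
}
```

Browse to the handler as a domain user from a different machine than the IIS box; if the first two sections show the user with a Kerberos scheme and a Delegation-level token but SQL Server reports a different login, the missing piece is delegation configuration, which DelegConfig can then pinpoint.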
