IIS 到 SQL Server kerberos 身份验证问题
我们有一个第三方产品,允许我们的一些用户通过单独服务器 (SvrWeb) 上的网站操作数据库(我们称之为 SvrSQL)中的数据。
在 SvrWeb 上,我们为此应用程序设置了一个特定的非默认网站,因此无需访问 http://SvrWeb.company。 com 访问我们使用 http://application.company.com 的网站,该网站解析为 SvrWeb并且主机标头解析到正确的网站。
还为此站点设置了一个特定的应用程序池,它使用我们称为“company\SrvWeb_iis”的 Active Directory 帐户标识。我们设置为允许对此帐户进行委派,并允许它模拟我们希望它执行的另一个登录。 (我们希望此帐户将登录网站的人员的 AD 凭据传递到 SQL Server,而不是服务帐户。
我们还通过以下命令为 SrvWeb_iis 帐户设置 SPN: setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
网站已启动,但网站中调用数据库的部分返回消息: 无法执行数据库查询。 用户“NT AUTHORITY\ANONYMOUS LOGON”登录失败。
我以为我们已经正确设置了 SPN 信息,但是当我检查 SrvWeb 上的安全事件日志时,我看到了我的登录条目,但它似乎使用的是 NTLM 而不是 kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
详细介绍此设置的任何想法或文章将不胜感激!
如果有帮助的话,我们正在使用 SQL Server 2005,并且 Web 和 SQL 服务器都是 Windows 2003。
We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website.
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're setup to allow delegation on this account and to allow it to impersonate another login which we want it to do. (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account.
We also set up the SPNs for the SrvWeb_iis account via the following command:
setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
The website pulls up, but the section of the website that makes the call to the database returns the message:
Cannot execute database query.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Any ideas or articles that cover this setup in detail would be extremely appreciated!
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
kerberos 失败的可能原因有多种,其中包括缺少 SPN 和重复的 SPN。
如果 SQL 在自定义帐户下运行,您还需要为 SQL 添加 SPN。
另请记住,您应该为 FQDN 添加 SPN,FQDN 是 DNS 中的主机 (A) 条目,而不是 CNAME。
检查 NTAuthenticationProviders 的值
http://support.microsoft.com/kb/215383
尝试 DelegConfig 它会显示缺少的内容如果是 SPN 或其他什么。
http://www.iis.net/community /default.aspx?tabid=34&g=6&i=1887
There are several possible reasons for kerberos failures which includes lack of SPN and duplicate SPN as well.
If SQL is running under custom account you would need to add SPN for SQL as well.
Also keep in mind, you should be adding SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
Try DelegConfig which would show what is missing if its SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887