Kerberos, Claims-Based Authentication and SharePoint: Unable to connect to the database

Posted on 2024-12-02 06:25:25

I have a server which hosts Sharepoint 2010. I have another server which hosts a SQL Server 2008 R2. SharePoint is Kerberos/Claims Based.

On my SharePoint, I installed a custom made webpart that connects to the SQL Server machine using standard connection string (Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;).

The problem is that when the webpart tries to connect to the sql server, I get the following message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

What we've done:

  • Verify all spn/delegation/trusts things - everything seems okay.
  • Tried to connect directly from the sharepoint machine via a UDL file to sql server, and it works.
  • Tried the webpart as standalone ASPX page on a single machine server to prove the code is supposed to work, and it works.
  • Wireshark -> We can see a KDC_ERR_S_PRINCIPAL_UNKNOWN when ANONYMOUS LOGON tries to connect to sql server (obviously).
  • SharePoint Developer Dashboard shows us our current username, which is not ANONYMOUS.
  • Traces in the webpart show two things: The HTTPCONTEXT is set to my current user, so is the Thread.Current.
  • Using SQL Profiler, we can see that the request is from ANONYMOUS
  • We tried to access a web service on another server from another custom made webpart, and it failed for the same reason (ANONYMOUS).

What are we missing? The problem really seems to be that SharePoint is unable to send the current user credential to another server (sql or not).

Comments (1)

放下 2024-12-09 06:25:25

Have you verified that Kerberos is working?

Download the Troubleshooting Kerberos Delegation

http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en
