在 IIS7 中通过 PHP 连接到 SQL SERVER 2008(使用 Windows 身份验证)?
我需要通过 PHP 代码使用 Windows 身份验证连接到 Sql Server 2008,方法是传递用户名和密码,就像我们使用 SQL 身份验证连接到 Sql Server 时所做的那样。我需要根据 Windows 身份验证的 User/Password 对用户进行身份验证。
当我使用 SQL 身份验证时,我能够通过在数据源 (ODBC) 配置工具中创建名为 DBconnect 的系统 DSN 进行连接。然后,我可以使用 SQL Server 身份验证成功验证登录 ID,并使用用户通过以下 php 代码输入的登录 ID 和密码连接到数据库:
$con = odbc_connect("DBconnect", "sql_user", "sql_password");
现在,当 SQL Server 使用 Windows 身份验证时,我需要执行相同的操作。 我想在数据源 (ODBC) 配置工具中创建一个名为 DBConnect_NT 的系统 DSN,并将其设置为使用网络登录 ID 通过 Windows 身份验证验证登录 ID 的真实性。
我有这段代码:
$con = odbc_connect("DBconnect_NT", "windows_user", "windows_pass");
但它不起作用。我收到此错误:
查询准备/执行时出错。 28000
我更改了 IIS7 管理器的“身份验证”部分中的一些设置
Windows Authentication = Enabled
Anonymous Authentication = Disabled
现在我可以使用此代码:
$con = odbc_connect("DBconnect_NT", "", "");
并且我看到一个弹出窗口提示我登录。当我输入用户名和密码时,它会进行连接,因此允许我使用相同的 $con 连接对象执行其他查询。
不幸的是,我无法根据这种方法对网站的用户进行身份验证。当我在弹出窗口中输入错误的用户名和密码时,它没有响应(弹出窗口再次出现)。如果我取消弹出窗口,它将显示此 401 错误:
401 - 未经授权:由于凭据无效,访问被拒绝。
我是否使用正确的方法通过 Windows 身份验证连接到 SQL Server? 是否有其他可能的方法通过动态传递 Windows 身份验证用户名和密码来连接 SQL Server?
我还尝试使用 LDAP 对 Active Directory 进行身份验证,但它不起作用。
我在 Amazon EC2 计算机中使用 SQL SERVER 2008、IIS7 和 PHP5.3。
这是我使用 http://example.net/Webservice/connect.php 构建的 Flex 应用程序。 Flex 动态地将用户名/密码从表单传递到此弹出窗口,从而进行连接。但是,当提供错误的用户名/密码时,弹出窗口很难处理。它不断返回并且 Flex 应用程序挂起。
如果在弹出窗口中输入错误的用户名/密码时可能收到错误代码,则可能会解决问题。使用 Windows 身份验证连接 SQL Server 并直接传递用户名/密码的其他一些方法也可以解决我的问题。
I need to connect to Sql Server 2008 using windows authentication from PHP code by passing the username and password like we do when we connect to Sql Server with SQL Authentication. I need to authenticate the user based on Windows Authentication's User/Password .
When I was using SQL Authentication I was able to connect by creating a System DSN named DBconnect in the Data Source (ODBC) configuration tool. Then I could successfully verify the login ID with SQL Server Authentication and connect to the database using Login ID and Password entered by a user with this php code:
$con = odbc_connect("DBconnect", "sql_user", "sql_password");
Now I need to do the same thing when SQL Server is using Windows Authentication.
I want to create a System DSN named DBConnect_NT in Data Source (ODBC) Configuration tool and set it to verify the authenticity of the login ID with Windows Authentication using the network login ID.
I have this code:
$con = odbc_connect("DBconnect_NT", "windows_user", "windows_pass");
But it doesn't work. I get this error:
Error in query preparation/execution. 28000
I changed some settings in the Authentication section of IIS7 Manager
Windows Authentication = Enabled
Anonymous Authentication = Disabled
Now I can use this code:
$con = odbc_connect("DBconnect_NT", "", "");
and I see a popup prompting me to login. As I type username and password, It connects and hence allows me to do other queries using same $con connection object.
Unfortunately, I'm not able to authenticate the user for the web site based on this approach. When I type wrong username and password to the popup it gives no response (the popup comes again). If I cancel the popup, it will show this 401 error:
401 - Unauthorized: Access is denied due to invalid credentials.
Am I using correct way to connect to SQL Server via Windows authentication?
Is there some other possible way to connect SQL Server by passing the Windows Authentication username and password dynamically?
I have also tried using LDAP to authenticate against Active directory, but its not working.
I'm using SQL SERVER 2008,IIS7 and PHP5.3 in an Amazon EC2 machine.
This is for a flex application I'm building using http://example.net/Webservice/connect.php. Flex dynamically passes the username/password to this popup from a form and hence connects. But when wrong username/password are supplied the popup is difficult to handle. It comes back continuously and the flex application hangs .
If it is possible to receive an error code when the wrong username/password are entered in the popup it may solve the issue. Some other method to connect SQL Server using Windows Authentication and pass the username/password directly would also solve my problem.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
当您使用 Windows 身份验证时,Sql Server 根本看不到您的用户名或密码。停下来再读一遍这句话,因为理解这一点非常重要。
要使 Windows 身份验证发挥作用,您必须首先直接通过 Active Directory 域控制器 (DC) 进行身份验证。当您成功登录时,DC 将为您的会话颁发一个安全令牌。您提供的此令牌是为了使 Sql Server Windows 身份验证发挥作用,而不是您的用户名或密码。 Sql Server 仅验证令牌。
这就是 LDAP 方法不起作用的原因。 LDAP 仅提供来自 Active Directory 的“是/否”响应。 LDAP 不提供您需要的安全令牌。可以将其视为在 Windows 中相当于对 Linux 服务器使用证书身份验证的情况。此外,此令牌与建立连接的进程相关联。它不是您可以在连接对象上设置的属性。这是一项安全功能,可防止窃取或劫持代币。
这会在网站中产生问题,您需要一种方法来存储和管理网站每个用户的令牌,并将其附加到您的 Web 服务器进程。 IIS 为此提供了一种称为模拟的机制。它最初是为 ASP.Net 构建的,但似乎 FastCGI 确实通过
php.ini中的fastcgi.impersonate设置文件。但请注意,我个人从未尝试过使用它,所以我无法评价它的效果如何。您还需要一种方法来连接到公共页面上的数据库预身份验证,以及一种将身份验证连接到 Active Directory 帐户的方法,这将限制您可用的身份验证机制。我自己不是普通 PHP 用户,也不知道您的 AD 环境与 EC2 Web 服务器实例有何关系,这就是我所能为您提供的信息。
When you use Windows Authentication, Sql Server does not see your username or password at all. Stop and read that sentence again, because it's very important to understand this.
For Windows Authentication to work, you must first authenticate directly with an Active Directory Domain Controller (DC). When you successfully log in, the DC will issue a security token for your session. It's this token you provide for Sql Server Windows Authentication to work, and not your username or password. Sql Server only verifies the token.
This is why the LDAP methods do not work. LDAP only provides a "yes/no" response from Active Directory. LDAP does not provide the security token you need. Think of it as the Windows equivalent to using Certificate Authentication to a linux server. Moreover, this token is associated with the process making the connection. It's not a property you can just set on a connection object. This is a security feature to make it difficult to steal or hijack tokens.
That creates problems in a web site, where you need a way to store and manage the token for each user of the site, and attach it to your web server process. IIS provides a mechanism for this called Impersonation. It was built originally for ASP.Net, but it seems FastCGI does support it via the
fastcgi.impersonatesetting in thephp.inifile. But note I've never personally tried to use this, so I can't speak to how well it works.You also need a way to connect to the DB on public pages pre-authentication, and a way to connect the authentication to the Active Directory account, which will limit authentication mechanisms available to you. Not being a regular PHP user myself, and not knowing how your AD environment relates to your EC2 web server instance, this is as far as I can take you.
要对 sql server 使用 Windows 身份验证,无需指定用户名和密码。相反,您可以更改连接字符串以实现集成安全性,如下所示:
或受信任连接的变体:
或者,如果您使用 ODBC DSN,请以类似的方式跳过用户名和密码。
最重要的是,您需要了解在这种情况下与数据库的 Windows 用户连接是运行您的站点的 IIS 帐户。您所做的 Windows 身份验证内容将是本地 Intranet:您的所有用户都是 Windows 域的一部分,或者与其信任。
如果您在此处搜索 IIS PHP 和 SQL Server,您将获得一些可能有用的信息。
To use windows authentication for sql server, you don't specify user name and password. Instead, you change the connection string for integrated security, as in:
or the variant for trusted connections:
Or if you are using an ODBC DSN, skip user names and password in a similar way.
On top of that, you need to be understand the Windows user connection to the db in this situation is the IIS account running your site. The Windows Authentication stuff you did would be a local intranet: all your users are part of a Windows domain, or have a trust with it.
If your search on here for IIS PHP and SQL server, you'll get some info that might be useful.