Here's the situaiton. I'm working on developing a new website to access an old database. This is a DoD installation so there's lots of security around.
这是情境。我正在开发一个新网站来访问旧数据库。这是一个DoD安装,因此有很多安全性。
The current application is written in classic ASP, VBScript and some javascript. The new systems is ASP.NET.
当前的应用程序是用经典的ASP,VBScript和一些javascript编写的。新系统是ASP.NET。
Accessing the database in the old system meant hitting the server with your own credentials (domainname\username). Now I'm trying to test some of the early development I've done. When I used Cassini (under VS2008), I had no trouble getting to the database because ourdomain\myusername registered with the SQL Server instance as a trusted connection. Due to security aspects that I have to write, Cassini can't serve as a test server anymore - I have to use IIS (we have security card readers here). Cassini can't handle them.
访问旧系统中的数据库意味着使用您自己的凭据(domainname \ username)命中服务器。现在我正在尝试测试我已经完成的一些早期开发。当我使用Cassini(在VS2008下)时,我没有遇到数据库,因为我们的域名\ myusername在SQL Server实例中注册为可信连接。由于我必须编写的安全方面,Cassini不能再作为测试服务器 - 我必须使用IIS(我们这里有安全卡读卡器)。卡西尼无法处理它们。
So when I went through all the problems of getting the appropriate accounts added to Administrators on my local pc so that I could debug in VS2008 while using IIS, I tried to connect to the database and I was rejected because MYPC\ASPNET was not a trusted connection.
因此,当我解决所有问题,即在我的本地电脑上添加适当的帐户添加到管理员,以便我可以在使用IIS时在VS2008中进行调试,我试图连接到数据库而我被拒绝,因为MYPC \ ASPNET不是受信任的连接。
Altering the existing database is out of the question. Hard coding usernames and passwords for access to the database is out of the question.
改变现有数据库是不可能的。用于访问数据库的硬编码用户名和密码是不可能的。
I asked the DBA if he could add MYPC\ASPNET to of the domain groups so that SQL Server could see it as a trusted connection (since MYDOMAIN\MYNAME was in a group that was seen as a trusted connection). He tells me that is not technically possible.
我问DBA他是否可以将MYPC \ ASPNET添加到域组中,以便SQL Server可以将其视为可信连接(因为MYDOMAIN \ MYNAME位于被视为可信连接的组中)。他告诉我,这在技术上是不可能的。
In the end there are going to be three or four machines (mine, another developer, the eventual live web server and a future test web server) who's ASPNET accounts are going to be hitting our two SQL servers (live and test).
最终将会有三到四台机器(我的,另一台开发人员,最终的实时网络服务器和未来的测试网络服务器),他们的ASPNET帐户将会击中我们的两台SQL服务器(实时和测试)。
What do I have to do to make the existing SQL server see me as Friend and not Foe? I looked at impersonation but I get the impression it's not compatible with our system - the business rules make a call to a common routine to create a SqlConnection object and open it (maybe even a SqlTransaction object to go with it) and this object is used for the rest of the business rules and data-access layer until it's done. It didn't look like impersonation would persist once the SqlConnection was opened (and passed, ByRef back to the calling routine)
我需要做些什么才能让现有的SQL服务器将我视为朋友而不是敌人?我看了模仿,但我得到的印象是它与我们的系统不兼容 - 业务规则调用一个公共例程来创建一个SqlConnection对象并打开它(甚至可能是一个SqlTransaction对象),并且使用了这个对象对于其余的业务规则和数据访问层,直到完成为止。一旦SqlConnection被打开(并且传递,ByRef回到调用例程),它看起来不会持续存在
Thanks in advance for any advice.
提前感谢任何建议。
4 个解决方案
#1
You have two options:
你有两个选择:
- Run your web application in an application pool configured to run in the context of a domain account
- Use impersonation and configure your web application to use windows authentication only
在配置为在域帐户的上下文中运行的应用程序池中运行Web应用程序
使用模拟并将Web应用程序配置为仅使用Windows身份验证
#3
As has already been suggested you should use impersonation.
正如已经建议你应该使用模仿。
However if your SQL Server is running on a different machine than your web server then impersonation will not suffice as the credentials of the user will not be delegated to the SQL Server (server hop). In that case you will have to either enable delegation in the AD or create a non-Windows login on your SQL Server and use that instead (this will not work if your SQL Server actually uses the Windows login for access control to tables etc.).
但是,如果您的SQL Server在与Web服务器不同的计算机上运行,则模拟将不足以满足用户的凭据不会委派给SQL Server(服务器跃点)。在这种情况下,您必须在AD中启用委派或在SQL Server上创建非Windows登录并使用它(如果您的SQL Server实际使用Windows登录对表等进行访问控制,这将不起作用) 。
#4
Sounds like you want to impersonate the client who is accessing your web site correct? Have you tried to use impersonation or are you assuming it won't work?
听起来你想冒充正常访问你网站的客户?您是否尝试使用模拟,或者您认为它不起作用?
Edit
As Albert points out, impersonation requires the user to be authenticated using Windows authentication. You will want to disable Anonymous Access, and enable Windows Authentication in IIS Management tool.
正如Albert指出的那样,模拟需要使用Windows身份验证对用户进行身份验证。您将需要禁用匿名访问,并在IIS管理工具中启用Windows身份验证。
#1
You have two options:
你有两个选择:
- Run your web application in an application pool configured to run in the context of a domain account
- Use impersonation and configure your web application to use windows authentication only
在配置为在域帐户的上下文中运行的应用程序池中运行Web应用程序
使用模拟并将Web应用程序配置为仅使用Windows身份验证
#2
Use Impersonation
#3
As has already been suggested you should use impersonation.
正如已经建议你应该使用模仿。
However if your SQL Server is running on a different machine than your web server then impersonation will not suffice as the credentials of the user will not be delegated to the SQL Server (server hop). In that case you will have to either enable delegation in the AD or create a non-Windows login on your SQL Server and use that instead (this will not work if your SQL Server actually uses the Windows login for access control to tables etc.).
但是,如果您的SQL Server在与Web服务器不同的计算机上运行,则模拟将不足以满足用户的凭据不会委派给SQL Server(服务器跃点)。在这种情况下,您必须在AD中启用委派或在SQL Server上创建非Windows登录并使用它(如果您的SQL Server实际使用Windows登录对表等进行访问控制,这将不起作用) 。
#4
Sounds like you want to impersonate the client who is accessing your web site correct? Have you tried to use impersonation or are you assuming it won't work?
听起来你想冒充正常访问你网站的客户?您是否尝试使用模拟,或者您认为它不起作用?
Edit
As Albert points out, impersonation requires the user to be authenticated using Windows authentication. You will want to disable Anonymous Access, and enable Windows Authentication in IIS Management tool.
正如Albert指出的那样,模拟需要使用Windows身份验证对用户进行身份验证。您将需要禁用匿名访问,并在IIS管理工具中启用Windows身份验证。