I am trying to use IIS 7.5 Application Pool identity as login on SQL Server 2008 R2 so that my ASP.NET web app can connect to the database...
我试图使用IIS 7.5应用程序池身份登录SQL Server 2008 R2,以便我的ASP.NET Web应用程序可以连接到数据库...
Using this approach worked fine on my local dev machine (IIS 7.5 and SQL Server 2008 R2 on same machine).
使用这种方法在我的本地开发机器(同一台机器上的IIS 7.5和SQL Server 2008 R2)上运行良好。
However, when I try to set up the same on production (IIS and SQL servers are separate) I am unable to add "IIS APPPOOL\MyAppAppPool" login to SQL Server 2008 R2.
但是,当我尝试在生产中设置相同(IIS和SQL服务器是分开的)时,我无法将“IIS APPPOOL \ MyAppAppPool”登录添加到SQL Server 2008 R2。
Notice that in either case you cannot use "Browse..." when creating a login in SQL Server since "IIS APPPOOL\MyAppAppPool" user identity is dynamic (or "special")...
请注意,在任何一种情况下,在SQL Server中创建登录时都不能使用“浏览...”,因为“IIS APPPOOL \ MyAppAppPool”用户身份是动态的(或“特殊”)...
Any ideas?
有任何想法吗?
Update:
更新:
For more info on Application Pool Identities see here.
有关应用程序池标识的更多信息,请参阅此处。
From article:
来自文章:
Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
每当创建新的应用程序池时,IIS管理进程都会创建一个安全标识符(SID),表示应用程序池本身的名称。例如,如果创建名为“MyNewAppPool”的应用程序池,则会在Windows安全系统中创建名为“MyNewAppPool”的安全标识符。从现在开始,可以使用此标识来保护资源。但是,身份不是真实的用户帐户;它不会在Windows用户管理控制台中显示为用户。
1 个解决方案
#1
3
That articles states (under "Accessing the Network") you still use the <domainname>\<machinename>$ aka machine account in the domain.
该文章指出(在“访问网络”下)您仍然使用域中的
So if both servers are in "foobar" domain, and the web box is "bicycle", the login used to the SQL Server Instance is foobar\bicycle$
因此,如果两个服务器都在“foobar”域中,并且Web框是“bicycle”,则用于SQL Server实例的登录名为foobar \ bicycle $
If you aren't in a domain, then there is no common directory to authenticate against. Use a SQL login with username and password for simplicity
如果您不在域中,则没有用于进行身份验证的公共目录。为简单起见,请使用带有用户名和密码的SQL登录
Edit, after comment
评论后编辑
If the domains are trusted then you can use the machien account still (use domain local groups for SQL Server, into which add a global groups etc)
如果域是可信的,那么您仍然可以使用machien帐户(使用SQL Server的域本地组,添加全局组等)
As for using app pool identities, they are local to your web server only as per article. They have no meaning to SQL Server. If you need to differentiate sites, then use proper domain accounts for the App Pools.
至于使用应用程序池标识,它们只是根据文章在您的Web服务器本地。它们对SQL Server没有任何意义。如果您需要区分网站,请使用适当的域帐户作为应用程序池。
You can't have it both ways...
你无法双管齐下......
#1
3
That articles states (under "Accessing the Network") you still use the <domainname>\<machinename>$ aka machine account in the domain.
该文章指出(在“访问网络”下)您仍然使用域中的
So if both servers are in "foobar" domain, and the web box is "bicycle", the login used to the SQL Server Instance is foobar\bicycle$
因此,如果两个服务器都在“foobar”域中,并且Web框是“bicycle”,则用于SQL Server实例的登录名为foobar \ bicycle $
If you aren't in a domain, then there is no common directory to authenticate against. Use a SQL login with username and password for simplicity
如果您不在域中,则没有用于进行身份验证的公共目录。为简单起见,请使用带有用户名和密码的SQL登录
Edit, after comment
评论后编辑
If the domains are trusted then you can use the machien account still (use domain local groups for SQL Server, into which add a global groups etc)
如果域是可信的,那么您仍然可以使用machien帐户(使用SQL Server的域本地组,添加全局组等)
As for using app pool identities, they are local to your web server only as per article. They have no meaning to SQL Server. If you need to differentiate sites, then use proper domain accounts for the App Pools.
至于使用应用程序池标识,它们只是根据文章在您的Web服务器本地。它们对SQL Server没有任何意义。如果您需要区分网站,请使用适当的域帐户作为应用程序池。
You can't have it both ways...
你无法双管齐下......