.net Web 应用程序为用户“NT AUTHORITY\ANONYMOUS LOGON”获取登录失败
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10957443/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Web App getting Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
提问by Chad
I see that many people get this error, but their situations all appear a little different from mine.
我看到很多人都会犯这个错误,但他们的情况都和我的有点不同。
I have a ASP.NET 4.0 web app that runs in IIS 6.0 on a Windows 2003 Server.
我有一个 ASP.NET 4.0 Web 应用程序,它在 Windows 2003 Server 上的 IIS 6.0 中运行。
When I Remote to the web server box and log on there and access the site as localhostrather than by machine name, the web app works fine. However, when I access the web site from another client machine, I get the following error:
当我远程连接到 Web 服务器框并在那里登录并以localhost而不是机器名称访问该站点时,Web 应用程序工作正常。但是,当我从另一台客户端计算机访问该网站时,出现以下错误:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
The web site has Anonymous access turned Windows Authentication turned on. The web app contains the following:
该网站的匿名访问已打开 Windows 身份验证。Web 应用程序包含以下内容:
<authentication mode="Windows"> </authentication>
<identity impersonate="true"/>
<connectionStrings>
<add name="MyConnection" connectionString="Data Source=MyDbServer;Initial Catalog=MyDatabase;Integrated Security=True"
</connectionStrings>
My web server is running on a Virtual Server. Is this relevant? I assume not.
我的 Web 服务器在虚拟服务器上运行。这是否相关?我认为不是。
Note that if I add my domain\login and password in the web config after Impersonation = TRUE, the site works.
请注意,如果我在 Impersonation = TRUE 之后在 web 配置中添加我的域\登录名和密码,则该站点可以正常工作。
回答by Chris Young
It sounds like you're running into what's called a "double-hop" issue, which is where the server is not being trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to the SQL Server).
听起来您遇到了所谓的“双跳”问题,即不信任服务器将客户端的凭据传递给另一个框(跃点 1 是 IIS 框的凭据,跃点 2 是从 IIS 框到 SQL Server)。
When you're logged directly into the server, the second hop doesn't need to take place since it's just passing credentials directly from the client machine (the IIS server in this scenario) directly to the SQL Server. Likewise, if the SQL Server lived on the IIS box, you wouldn't have this error either, since the client would only be making the one request to a box that could share the credentials with both IIS and SQL Server.
当您直接登录到服务器时,不需要进行第二个跃点,因为它只是将凭据直接从客户端计算机(在此场景中为 IIS 服务器)直接传递到 SQL Server。同样,如果 SQL Server 位于 IIS 机器上,您也不会出现此错误,因为客户端只会向可以与 IIS 和 SQL Server 共享凭据的机器发出一个请求。
There are quite a few steps required to get the delegation to work, such as trusting the servers for delegation, creating SPNs and making sure that other proper permissions are given to the account that IIS is using to run the web site. There is a technet article that can help take you through a lot of the required steps here: https://docs.microsoft.com/en-us/archive/blogs/taraj/checklist-for-double-hop-issues-iis-and-sql-server
使委派工作需要很多步骤,例如信任委派服务器、创建 SPN 并确保为 IIS 用于运行网站的帐户提供其他适当的权限。有一篇技术网文章可以帮助您完成许多必需的步骤:https: //docs.microsoft.com/en-us/archive/blogs/taraj/checklist-for-double-hop-issues-iis -and-sql-server
Note:if you're using NTLM and not Kerberos (or another delegatable protocol), it will not work, as the middle server (the IIS server) needs to have a token that it can pass along. Since NTLM is based on negotiation, it won't work.
注意:如果您使用的是 NTLM 而不是 Kerberos(或其他可委托协议),它将无法工作,因为中间服务器(IIS 服务器)需要一个可以传递的令牌。由于 NTLM 基于协商,因此行不通。
回答by nunespascal
The problem here is you are using
这里的问题是你正在使用
<authentication mode="Windows"> </authentication>
This needs your browser to send NTLMcredentials. Firefox does not send this by default.
这需要您的浏览器发送NTLM凭据。默认情况下,Firefox 不会发送此信息。
When you on the the server and use localhost, your browser is sending your windows login credentials to the server. It is authenticating and giving access to the user, MyDomain\MyID.
当您在服务器上并使用 localhost 时,您的浏览器会将您的 Windows 登录凭据发送到服务器。它正在对用户 MyDomain\MyID 进行身份验证并授予访问权限。
ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).
ASP.NET 模拟由 IIS 传递给它的令牌,该令牌可以是经过身份验证的用户或匿名 Internet 用户帐户 (IUSR_machinename)。
All your web requests, that occur from machines that are not on that domain, will run under the anonymous account. In your case, NT AUTHORITY\ANONYMOUS LOGON
来自不在该域中的计算机的所有 Web 请求都将在匿名帐户下运行。在你的情况下,NT AUTHORITY\ANONYMOUS LOGON
Your connection string is using, Integrated Security=True. That means the windows account under which the asp.net thread is processing must have access to the database too.
If you want to pass the the windows credentials used to login to IIS you have to set, Trusted_Connection=Yes.
您的连接字符串正在使用Integrated Security=True. 这意味着正在处理 asp.net 线程的 windows 帐户也必须有权访问数据库。如果要传递用于登录 IIS 的 Windows 凭据,则必须设置Trusted_Connection=Yes.
Refer: How to: Access SQL Server Using Windows Integrated Security
请参阅:如何:使用 Windows 集成安全性访问 SQL Server
I suggest that you take a look at forms authentication, if you plan to expose this webservice on the web, or if you want to make it available to users who are not the same domain as your server.
我建议你看看forms authentication,如果你打算在网络上公开这个 web 服务,或者如果你想让与你的服务器不在同一个域的用户可以使用它。
回答by Mike Pollitt
I found that the issue for me was that in IIS I had Windows Authentication instead of Basic Authentication enabled. As soon as I switched to Basic Authentication, I was able to access the SQL Server under the logged in account.
我发现我的问题是在 IIS 中我启用了 Windows 身份验证而不是基本身份验证。一旦我切换到基本身份验证,我就可以在登录帐户下访问 SQL Server。
In IIS, only Basic Authentication logs users on with a security token that flows across the network to a remote SQL server. By default, other IIS security modes used in conjunction with the identity configuration element settings will not result in a token that can authenticate to a remote SQL Server.
在 IIS 中,只有基本身份验证使用安全令牌登录用户,该令牌通过网络流到远程 SQL 服务器。默认情况下,与标识配置元素设置结合使用的其他 IIS 安全模式不会产生可以对远程 SQL Server 进行身份验证的令牌。
