This article describes how to use Kerberos authentication with Microsoft SQL Server 2000 running on Microsoft Windows 2000 or on Microsoft Windows Server 2003. With Microsoft Windows 2000 Service Pack 3 (SP3) or Windows Server 2003, Kerberos authentication is also supported on server clusters.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
235529 (http://support.microsoft.com/kb/235529/) Kerberos support on Windows 2000-based server clusters
Note: To use this functionality, you must be running Windows 2000 SP3 or Windows Server 2003.
SQL Server 2000 ?? ?? ??????????? ?? ????? ???? ?? failover clustering. ?? ??????? ??? ??? ?? Windows 2000-?????? ??????? ?? ?????? SQL ????? ?? ?????? ??, ????? ?? ???? ??? Kerberos ?????????? ?????? ?? ???? ???????? ?? ??? ???????? ?? Windows 2000 SP3 ?? Windows Server 2003 ?? ???? SQL ????? ??????? ???? ?? ??? clustering, failover ?????? ??????? ??????? ???? ?? ???? Microsoft SQL Server 2000 ??????????? ??????? ?????? ???
???:????????? ?? ????? ?? ???? ??? SQL Server 2000 ?? ??? ???? ???? ?? ?? ???? ???? ?? ??? SQL Server 2005? SQL ????? 2005 ??? ?? ???? ?? ???? ??? ???? ??????? ?? ??? SQL Server 2005 ???????? ?????? ??? ????? ???? ?????:
- ????: SQL ????? ?? ????? ????????? ??????? ????? ???? Kerberos ?????????? ????? ????
- ???? ?? ????? ??? ?? ??????
For more information about Kerberos authentication in SQL Server 2005, click the following article number to view the article in the Microsoft Knowledge Base:
909801 (http://support.microsoft.com/kb/909801/) How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005
????????? ???? ?? ?? ????? ?? ??? Kerberos ?????????? ?? ?? ???? SQL Server 2005 ?? ?? ?????? ?? ??? ?????? ??????? ????? ?? ??? ???? ????
SQL ????? ????? ????????? ?? ??? ???????? ?????????? ?? ????? ?? ???? ???? SQL ????? ?? ??? ??????-???? ???????? ?? ??? ?? ?????????? SQL ????? ?? ??? ??????? ????? ?? ?? ??? ?? ??? ?? ???????? ?????????? ?? ????? ?? ?????
Microsoft ??????? ????? ???? ?? ??? ????? ?? ?????? ?? ?? SQL Server 2000 ?? ??? ??? Kerberos ??????? ?????
This article describes how to configure Microsoft Internet Information Services (IIS) to use Kerberos when it connects to SQL Server.
Note: Before you start the following procedure, download the Kerbtray and SetSPN utilities.
To download the Kerbtray utility, visit the following Microsoft Web site:
Kerbtray.exe is a utility that you can use to view and purge (delete) the Kerberos tickets that are held on the local computer.
To download the SetSPN utility, visit the following Microsoft Web site:
????? ????????? ?????? ???? ?? ???? ?? ?? ????? ???? IIS ????? ?? ?????? ?? Kerberos ?????????? SQL ????? ?? ??? ?? ?? ???? ????? ?? ??????? ?? ??? ????? ???? ?? ?? ?????? ?????
Step 1: Configure the domain controller
On the domain controller, in Active Directory Users and Computers:
- Trust the middle-tier computer (the IIS Services server) for delegation: right-click the computer account, click Properties, and then select Trust computer for delegation. If SQL Server itself acts as a middle tier (for example, when it accesses another server on behalf of the client), the SQL Server computer must also be trusted for delegation; every intermediary in the chain must be trusted for delegation.
- If the SQL Server service runs under a domain user account rather than under the Local System account, configure that account as follows:
- In the Users container, right-click the user account, and then click Properties.
- In the user account Properties dialog box, click the Account tab.
- Under Account options, click to select the Account is trusted for delegation check box. Make sure that the Account is sensitive and cannot be delegated check box is not selected.
Note: When SQL Server itself accesses remote resources (for example, a linked server) by using Windows authentication, that is an additional hop, and the Trust computer for delegation setting must also be set on the SQL Server computer.
???:???? Windows 2000 ????? ?? ??? ?? ????? ?? ???? ????? ??? ?? Windows Server 2003 ?? ????? ?? ??? ???, ?? ????? Microsoft ?????? ??????? (MSDN) ??? ???? ?? ????: - ?????? ???? ?? ??? Kerbtray.exe ?????? ?? ????? ?? Kerberos ???? ????? ???????? ?? ????? ?? ??????? ??? ??:
- Right-click the Kerbtray icon in the notification area, and then click Purge Tickets.
- Wait for the green Kerbtray icon to change to yellow. As soon as this occurs, open a command prompt window and run the following command:
net session * /d
This drops the existing sessions and forces a new session to be established and a Kerberos ticket to be received.
Step 2: Configure the IIS Services server
- Create an .asp file in the Wwwroot directory of the IIS Services server. Use the script from the "Sample ASP script to test connectivity to SQL Server" section of this article, and name the file Default.asp.
- ?????? Windows ?? ????? ???? ?? ??? ??? ????? re-CONFIGURE ???? ???????:
- ??????? ??? ????? ?? ????-????? ????, ?? ???? ??? ??????? ??????? ????? ?????
- ??????? ??????? ??? ??? ???????? ????, ?? ?? ??? ???? ?? ??? ????? ???????? ?????.
- Run the following command:
cscript C:\Inetpub\Adminscripts\adsutil.vbs get w3svc/NTAuthenticationProviders
If Negotiate is enabled, the following is returned:
NTAuthenticationProviders : (STRING) Negotiate,NTLM
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
215383 (http://support.microsoft.com/kb/215383/) How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
Note: You must install Microsoft Data Access Components (MDAC) 2.6, or later, on the IIS Services server. To do so (and to make the tools available for testing), install the SQL Server 2000 client tools on the Web server. To install only MDAC 2.6, or later (without installing the client tools), visit the following Microsoft Web site:
- IIS is a common middle tier system. However, IIS is not the only middle tier system. If IIS is not the middle tier system in your environment, follow the appropriate steps for your middle tier system.
- Verify that the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\DSQUERY value is present in the registry. If the value is not displayed, add it as DSQUERY:Reg_SZ:DBNETLIB.
- Use the Kerbtray.exe utility to verify that Kerberos tickets were received from the domain controller and host:
- Right-click the Kerbtray icon in the notification area, and then click Purge Tickets.
- Wait for the green Kerbtray icon to change from green to yellow. As soon as this occurs, open a command prompt window and run this command:
net session * /d
This will drop the existing sessions and force a new session to be established and a Kerberos ticket received.
Step 3: Configure the SQL Server service to create SPNs dynamically
To do this, the account that runs the SQL Server service must have the following access control settings in Active Directory:
- Read servicePrincipalName
- Write servicePrincipalName
Warning: If you use the Active Directory Service Interfaces (ADSI) Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows 2000 Server or Microsoft Windows Server 2003, Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- ?? ??? ?? ???? ????? ???? ????? ?????????? ?? ??? ???? ???????? ??? ??, ?? ???? ????? ?????????? ?? ???? ????????? ?? SQL Server ????????? ???? ?? ??? ??????? ?????????? ?????? ???? ????? ???? ?????
To configure the SQL Server service so that it creates SPNs dynamically when it starts, follow these steps:
- Click Start, click Run, type Adsiedit.msc, and then click OK.
Note: ADSI Edit is included in the Windows Support Tools. To download the Windows Support Tools, visit the following Microsoft Web site:
- In the ADSI Edit snap-in, expand Domain [DomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=AccountName, and then click Properties.
Note: DomainName is a placeholder for the name of the domain.
- RootDomainName is a placeholder for the name of the root domain.
- AccountName is a placeholder for the account that you specify to start the SQL Server service.
- If you use the Local System account to start the SQL Server service, AccountName is a placeholder for the account that you use to log on to Microsoft Windows.
- If you use a domain user account to start the SQL Server service, AccountName is a placeholder for the domain user account.
- In the CN=AccountName Properties dialog box, click the Security tab.
- On the Security tab, click Advanced.
- In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries. If SELF is not listed, click Add, and then add SELF.
- Under Permission entries, click SELF, and then click Edit.
- In the Permission Entry dialog box, click the Properties tab.
- On the Properties tab, click This object only in the Apply onto list, and then make sure that the check boxes for the following permissions are selected under Permissions:
- Read servicePrincipalName
- Write servicePrincipalName
- Click OK three times.
???:?? ????????? ?? ??? ??? ?? ??? ?????? ?????????? ?????? ?????? ?? ?????? ????, ?? ?? Microsoft ???????? ???? mention.
Note: To verify that the SELF account has permission to write the ServicePrincipalName attribute, use the Dsacls tool. The syntax for dsacls is: dsacls <distinguished_Name_of_service_account>
If the SELF account has the required permission on ServicePrincipalName, the output includes the following line:
Allow NT Authority\SELF SPECIAL ACCESS for Validated Write to Service principal name
WRITE PROPERTY
Dsacls ????? ?? ?????? ????? ?? ??? ??? - ?????CN =AccountName???????? ????? ???, ????? ??????????? ??????.
- ?? ????????????????????? ????,servicePrincipalName?????????????????, ?? ???? ?????????.
- ????????-??? ???????? ??????????? ????? ???, ?? SQL ????? ???? ???? ?? ????? ???? ???? SQL ????? ?? ?????? ?? ??? ???? principle ??? (SPNs) ?? ????????
???????:?? ?? ??????? ??? ????? ?? ??? ??? ?? SQL ????? ?? ?????? ?? ??? ???? SPNs ????? ?????? ???? ?????????? SQL Server ?? ???? ?? ?? ???? ?? ????? ???? ??? ?? ??????? ?? ?????????? ?? ???? ??? ?? ?? ?? ?????????? ??????? SPNs ??????? ??? ????? ?????? - ADSI ?????? ?????-?? ?? ???? ???????
?? ????? ????? ?? ???? ???? ?? ??? SPN ???????? ??? ?? eliminated ??? TCP/IP ????? ?? SQL Server 2005 ?? ?? ??????? ?? ??? ?? SQL Server 2005 ??? ?? ?????? ???????????? ?? ??? ????? ??? ????? ????
Step 4: Configure the client computer
- On the client computer, make sure that Microsoft Internet Explorer is configured to use Windows authentication:
- In Internet Explorer, on the Tools menu, click Internet Options.
- Click the Advanced tab.
- Under Security, make sure that the Enable Integrated Windows Authentication (requires restart) check box is selected, and then click OK.
Step 5: Test the configuration
To test the configuration, follow these steps:
- ???????? ?? ??? ?? ????, ?? ???? ??? ?????? ???? ?? ???????? ??????? ?? ???? ????? Kerberos ???? ???? ????? ???????? ?? ???? ?? ??? Kerbtray.exe ?? ????? ?????
- ???????? ?? ??? ???? ??????? ?? ??? Kerbtray.exe ?? ????? ?????
- ????? ?? SQL ???? ?? ?? ??? ??? ?? ??? ?????? ????? ?????
Note: Replace SQLSERVERNAME with the name of the SQL Server.
- If everything is working correctly, the authentication type reported by the script is Negotiate, and the list of databases returned by sp_helpdb on the SQL Server appears in the output of the .asp script.
- ??? ???? ??? ??????? ???? SQL ????? ???, ????????? ??? ??? ?? ??????? ?? ??????? "?????????" ???
Sample ASP script to test connectivity to SQL Server
The following ASP script tests connectivity to SQL Server. SQLSERVERNAME is a placeholder for the name of the SQL Server.
<%@ Language=VBScript %>
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY>
<%="'auth_user' is" & request.servervariables("auth_user")%>
<P>
<%="'auth_type' is" & request.servervariables("auth_type")%>
<P>
Connection string is <B>Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=SQLSERVERNAME</B>
<P>
<%
set rs = Server.CreateObject("ADODB.Recordset")
set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=SQLSERVERNAME"
rs.open "MASTER..sp_helpdb",cn
Response.Write CStr(rs.Fields.Count) & "<BR>"
while not rs.EOF
Response.Write CStr(rs(0)) & "<BR>"
rs.MoveNext
wend
rs.Close
cn.Close
set rs = nothing ' Frees memory reserved by the recordset.
set cn = nothing ' Frees memory reserved by the connection.
%>
</BODY>
</HTML>
How to determine whether the service account is using a service principal name
To determine whether the service account is using a service principal name (SPN), you can use the Ldifde tool, as in the following example.
betaland is the NetBIOS name of the domain.
NewoutputUsers.txt is the output file. The following command lists the servicePrincipalName attribute of every account in the Users container of the domain:
ldifde -d "CN=Users,DC=betaland" -l servicePrincipalName -F NewoutputUsers.txt
The output file NewoutputUsers.txt looks like the sample in the "Sample output of NewouputUsers.txt" section later in this article.
This output can be overwhelming if the domain has many users. To narrow the information that is gathered to the service account only, use the following syntax.
In this example, the service account is in the betaland domain (replace the placeholder with the account name):
ldifde -d "CN=<service account name>,DC=betaland" -l servicePrincipalName -F NewoutputUsers.txt
???? ????? ?????????? ?? ??? ??????? ?? ?? ??????? ?? ?????? ?? ??? ?????? ???? ?? ???? ??? ??? ?? ?? ???? ????? ?? ??? ??????? ????? ????, ????? ??? question ?? ??????? ?????????? ??? ?? ??? ?????? ?????? ????? ??? ?? ?????:
- ???????????? ?? ?? ????? ??, ????? ?? ??????? ???? ?? ?? ???? ??? ?? ?????? ?????????? ????? ?? ??? ???
- "???????????????????? ?? ???"?? ???? ??? ?? ????? ????? SPN ????? ??????? ???
??? ??, ?? ?????? ?????????? ???? ?? ????? ?? ???? ??? ?? ????? ???? ?? ?????? ?????????? ???????????? ?? ??? ???? ?? ??? ??????? (ADSI) ??????
Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Sample output of NewouputUsers.txt
dn: CN=User Name,CN=Users,DC=betaland
changetype: add
servicePrincipalName: MSSQLSvc/CLUSTERDEFAULT.betaland:1257
servicePrincipalName: MSSQLSvc/INST3.betaland:3616
servicePrincipalName: MSSQLSvc/INST2.betaland:3490
servicePrincipalName: MSSQLSvc/SQLMAN.betaland:1433
servicePrincipalName: MSSQLSvc/VSS1.betaland:1433
servicePrincipalName: MSSQLSvc/INST1.betaland:2536
servicePrincipalName: MSSQLSvc/INST4.betaland:3967
servicePrincipalName: MSSQLSvc/SQLVIRTUAL1.betaland:1434
servicePrincipalName: MSSQLSvc/SQLVIRTUAL.betaland:1433
servicePrincipalName: MSSQLSvc/SQLBUSTER.betaland:1315
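An ldifde dump like the one above can be checked mechanically for the two conditions this section cares about: an instance whose MSSQLSvc/host:port SPN nobody registered (clients then fall back to NTLM or fail), and one SPN registered on more than one account (Kerberos authentication to that service fails). The following Python is an added example, not part of the original article; the LDIF text it parses is constructed to match the format shown above, and the instance list is an assumed input.

```python
"""Audit MSSQLSvc SPNs in an ldifde dump (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed sample in the format of the NewoutputUsers.txt dump shown above;
# the second account deliberately duplicates the SQLMAN SPN.
SAMPLE_LDIF = """\
dn: CN=User Name,CN=Users,DC=betaland
changetype: add
servicePrincipalName: MSSQLSvc/SQLMAN.betaland:1433
servicePrincipalName: MSSQLSvc/INST1.betaland:2536

dn: CN=Other Account,CN=Users,DC=betaland
changetype: add
servicePrincipalName: MSSQLSvc/SQLMAN.betaland:1433
"""

# SQL Server SPN shape used throughout the article: MSSQLSvc/<FQDN>:<port>
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/]+):(?P<port>\d+)$", re.IGNORECASE)


def parse_ldif_spns(text):
    """Return {spn (lowercased): [account DNs that carry it]} for MSSQLSvc SPNs."""
    holders = defaultdict(list)
    dn = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("serviceprincipalname:") and dn:
            spn = line.split(":", 1)[1].strip()
            if SPN_RE.match(spn):  # base64 ("::") or non-SQL SPNs are skipped
                holders[spn.lower()].append(dn)
    return holders


def expected_spn(host_fqdn, port):
    """SPN the SQL Server service should register for one host/port pair."""
    return f"MSSQLSvc/{host_fqdn}:{port}".lower()


def audit_spns(ldif_text, instances):
    """instances: [(fqdn, port)] for each SQL Server instance that should be reachable.
    Returns (missing, duplicated): SPNs nobody registered, and SPNs held by
    more than one account."""
    holders = parse_ldif_spns(ldif_text)
    missing = [expected_spn(h, p) for h, p in instances
               if expected_spn(h, p) not in holders]
    duplicated = {spn: dns for spn, dns in holders.items() if len(set(dns)) > 1}
    return missing, duplicated


if __name__ == "__main__":
    missing, dup = audit_spns(SAMPLE_LDIF, [("SQLMAN.betaland", 1433),
                                            ("INST2.betaland", 3490)])
    print("missing:", missing)
    print("duplicated:", dup)
```

Run it against the real NewoutputUsers.txt by reading the file into audit_spns together with the host/port pairs your instances listen on.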
??????? ???? ???????? ?? ???? ??? ???? ??????? ?? ??? SQL Server ???????? ?????? ??? "??????? ???? ????????" ???? ?? ??????
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
262177 (http://support.microsoft.com/kb/262177/) How to enable Kerberos event logging
321708 (http://support.microsoft.com/kb/321708/) How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
326985 (http://support.microsoft.com/kb/326985/) How to troubleshoot Kerberos-related issues in IIS
244474 (http://support.microsoft.com/kb/244474/) How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000