6

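We are using pstrami to run our deployment scripts. Part of the deployment is executing database migrations. The migrations use a connection string with integrated security.

When the script executes on the remote machine, the migration fails with a SQL error saying login failed for user "NT AUTHORITY\ANONYMOUS LOGON".

The person executing the script is a domain administrator. The other deployments we run execute the remote scripts as the user who started the process.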

4

3 Answers

16

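The problem is that the credentials are not hopping to SQL Server for integrated security. You need to do the following:

On the server (the one that is making the SQL Server connection), run as administrator:

Enable-WSManCredSSP -Role server

On the client machine, run as administrator:

Enable-WSManCredSSP -Role client -DelegateComputer YOUR_SERVER_NAME

To open this up to all servers, you can run:

Enable-WSManCredSSP -Role client -DelegateComputer *

Finally, make sure your invoke-command call runs with -authentication credssp. An example: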

invoke-command -computername $remoteServer -authentication credssp -scriptblock { write-host "hello!" } -credential $credentials
Answered 2013-02-08T20:10:36.167
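
An added example, not part of the answer above: a PowerShell sketch that lists the CredSSP delegation targets a client has configured, flags wildcard entries such as the `-DelegateComputer *` form, and runs one remote call with delegation scoped to a single server. It assumes the delegation list is stored under the `CredentialsDelegation` policy key shown in the code; the function names and sample values are hypothetical.

```powershell
# Added example, not from the answer. Run elevated on the client (deploying) machine.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-CredSspDelegationTarget {
    # One object per SPN this client may delegate fresh credentials to.
    # -Spn lets you pass constructed values instead of reading the registry.
    param([string[]]$Spn)
    if (-not $Spn) {
        $Spn = @()
        if (Test-Path $DelegationKey) {
            $key = Get-Item -Path $DelegationKey
            $Spn = @($key.Property | ForEach-Object { $key.GetValue($_) })
        }
    }
    foreach ($s in $Spn) {
        [pscustomobject]@{ Spn = $s; Wildcard = $s.Contains('*') }
    }
}

function Invoke-WithScopedCredSsp {
    # Delegates to one named server for the duration of one call, then turns
    # client-side CredSSP off again. Note: Disable-WSManCredSSP removes ALL
    # client delegation entries, including any that existed before the call.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force | Out-Null
    try {
        Invoke-Command -ComputerName $ComputerName -Authentication Credssp `
            -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        Disable-WSManCredSSP -Role Client
    }
}

# Constructed sample values, shaped like the entries the two client commands store.
Get-CredSspDelegationTarget -Spn 'wsman/YOUR_SERVER_NAME', 'wsman/*' |
    Where-Object Wildcard |
    ForEach-Object { Write-Warning "Unscoped CredSSP delegation: $($_.Spn)" }
```

The target still needs `Enable-WSManCredSSP -Role server` run on it beforehand, as in the answer.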
2

This is the scenario:
You run the pstrami (deployment) script from desktopA. The script pushes your installation files to serverA. Then on serverA the scripts are run remotely as the person initiating the script from desktopA. One of the steps is to run a SQL database update with fluentmigrator using a connection string parameter using "integrated security", and the database is on serverB.

Connection string example:

$migration_db_connection = "Data Source=serverB;Initial Catalog=PropertyDb;Integrated Security=SSPI;"
.\migrate.exe /conn "$migration_db_connection" /db SqlServer /a $migration_assembly /profile DEBUG

Pstrami uses the powershell command invoke-command which uses the account you are running the script under as the default user. So, what happens is that when you run the script from desktopA as "jonDoe" it then authenticates on serverA. So your pstrami scripts run under "jonDoe" on serverA. When you execute the fluentmigrator script on serverA as "jonDoe", fluentmigrator returns an error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and certain fairly common situations occur. When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a Windows security measure kicks in and doesn't allow your site to access resources on any network servers. (http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx)

This is how I got around the Windows Authentication and the Double Hop problem I ran into. Run your migration scripts directly on your sql database server and include it as a server target in your pstrami environments.

Example:

Environment "dev" -servers @(
    Server "serverA" @("InstallWeb") 
    Server "serverB" @("RunMigrations")
    ) 

More on Double Hop

Answered 2012-08-27T20:39:42.757
0

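I am unable to comment on your question, so I am posting this as an answer. I will update it later.

This might be because SQL Server does not have a login account for your Windows login account. If that is the issue, please add the logged-in user to SQL Server on the remote computer.

If this is already resolved, then you may choose to grant privileges as DB_Owner to "NT AUTHORITY\ANONYMOUS LOGON" on SQL Server as well as on the specific database you are using.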

Answered 2012-06-04T11:44:40.937