1

I performed an installation of Master Data Services on a new SQL Server (Windows 2012 Standard with SQL Server 2014, Enterprise Edition). Initially I used a non-personal AD account during the installation (same for the DB and the web-application), but when then attempting to navigate to localhost/mds, I'd end up on an "unauthorized" page.

I uninstalled MDS, dropped the webapp and database, and reinstalled using my own credentials. No dice.

Searching revealed I needed to ensure that Windows Authentication was enabled for the server as well as the MDS application. I also disabled Anonymous authentication.

Server:

Server authentication

MDS app:

MDS authentication

I also ensured that NTLM was the first provider available, both on server and app level:

Providers

I even assigned my user permission to the path where the MDS app is running (C:\Program Files\Microsoft SQL Server\120\Master Data Services\WebApplication), as well as on the config.web file in that folder.

Obviously IIS has Windows Authentication installed:

enter image description here

I've kind of reached the end of knowing what to do. I'm no IIS expert, and the only error info is literally "Unauthorized". The IIS log is not very helpful either:

2015-07-06 14:19:33 ::1 GET /MDS/ - 80 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 401 2 5 304
2015-07-06 14:19:33 ::1 GET /MDS/ - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 302 0 0 927
2015-07-06 14:19:33 ::1 GET /MDS/Unauthorized.aspx - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 10
2015-07-06 14:21:03 ::1 GET /MDS/ - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 302 0 0 173
2015-07-06 14:21:03 ::1 GET /MDS/Unauthorized.aspx - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 2

I also made sure every role and feature from this list has been configured and installed.

Is there any way for me to get my hands on more information somehow? "Access is denied" doesn't give me much to work with, and the IIS log is also not very helpful.

I'm not IIS expert, and am guessing that's where the issue actually is, I'd just not know where to look.

And info would be greatly appreciated.

Thanks!

4

1 回答 1

1

事实证明,MDS 在我的 AD 用户名之后以某种方式附加了一个“$”。所以SchmitzIT不知何故变成了 SchmitzIT$

我们在深入研究mdm.tbluser表格时发现这是问题所在。其中包含的 sid 与 sys.syslogins 中的 SID 不同。

如果要验证用户是否正确,请使用以下代码段:

SELECT 'S-1-5-21-' 
+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,13,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,17,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,21,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,25,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
, *
FROM sys.syslogins

然后,我们从 sys.syslogins 中为我的用户帐户获取正确的值,并手动更改 mdm.tblUser 表以反映正确的 sid 和用户名。

于 2015-07-09T12:06:29.307 回答