我在基于令牌的数据库身份验证工作时遇到问题。使用 Active Directory 密码连接可以正常工作,但是当使用令牌连接时,我收到以下错误:
用户“NT AUTHORITY\ANONYMOUS LOGON”登录失败。
这个问题已经讨论过了在 Stack Overflow 上 https://stackoverflow.com/questions/47506897/sql-aad-token-based-authentication-login-failed-for-user-nt-authority-anonymo and 在 MSDN 上 https://social.msdn.microsoft.com/Forums/vstudio/en-US/650cd289-ec7c-4108-a608-6476c4e97291/connecting-to-azure-sql-using-aad-access-token?forum=ssdsgetstarted,但没有可用的解决方案。这篇博文 https://blogs.msdn.microsoft.com/sqlsecurity/2015/09/28/examples-of-some-connection-errors-for-azure-active-directory-authentication/表明用户权限有问题,但相当模糊。
配置
获取token成功,方法如下:
static async Task<string> GetAccessToken()
{
var certificateSDN = "redacted";
var tenantId = "redacted";
var clientId = "redacted";
var resource = "https://database.windows.net";
X509Certificate2 certificate;
using (var certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certificateStore.Open(OpenFlags.ReadOnly);
certificate = certificateStore.Certificates
.Find(X509FindType.FindBySubjectDistinguishedName, certificateSDN, false)
[0];
}
var authenticationContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
var clientAssertionCertificate = new ClientAssertionCertificate(clientId, certificate);
var authenticationResult = await authenticationContext.AcquireTokenAsync(resource, clientAssertionCertificate);
return authenticationResult.AccessToken;
}
连接到数据库是这样完成的:
var connectionStringBuilder = new SqlConnectionStringBuilder()
{
DataSource = "redacted.database.windows.net",
InitialCatalog = "redacted",
};
using (var sqlConnection = new SqlConnection(connectionStringBuilder.ConnectionString))
{
sqlConnection.AccessToken = accessToken;
sqlConnection.Open();
}
调用时出现错误sqlConnection.Open()
.
The clientId
与应用程序注册的应用程序 ID 匹配。我在数据库中创建了一个用户,与应用程序注册的名称匹配,并使用以下查询:
create user [redacted] from external provider
go
exec sp_addrolemember N'db_datareader', N'redacted'
exec sp_addrolemember N'db_datawriter', N'redacted'
诊断
通过以下查询,我检查用户是否具有角色并有权连接到数据库:
declare @user nvarchar(max);
set @user = 'redacted'
select
u.name
,r.name
from
sys.database_role_members as m
inner join sys.database_principals as r on m.role_principal_id = r.principal_id
inner join sys.database_principals as u on u.principal_id = m.member_principal_id
where
u.name = @user;
select
class_desc
,major_id
,permission_name
,state_desc
from
sys.database_permissions
where
grantee_principal_id = user_id(@user);
这是输出:
redacted db_datareader
redacted db_datawriter
DATABASE 0 CONNECT GRANT
尝试使用虚假令牌连接会出现相同的错误。所以我不知道是我的token有问题,还是数据库配置有问题。我还可以执行哪些其他诊断来找出此问题的原因?