我正在尝试连接到企业网络上的Microsoft SQL Server数据库,该数据库仅限于Windows身份验证。我已经配置了Kerberos, Kerberos确实成功地发出了一个票据,我可以在票据查看器中验证该票据是否有效。但是当我尝试在Azure Data Studio中连接,并选择"Windows身份验证"时,我得到的消息是"由于Kerberos错误,连接失败"。
我的krb5.conf位于~/etc/krb5.conf,我遵循了这里的配置说明。
在连接到网络的Windows机器上,当我运行setspn -L DATABASENAME时,显示:
Registered ServicePrincipalNames for CN=DATABASENAME,OU=Servers,OU=Data Center,DC=companyname,DC=com:
MSServerClusterMgmtAPI/DATABASENAME
MSServerClusterMgmtAPI/DATABASENAME.companyname.com
WSMAN/DATABASENAME
WSMAN/DATABASENAME.companyname.com
TERMSRV/DATABASENAME
TERMSRV/DATABASENAME.companyname.com
RestrictedKrbHost/DATABASENAME
HOST/DATABASENAME
RestrictedKrbHost/DATABASENAME.companyname.com
HOST/DATABASENAME.companyname.com
当我运行nslookup -type=srv _kerberos._tcp.companyname.com时,显示:
Server: UnKnown
Address: xx.x.x.163
Non-authoritative answer:
_kerberos._tcp.companyname.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dcname01.companyname.com
_kerberos._tcp.companyname.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dcname02.companyname.com
_kerberos._tcp.companyname.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dcname03.companyname.com
_kerberos._tcp.companyname.com SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dcname04.companyname.com
dcname01.comapnyname.com internet address = xx.x.x.47
dcname02.companyname.com internet address = xx.x.x.8
dcname03.companyname.com internet address = xx.xx.x.11
dcname04.companyname.com internet address = xx.xx.x.10
我配置krb5.conf文件的方式是:
[libdefaults]
default_realm = COMPANYNAME.COM
[realms]
COMPANYNAME.COM = {
kdc = dcname01.companyname.com
kdc = dcname02.companyname.com
kdc = dcname03.companyname.com
kdc = dcname04.companyname.com
}
我已经为krb5.conf尝试了许多不同的配置,包括不同格式的不同k/v对的包含和省略,但我所尝试的都没有成功。我也尝试过通过自制重新安装krb5。
我使用的是英特尔Mac电脑在macOS 12.3.1.
是什么导致Azure Data Studio不承认我的Kerberos票据?
您需要添加主机文件服务器的IP地址和服务器的全名(带有域,例如"sqlserver.yourdomain.com")