douliang4858
2010-04-22 06:35
浏览 72
已采纳

连接到需要通过代理进行Windows身份验证的防火墙MS-SQL服务器?

So I need to connect to a mssql server via Windows Authentication from a Unix server. Here are the obstacles:

  1. The db admin created a service account but made it Windows-Auth only, meaning I can't pass the username and password directly to the server to connect.

  2. The admin also added my host's server to the firewall so that it would only accept requests from my host machine.

  3. My host server has mssql enabled via freetds/sybase-dblib, but has the default 'secure-connections: Off' still set.

  4. I have a similar set up on my personal machine, but with secure-connections on, but I can't connect that way since I'm firewalled.

So I'm wondering if it's possible to set up a proxy of sorts on my host so that I can start the connection on my personal machine using my local freeTDS library, but have the request pass to the host which would (in my dream world) not require secure connections to be on but simply would pass the request along so that it came from my non-firewalled host but using the correct authentication method.

If anyone is not familiar with how Windows-Authentication works, it's a type of Kerberos authentication where the client machine makes the request to the remote server so that credentials are never actually sent (and thus can't be compromised by a man-in-the-middle). So I'm very doubtful that this can be done, since at some level my host machine has to do the actual work. But i thought I'd ask since I'm not totally clear on the deeper mechanics and because I really want to get this to happen.

I guess another way of looking at it is I want to use my host as a kind of VPN.

Also, I am working with my host admins to find a more long-term solution but I need to see the database as soon as possible so I can have something working when the problem gets fixed.

图片转代码服务由CSDN问答提供 功能建议

所以我需要从Unix服务器通过Windows身份验证连接到mssql服务器。 以下是障碍:

  1. 数据库管理员创建了一个服务帐户,但只使用了Windows-Auth,这意味着我无法直接传递用户名和密码 管理员还将我的主机服务器添加到防火墙,以便它只接受来自我的主机的请求。

  2. 我的主机服务器通过freetds / sybase-dblib启用了mssql,但默认设置为“secure-connections:Off”。

  3. 我的个人计算机上有类似的设置,但是安装了连接,但由于我已经防火墙,我无法连接。 \ n

    所以我想知道是否可以在我的主机上设置各种代理,以便我可以使用我的本地freeTDS库在我的个人计算机上启动连接,但请求传递给主机 将(在我的梦想世界中)不需要安全连接,但只是将请求传递给我,以便它来自我的非防火墙主机,但使用 正确的身份验证方法。

    如果有人不熟悉Windows身份验证的工作原理,那么它就是一种Kerberos身份验证,其中客户端计算机向远程服务器发出请求,因此凭据永远不会 发送(因此不能被中间人妥协)。 所以我很怀疑这可以做到,因为在某种程度上我的主机必须做实际的工作。 但我想我会问,因为我不太清楚更深层的机制,因为我真的想让这件事发生。

    我想另一种看待它的方式是我 我希望将我的主机用作一种VPN。

    此外,我正在与我的主机管理员一起寻找更长期的解决方案,但我需要尽快看到数据库 所以当问题得到解决时我可以有所作为。

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • duanhuangyun3887 2010-04-22 07:24
    已采纳

    Why don't you try SSH port forwarding? Ie. you connect to your host server, and tell it to forward a local port to the sql server. Then you connect on your local machine using localhost:port and your connection will be tunneled over ssh through your host server.

    If your local machine is a Windows machine then just download PuTTY and follow these instructions to set up port forwarding : http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html.

    The question is of course whether your Windows credentials will be passed, but in theory this should work :p.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题