2012-07-11 20 views
0

Is it possible to set up Service Broker in SQL Server 2008 with support for certificate-based authentication while the endpoint's AUTHORIZATION is a domain account? That is, a certificate together with a domain account.

For example:

-- Endpoint owned by a domain account, authenticating peers by certificate.
-- ENCRYPTION = SUPPORTED only negotiates encryption if the peer asks for it;
-- RC4 is a weak, deprecated algorithm (AES is the recommended choice).
CREATE ENDPOINT ServiceBrokerEndpoint
    AUTHORIZATION [domain\username]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (
        MESSAGE_FORWARDING = DISABLED,
        MESSAGE_FORWARD_SIZE = 10,
        AUTHENTICATION = CERTIFICATE [CertificateName],
        ENCRYPTION = SUPPORTED ALGORITHM RC4
    );
+0

The AUTHORIZATION clause on an endpoint only specifies who owns the object. It has no implication for the actual Service Broker security. – 2012-07-11 17:39:01

+0

Thanks for the reply (apart from the side effect that, as the object owner, [domain\user] is automatically granted CONNECT permission). Is it possible to create a Service Broker setup where the publisher side has both Windows-based and certificate-based authentication, while the subscribers have only Windows-based authentication? The reason I want to set up Service Broker as above is that we have an existing setup that uses certificates and want to integrate more clients using Windows-based authentication. – Gaurav 2012-07-12 10:20:04

+1

Yes, it is possible. Service Broker authentication supports a mixed mode; just specify *both* modes: `FOR SERVICE_BROKER (AUTHENTICATION = WINDOWS CERTIFICATE [certname])`. Set up like this, it will use Windows with peer endpoints that support only Windows, and certificates with peer endpoints that support only certificates. By the way, this also applies to MIRRORING endpoints. – 2012-07-12 11:39:50

Answer

2

Try this:

-------------------------------------
-- connect to server
-------------------------------------
use master;
go
-- the master key protects the private key of the endpoint certificate
create master key encryption by password = '...';
create certificate [<servername>]
    with subject = '<servername>'
    , start_date = '20100216'
    , expiry_date = '20150216';

create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<servername>]);

-- Export the public key to disk (the private key stays in master;
-- the SQL Server service account needs write access to the share)
backup certificate [<servername>]
to file = '\\someshare\<servername>.cer';

--------------------------------
-- connect to client
--------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<clientname>]
    with subject = '<clientname>'
    , start_date = '20100216'
    , expiry_date = '20150216';

create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<clientname>]);

-- Export the public key to disk
backup certificate [<clientname>]
to file = '\\someshare\<clientname>.cer';

--create an identity for server and import the server's certificate:
-- the login is disabled: it can never log in with the password and exists
-- only so the server's certificate maps to a principal that can be granted CONNECT
create login [<servername>] with password = '...';
alter login [<servername>] disable;
create user [<servername>];

create certificate [<servername>]
    authorization [<servername>]
    from file = '\\someshare\<servername>.cer';

--authorize <servername> to connect on the broker endpoint
grant connect on endpoint::broker to [<servername>];

---------------------------------------
-- connect to the server
---------------------------------------

--create an identity for client and import the client's certificate:
create login [<clientname>] with password = '...';
alter login [<clientname>] disable;
create user [<clientname>];

create certificate [<clientname>]
    authorization [<clientname>]
    from file = '\\someshare\<clientname>.cer';

--authorize <clientname> to connect on the broker endpoint
grant connect on endpoint::broker to [<clientname>];
+0

Thanks for the reply. Is it possible to create a Service Broker setup where the publisher side has both Windows-based and certificate-based authentication, while the subscribers have only Windows-based authentication? The reason I want to set up Service Broker as above is that we have an existing setup that uses certificates and want to integrate more clients using Windows-based authentication. – Gaurav 2012-07-12 10:20:17
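The setup asked about in the follow-up comments (a publisher that accepts both Windows and certificate authentication, subscribers that use Windows only), built on top of the certificate-only procedure in the answer, as an added example that is not part of the original question or answer. The endpoint name BrokerEndpoint, the certificate name PublisherCert, the domain CONTOSO, the service-account names svc-publisher and svc-subscriber, and port 4022 are placeholders assumed for this example; the certificate-side logins and CONNECT grants are the ones the answer already creates and are not repeated here.

```sql
-------------------------------------------------------------------
-- Publisher: one Service Broker endpoint in mixed mode.
-- BrokerEndpoint, PublisherCert and CONTOSO\... are placeholder names.
-------------------------------------------------------------------
USE master;
GO
-- Master key and endpoint certificate, created only if the
-- certificate-only setup has not created them already.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'PublisherCert')
    CREATE CERTIFICATE PublisherCert
        WITH SUBJECT = 'PublisherCert',
             START_DATE = '20120712', EXPIRY_DATE = '20170712';
GO
-- An instance has a single Service Broker endpoint, so the existing
-- certificate-only endpoint (whatever its name) is replaced, not added to.
DECLARE @drop nvarchar(200);
SELECT @drop = N'DROP ENDPOINT ' + QUOTENAME(name) FROM sys.service_broker_endpoints;
IF @drop IS NOT NULL EXEC (@drop);
GO
CREATE ENDPOINT BrokerEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (
        -- WINDOWS first, CERTIFICATE as fallback: a Windows-only peer
        -- authenticates with Kerberos/NTLM, a certificate-only peer with
        -- its certificate, and neither needs to know about the other.
        AUTHENTICATION = WINDOWS CERTIFICATE PublisherCert,
        -- Both sides must agree on an algorithm; AES is set explicitly
        -- on every endpoint because SQL Server 2008 defaults to RC4.
        ENCRYPTION = REQUIRED ALGORITHM AES
    );
GO
-- Windows side: the subscriber instance's service account (or its
-- machine account, CONTOSO\HOST$, if it runs as a built-in account)
-- needs a login and CONNECT on the endpoint. Nothing else is mapped.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-subscriber')
    CREATE LOGIN [CONTOSO\svc-subscriber] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::BrokerEndpoint TO [CONTOSO\svc-subscriber];
GO
-- Certificate side is unchanged: each certificate peer keeps its disabled
-- login, the user owning its imported public certificate, and a
-- GRANT CONNECT ON ENDPOINT::BrokerEndpoint for that login.

-------------------------------------------------------------------
-- Subscriber: Windows-only endpoint. The publisher's service account
-- needs CONNECT here as well, because Broker dialogs flow both ways.
-------------------------------------------------------------------
USE master;
GO
CREATE ENDPOINT BrokerEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (
        AUTHENTICATION = WINDOWS,
        ENCRYPTION = REQUIRED ALGORITHM AES   -- same algorithm as the publisher
    );
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-publisher')
    CREATE LOGIN [CONTOSO\svc-publisher] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::BrokerEndpoint TO [CONTOSO\svc-publisher];
GO
-- Check on either instance: connection_auth_desc shows a Windows method
-- together with CERTIFICATE on the publisher and a Windows method alone
-- on the subscriber; certificate_id is non-zero only on the publisher.
SELECT name, state_desc, connection_auth_desc, certificate_id, encryption_algorithm_desc
FROM sys.service_broker_endpoints;
```

The order in AUTHENTICATION matters: WINDOWS CERTIFICATE tries Windows first and falls back to the certificate, so the existing certificate-only clients keep working with their imported public certificates while new clients only need a domain login with CONNECT. The encryption algorithm is set on both ends on purpose; two endpoints that require encryption but share no algorithm fail the handshake, and the default differs between SQL Server versions.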