Validating against a domain from a WPF application on an untrusted domain

2023-09-08 13:28:33 Author: 踏实小伙儿!

I have a WPF application that requires access to an SQL Server 2008 R2 database. The database is secured using active directory. The application runs fine on workstations that are connected to the domain and where the user has successfully logged on.

I now need to be able to run the same application on workstations connected to a different domain. Unfortunately, this new domain is controlled by SBS and as such I cannot set up a trust relationship between them.

Effectively, what I (think I) need is a facility to allow a user to enter credentials that have been set up on the domain hosting the database server (user name and password) and then impersonate that user when connecting to the database server.

I have tried the Microsoft sample using LogonUser, LOGON32_PROVIDER_DEFAULT & LOGON32_LOGON_INTERACTIVE but this does not seem to do what I want - instead complaining that I cannot log on as the workstation I am using does not have a domain account.

Does anybody have any alternative suggestions?
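An added example (not the question's own code, and not the Microsoft sample it refers to) of the LogonUser approach the question describes. LOGON32_LOGON_INTERACTIVE asks Windows to validate the credentials against a domain the workstation cannot reach, which is the error seen above. LOGON32_LOGON_NEW_CREDENTIALS (logon type 9, used with LOGON32_PROVIDER_WINNT50) instead clones the caller's token and attaches the supplied credentials for outbound network authentication only, the same mechanism as runas /netonly: nothing is validated locally, and the password is only checked when the SQL connection is opened, where authentication falls back to NTLM because no Kerberos ticket can be obtained for the untrusted domain. The server, database, domain and account names are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example for .NET Framework (WindowsIdentity.Impersonate is not available on .NET Core).
static class CrossDomainSql
{
    // Logon type 9: use the supplied credentials for outbound connections only.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    // Required provider for logon type 9.
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Opens an Integrated Security connection to a SQL Server in another domain using
    // credentials from that domain, without the workstation being a member of it.
    // Returns the number of objects in sys.objects as a simple round-trip check.
    public static int CountObjects(string server, string database,
                                   string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
        {
            // With logon type 9 this only fails for malformed input, not for a bad password.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // The connection must be created and opened inside the impersonation scope;
            // the pool keys Integrated Security connections by the opening identity.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (var conn = new SqlConnection(
                       "Server=" + server + ";Database=" + database + ";Integrated Security=SSPI;"))
            using (var cmd = new SqlCommand("SELECT COUNT(*) FROM sys.objects", conn))
            {
                // A wrong password surfaces here as a login failure, not at LogonUser.
                conn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void Main()
    {
        // Placeholder names; the account must exist in the domain that hosts SQL Server.
        Console.WriteLine(CrossDomainSql.CountObjects(
            "dbhost.dbdomain.local", "Orders", "DBDOMAIN", "alice", "correct horse battery staple"));
    }
}
```

Two practitioner notes. First, the credentials never leave the process in clear text: Integrated Security=SSPI keeps the password out of the connection string, and NTLM sends only a challenge response. Second, the check that the credentials are correct is deferred to conn.Open(), so treat a SqlException from there as an authentication failure and do not cache the token beyond that scope.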

Accepted answer

With your current setup

The database is secured using active directory

I assume you mean that your SQL connection is using Windows authentication. Either way, there's a little more going on than perhaps you realize. If you're using the "active directory" for authentication identities, I'd bet you're relying on Kerberos for Windows authentication (it's not just your authentication type, but also your credential type). The article I've linked explains the difference between Kerberos and NTLM for SQL Server 2005, but it's the same for 2008 R2.

Unfortunately, without the trust relationship between the domains, it does not matter if you successfully impersonate a user in the domain hosting the database, you will not be able to connect (as you're witnessing). You need that trust relationship.

If you do manage to establish a trust relationship between the domains, I've posted how to accomplish cross-domain Windows authentication for SQL Server using domain groups here, which may be useful to you.

An alternative setup

If you don't want to use SQL authentication (I don't like packaging credentials with my applications), I encourage you to separate your database operations into a more service oriented architecture. So the actual SQL work being done would go into a WCF service (that is hosted in the same domain as your database and impersonates the service identity) and your application would simply solicit the service. Then you can use NTLM to secure your web service to still use Windows authentication. This way, you can still verify who the soliciting user is, and rely on your own basic security structures (i.e. simple tables) to authorize usage.

Let me know if this doesn't make sense to you or if you need further clarification.
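An added example (not the answer's own code) of the service-oriented layout the answer proposes: a WCF service hosted in the database's domain under a service account that holds the SQL Server permissions, authenticating the WPF client with NTLM over HTTPS and authorizing the caller from its own permission table before running any SQL. The host name, port, service account, permission names and the in-memory permission table are all assumptions; the table stands in for the "simple tables" the answer describes and would live in the database in practice. Binding an HTTPS certificate to the port (netsh http add sslcert) is a deployment step outside the code.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Contract the WPF client calls instead of connecting to SQL Server itself.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    int CountOrders();
}

// Runs in the database's domain as a service account with rights on the database.
// The service does not impersonate the caller; SQL Server only ever sees the service identity.
public class OrderService : IOrderService
{
    // Constructed sample authorization table (assumed names): caller -> granted permissions.
    static readonly Dictionary<string, HashSet<string>> Permissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { @"DBDOMAIN\alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Orders.Read" } },
        };

    public static bool IsAllowed(string user, string permission)
    {
        HashSet<string> granted;
        return Permissions.TryGetValue(user, out granted) && granted.Contains(permission);
    }

    public int CountOrders()
    {
        // Identity proven by NTLM at the transport layer; this is the caller, not the service account.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (!IsAllowed(caller.Name, "Orders.Read"))
            throw new FaultException("Not authorized for Orders.Read");

        // Windows authentication with the service account's own credentials.
        using (var conn = new SqlConnection("Server=dbhost;Database=Orders;Integrated Security=SSPI;"))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}

public static class Hosting
{
    // NTLM client authentication over TLS. Kerberos is not an option here because the
    // client's domain has no trust with the service's domain.
    public static BasicHttpBinding NtlmBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        return binding;
    }

    // Server side, started inside the database's domain.
    public static ServiceHost StartService()
    {
        var host = new ServiceHost(typeof(OrderService), new Uri("https://dbhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), NtlmBinding(), "");
        host.Open();
        return host;
    }

    // Client side, called from the WPF application on the untrusted domain. The user
    // supplies an account from the database's domain; it is used for NTLM only and is
    // never placed in a connection string or shipped with the application.
    public static int CountOrdersAs(string domain, string user, string password)
    {
        var factory = new ChannelFactory<IOrderService>(NtlmBinding(),
            new EndpointAddress("https://dbhost:8443/orders"));
        factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);

        IOrderService proxy = factory.CreateChannel();
        try
        {
            return proxy.CountOrders();
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

The authorization check runs before any SQL is executed and keys on the NTLM-proven caller name, so adding a user means adding a row to the permission table, not granting that user anything on SQL Server. Keep the binding in Transport mode: with TransportCredentialOnly the NTLM exchange would still be safe, but the request and response bodies would travel over plain HTTP.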

 