如何确定身份验证类型是否为 Kerberos

本文提供分步说明，帮助你确定连接到 Microsoft SQL Server 时使用的身份验证类型。 请确保在客户端计算机上运行步骤，而不是在安装了要测试的 SQL Server 实例的服务器上运行这些步骤。 否则，即使正确配置了 Kerberos，输出中的 auth_scheme 值也始终为 NTLM。 之所以发生这种情况，是因为在 Windows 2008 中添加了每服务 SID 安全强化功能。 无论 Kerberos 是否可用，此功能都会强制所有本地连接使用 NTLM。

使用 SQL Server Management Studio

1. 打开 SQL Server Management Studio 并连接到 SQL Server 实例。

2. 运行以下查询：

   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID
   

3. 或者，若要检索其他连接详细信息，请运行以下查询：

   SELECT c.session_id, c.net_transport, c.encrypt_option,
          c.auth_scheme, s.host_name, @@SERVERNAME AS "remote_name",
          s.program_name, s.client_interface_name, s.login_name,
          s.nt_domain, s.nt_user_name, s.original_login_name,
          c.connect_time, s.login_time
   FROM sys.dm_exec_connections AS c
   JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
   WHERE c.session_id = @@SPID
   

4. 查看结果中的 auth_scheme 列以确定身份验证类型。

使用命令行

1. 打开命令提示符。

2. 运行以下命令，将 <ServerName> 替换为您的服务器名称：

   sqlcmd -S <ServerName> -E -Q "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
   

3. 类似于以下输出的结果将指示身份验证类型：

   auth_scheme
   ----------------------------------------
   NTLM
   
   (1 rows affected)
   

使用 VBScript

1. 将以下 VBScript 代码复制到文本编辑器（如记事本）中，并将其另存为 getAuthScheme.vbs：

   ' Auth scheme VB script.
   ' Run on a client machine, not the server.
   ' If you run locally, you will always get NTLM even if Kerberos is properly enabled.
   '
   ' USAGE:  CSCRIPT getAuthScheme.vbs tcp:SQLProd01.contoso.com,1433   ' explicitly specify DNS suffix, protocol, and port # ('tcp' must be lower case)
   ' USAGE:  CSCRIPT getAuthScheme.vbs SQLProd01                        ' let the driver figure out the DNS suffix, protocol, and port #
   '
   Dim cn, rs, s
   s = WScript.Arguments.Item(0)              ' get the server name from the command-line
   Set cn = createobject("adodb.connection")
   '
   ' Various connection strings depending on the driver/Provider installed on your machine
   ' SQLOLEDB is selected as it is on all windows machines, but may have limitations, such as lack of TLS 1.2 support
   ' Choose a newer provider or driver if you have it installed.
   '
   cn.open "Provider=SQLOLEDB;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"          ' On all Windows machines
   'cn.open "Provider=SQLNCLI11;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"        ' Newer
   'cn.open "Provider=MSOLEDBSQL;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"       ' Latest, good for SQL 2012 and newer
   'cn.open "Driver={ODBC Driver 17 for SQL Server};Server=" & s & ";Database=master;Trusted_Connection=Yes"  ' Latest
   '
   ' Run the query and display the results
   '
   set rs = cn.Execute("SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID")
   WScript.Echo "Auth scheme: " & rs(0)
   rs.close
   cn.close
   

2. 在命令提示符中运行以下命令，并将 <ServerName> 替换为您的服务器名称：

   cscript getAuthScheme.vbs <ServerName>
   

3. 类似于以下输出的结果将指示身份验证类型：

   Microsoft (R) Windows Script Host Version 5.812
   Copyright (C) Microsoft Corporation. All rights reserved.
   Auth scheme: NTLM
   

使用 Windows PowerShell

可以使用 Windows PowerShell 测试 SqlClient .NET 提供程序，以尝试将问题与应用程序隔离开来：

1. 将以下 PowerShell 脚本复制到文本编辑器（如记事本）中，并将其另存为 get-SqlAuthScheme.ps1。

   #-------------------------------
   #
   # get-SqlAuthScheme.ps1
   #
   # PowerShell script to test a System.Data.SqlClient database connection
   #
   # USAGE: 
   #   .\get-SqlAuthScheme tcp:SQLProd01.contoso.com,1433   # Explicitly specify DNS suffix, protocol, and port ('tcp' must be lowercase)
   #   .\get-SqlAuthScheme SQLProd01                        # Let the driver figure out the DNS suffix, protocol, and port
   #
   #-------------------------------
   # Define a parameter for the server name, defaulting to "localhost" if not provided
   param ([string]$server = "localhost")
   
   # Set the execution policy for the current user to Unrestricted
   Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force
   
   # Build the connection string for the SQL Server connection
   $connstr = "Server=$($server);Database=master;Integrated Security=SSPI"
   
   # Create a new SQL connection object
   $conn = New-Object System.Data.SqlClient.SqlConnection
   $conn.ConnectionString = $connstr
   
   # Record the start time of the operation
   $start = Get-Date
   
   # Open the SQL connection
   $conn.Open()
   
   # Create a new SQL command object
   $cmd = $conn.CreateCommand()
   $cmd.CommandText = "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID" # Query to get the authentication scheme
   
   # Execute the query and retrieve the result
   $dr = $cmd.ExecuteReader()
   $dr.Read() | Out-Null # Read the first row of the result set
   $auth_scheme = $dr.GetString(0) # Get the authentication scheme from the first column
   
   # Close and dispose of the SQL connection
   $conn.Close()
   $conn.Dispose()
   
   # Record the end time of the operation
   $end = Get-Date
   
   # Calculate the elapsed time
   $span = $end - $start
   
   # Output the results
   Write-Output "Elapsed time was $($span.TotalMilliseconds) ms."    # Display the elapsed time in milliseconds
   Write-Output "Auth scheme for $($server): $auth_scheme"   # Display the authentication scheme for the server
   

2. 打开 Windows PowerShell，导航到包含脚本的文件夹，然后运行以下命令：

   .\get-sqlauthscheme <ServerName>  # Replace "<ServerName>" with your server name.
   

3. 类似于以下输出的结果将指示身份验证类型：

   Elapsed time was 0 ms.
   Auth scheme for <ServerName>: NTLM
   

详细信息

• SQL Server 中的一致身份验证问题