如何:設定匿名對話安全性的起始服務 (Transact-SQL)
對於存在遠端服務繫結的服務,SQL Server 會對任何與該服務的交談使用對話安全性。如果裝載目標服務的資料庫不包含與建立對話之使用者對應的使用者,對話會使用匿名安全性。
安全性注意事項 |
---|
僅安裝來自受信任來源的憑證。 |
若要確定起始服務使用對話安全性
從受信任的來源取得遠端資料庫中使用者的憑證。
建立不含登入的使用者。
安裝遠端服務的憑證。在步驟 3 中建立的使用者擁有該憑證。根據預設,憑證可用於 BEGIN DIALOG。
建立可指定使用者和目標服務的遠端服務繫結。對於匿名對話安全性,遠端服務繫結會指定 ANONYMOUS = ON。
範例
此範例會為在目前執行個體中之名為 OrderParts 的服務和遠端執行個體中之名為 SupplierOrders 的服務之間進行的交談,設定匿名對話安全性。
USE AdventureWorks ;
GO
-- Given a certificate for a remote user for the remote service
-- SupplierOrders, create a remote service binding for
-- the service. The remote user will be granted permission
-- to send messages to the local service OrderParts.
-- This example assumes that the certificate for the service
-- is saved in the file'C:\Certificates\SupplierOrders.cer' and that
-- the initiating service already exists.
-- Create a user without a login.
CREATE USER [SupplierOrdersUser]
WITHOUT LOGIN ;
GO
-- Install a certificate for the owner of the service
-- in the remote database. The certificate is
-- provided by the owner of the remote service. The
-- user for the remote service owns the certificate.
CREATE CERTIFICATE [SupplierOrdersCertificate]
AUTHORIZATION [SupplierOrdersUser]
FROM FILE='C:\Certificates\SupplierOrders.cer' ;
GO
-- Create the remote service binding. Notice
-- that the user specified in the binding
-- does not own the binding itself.
-- Creating this binding specifies that messages from
-- this database are secured using the certificate for
-- the [SupplierOrdersUser] user.
-- Since anonymous is ON, the credentials for the user
-- that begins the conversation are not used for the
-- conversation.
CREATE REMOTE SERVICE BINDING [SupplierOrdersBinding]
TO SERVICE 'SupplierOrders'
WITH USER = [SupplierOrdersUser],
ANONYMOUS = ON ;
GO