问题
When running an ASP.Net website on IIS I can specify the Active Directory (AD) username that the website runs in the context of in the App Pool settings. I can then create a connection string with Integrated Security = true to access my database. It's then possible to secure DB resources based on that AD user.
Is this possible in Windows Azure when connecting a Web Site to a VM hosting an SQL database?
Firstly it does not seem possible to specify the virtual network of the Web Site so I am not sure how to specify the connection string. I'm hoping I don't need to expose the SQL Server's port (1433) to the outside world so only the website can make access to it.
Secondly, I can't see how to specify the user context of the Website so that this can be passed to the SQL Server. I am aware that Azure has an Active Directory but I don't see any options in the Azure Portal to run a Web Site as a specific user.
回答1:
To answer the first part of your question, you can connect your Azure Web App to a virtual network only in the preview portal. If you go to the very bottom of the main properties "blade" for the web app, there's a "Networking" section that will allow you to select the vnet.
The second part - I don't believe there's a way to do that, due to the lack of control over the application pool settings for Azure Web Apps.
Each app in Web Apps runs as a random unique low-privileged worker process identity called the "application pool identity", described further here: http://www.iis.net/learn/manage/configuring-security/application-pool-identities.
(from: http://azure.microsoft.com/en-us/documentation/articles/web-sites-available-operating-system-functionality/)
Sql authentication will work in this scenario.
And if you have the website hosted outside of Azure, it's definitely possible - we have a TFS build server that's hosted locally using windows authentication to publish database project builds to a SQL Server VM in Azure over a vnet.
来源:https://stackoverflow.com/questions/30078663/sql-server-integrated-security-from-an-azure-web-site