如何判斷驗證類型是否為 Kerberos

本文提供查詢，可協助您判斷連線到 SQL Server Microsoft時所使用的驗證類型。 請確定您在用戶端電腦上執行查詢，而不是在您測試的 SQL Server 上。 否則，即使 Kerberos 已正確設定，查詢仍會傳回 auth_scheme 為 NTLM 。 這是因為 Windows 2008 中新增的個別服務 SID 安全性強化功能。 不論 Kerberos 是否可用，此功能都會強制所有本機連線使用 NTLM。

 SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id=@@SPID

使用 SQL Server Management Studio

在 SQL Server Management Studio 中執行以下查詢：

SELECT c.session_id, c.net_transport, c.encrypt_option,
       c.auth_scheme, s.host_name, @@SERVERNAME as "remote_name",
       s.program_name, s.client_interface_name, s.login_name,
       s.nt_domain, s.nt_user_name, s.original_login_name,
       c.connect_time, s.login_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
WHERE c.session_id=@@SPID

使用命令列

在命令提示字元中執行下列查詢：

C:\Temp>sqlcmd -S SQLProd01 -E -Q "select auth_scheme from sys.dm_exec_connections where session_id=@@SPID"
auth_scheme
----------------------------------------
NTLM

(1 rows affected)

替代方法

如果上述任一選項無法使用，請考慮使用下列替代程式：

1. 將下列腳本複製到文本編輯器，例如記事本，並將它儲存為 getAuthScheme.vbs：

   ' Auth scheme VB script.
   ' Run on a client machine, not the server.
   ' If you run locally, you will always get NTLM even if Kerberos is properly enabled.
   '
   ' USAGE:  CSCRIPT getAuthScheme.vbs tcp:SQLProd01.contoso.com,1433   ' explicitly specify DNS suffix, protocol, and port # ('tcp' must be lower case)
   ' USAGE:  CSCRIPT getAuthScheme.vbs SQLProd01                        ' let the driver figure out the DNS suffix, protocol, and port #
   '
   Dim cn, rs, s
   s = WScript.Arguments.Item(0)              ' get the server name from the command-line
   Set cn = createobject("adodb.connection")
   '
   ' Various connection strings depending on the driver/Provider installed on your machine
   ' SQLOLEDB is selected as it is on all windows machines, but may have limitations, such as lack of TLS 1.2 support
   ' Choose a newer provider or driver if you have it installed.
   '
   cn.open "Provider=SQLOLEDB;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"          ' On all Windows machines
   'cn.open "Provider=SQLNCLI11;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"        ' Newer
   'cn.open "Provider=MSOLEDBSQL;Data Source=" & s & ";Initial Catalog=master;Integrated Security=SSPI"       ' Latest, good for SQL 2012 and newer
   'cn.open "Driver={ODBC Driver 17 for SQL Server};Server=" & s & ";Database=master;Trusted_Connection=Yes"  ' Latest
   '
   ' Run the query and display the results
   '
   set rs = cn.Execute("select auth_scheme from sys.dm_exec_connections where session_id=@@SPID")
   WScript.Echo "Auth scheme: " & rs(0)
   rs.close
   cn.close
   

2. 在命令提示字元中 執行 getAuthScheme.vbs PowerShell 腳本：

   C:\Temp>cscript getAuthScheme.vbs SQLProd01
   

   您應該會看見下列輸出：

   Microsoft (R) Windows Script Host Version 5.812
   Copyright (C) Microsoft Corporation. All rights reserved.
   Auth scheme: NTLM
   

使用 PowerShell

您可以使用 PowerShell 來測試 SqlClient .NET 提供者，以嘗試將問題與應用程式隔離：

1. 將下列腳本複製到文本編輯器，例如記事本，並將它儲存為 get-SqlAuthScheme.ps1。

2. 在命令提示字元中執行下列文稿：

   #-------------------------------
   #
   # get-SqlAuthScheme.ps1
   #
   # PowerShell script to test a System.Data.SqlClient database connection
   #
   # USAGE: .\get-SqlAuthScheme tcp:SQLProd01.contoso.com,1433   ' explicitly specify DNS suffix,  protocol, and port # ('tcp' must be lower case)
   # USAGE: .\get-SqlAuthScheme SQLProd01                        ' let the driver figure out the DNS suffix, protocol, and port #
   #
   #-------------------------------
   param ([string]$server = "localhost")
   Set-ExecutionPolicy Unrestricted-Scope CurrentUser
   $connstr = "Server=$server;Database=master;Integrated Security=SSPI"
   [System.Data.SqlClient.SqlConnection] $conn = New-Object System.Data.SqlClient.SqlConnection
   $conn.ConnectionString = $connstr
   [System.DateTime] $start = Get-Date
   $conn.Open()
   [System.Data.SqlClient.SqlCommand] $cmd = New-Object System.Data.SqlClient.SqlCommand
   $cmd.CommandText = "select auth_scheme from sys.dm_exec_connections where session_id=@@spid"
   $cmd.Connection = $conn
   $dr = $cmd.ExecuteReader()
   $result = $dr.Read()
   $auth_scheme = $dr.GetString(0)
   $conn.Close()
   $conn.Dispose()
   [System.DateTime] $end = Get-Date
   [System.Timespan] $span = ($end - $start)
   "End time: " + $end.ToString("M/d/yyyy HH:mm:ss.fff")
   "Elapsed time was " + $span.Milliseconds + " ms."
   "Auth scheme for " + $server + ": " + $auth_scheme
   

您應該會看見下列輸出：

C:\temp> .\get-sqlauthscheme sqlprod01
End time: 10/26/2020 18:00:24.753
Elapsed time was 0 ms.
Auth scheme for sqlprod01: NTLM

其他相關資訊

SQL Server 中的一致驗證問題