签名激活过程中的不受信任的安全上下文

时间:2014-11-25 14:04:16

标签: sql-server stored-procedures linked-server service-broker sql-server-2014

我有一个服务代理队列的激活过程,用于查询链接服务器。我使用here找到的方法签署了该程序。但是,我不断在sql server日志中看到以下消息:

  

激活的proc' [dbo]。[TestProc]'在队列上运行' DBName.dbo.TestReceiveQueue'输出以下内容:'拒绝访问远程服务器,因为当前的安全上下文不受信任。'

奇怪的是,我在同一个数据库中有几个不同的激活程序,由同一个证书签名,也可以进行链接服务器查询,并且工作正常。出于某种原因,这个程序拒绝。

这里有一些代码(大部分)可以重现问题。我已经创建了证书和相关的登录信息。

CREATE PROCEDURE TestProc
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;

DECLARE @convHandle UNIQUEIDENTIFIER;
DECLARE @msgTypeName SYSNAME;
DECLARE @status TINYINT;
DECLARE @srvName NVARCHAR(512);
DECLARE @srvConName NVARCHAR(256);
DECLARE @msgTypeValidation AS NCHAR(2);
DECLARE @msgBody NVARCHAR(256);
DECLARE @cmd AS NVARCHAR(50);


RECEIVE TOP(1)
        @convHandle = conversation_handle,
        @msgTypeName =  message_type_name,
        @status = status,
        @srvName = service_name,
        @srvConName = service_contract_name,
        @msgTypeValidation = validation,
        @msgBody = CAST(message_body AS NVARCHAR(256))
        FROM TestReceiveQueue;

    --SELECT @convHandle, @msgBody

    IF (@@ROWCOUNT != 0)
    BEGIN

        SELECT * FROM openquery(LINKEDSERVERNAME, 'SELECT * FROM LINKEDSERVERDB.SCHEMA.TABLE')

        END CONVERSATION @convHandle
    END

END
GO

CREATE MESSAGE TYPE [TestMessageType] VALIDATION = NONE;

CREATE CONTRACT TestContract (TestMessageType SENT BY INITIATOR)

CREATE QUEUE [dbo].[TestReceiveQueue] With STATUS = ON, RETENTION = OFF, ACTIVATION (STATUS = ON, PROCEDURE_NAME = [dbo].[TestProc], MAX_QUEUE_READERS = 1, EXECUTE AS OWNER ), POISON_MESSAGE_HANDLING (STATUS = OFF) ON [PRIMARY]
CREATE QUEUE [dbo].[TestSendQueue] WITH STATUS = ON, RETENTION = OFF, POISON_MESSAGE_HANDLING (STATUS = OFF) ON [PRIMARY]

CREATE SERVICE [TestReceiveService] ON QUEUE [dbo].[TestReceiveQueue] (TestContract)

CREATE SERVICE [TestSendService] ON QUEUE [dbo].[TestSendQueue] (TestContract)


Drop Procedure TestProc

ADD SIGNATURE TO OBJECT::[TestProc]
BY CERTIFICATE [ServiceBrokerProcsCert]
WITH PASSWORD = 'PASSWORDHERE'
GO

有什么方法可以进一步调试,找出我收到此错误的原因?我在对话中尝试了ssbdiagnose,并且没有任何配置错误。我还尝试在激活的sproc中记录CURRENT_USER,它以dbo的形式返回。

当我将数据库标记为值得信赖时,它当然有效(但这是我试图避免的)。

1 个答案:

答案 0 :(得分:0)

如果数据库是TRUSTWORTHY OFF,则程序将仅在签署用户的上下文中运行,而不是按照您的预期运行。

将链接服务器权限分配给与 ServiceBrokerProcsCert 相关联的用户,它是正确的用户,其中运行上下文签名的激活过程。

相关问题
最新问题