I have a Service Broker queue activation procedure that queries a linked server. I signed the procedure using the method found here. However, I keep seeing the following message in the SQL Server log:
The activated proc '[dbo].[TestProc]' running on queue 'DBName.dbo.TestReceiveQueue' output the following: 'Access to the remote server is denied because the current security context is not trusted.'
The strange thing is that I have several other activation procedures in the same database, signed by the same certificate, that also run linked server queries and work fine. For some reason this one refuses.
Here is some code that (mostly) reproduces the problem. I have already created the certificate and the associated login.
CREATE PROCEDURE TestProc
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @convHandle UNIQUEIDENTIFIER;
    DECLARE @msgTypeName SYSNAME;
    DECLARE @status TINYINT;
    DECLARE @srvName NVARCHAR(512);
    DECLARE @srvConName NVARCHAR(256);
    DECLARE @msgTypeValidation AS NCHAR(2);
    DECLARE @msgBody NVARCHAR(256);
    DECLARE @cmd AS NVARCHAR(50);

    -- Pull one message off the activated queue.
    RECEIVE TOP(1)
        @convHandle = conversation_handle,
        @msgTypeName = message_type_name,
        @status = status,
        @srvName = service_name,
        @srvConName = service_contract_name,
        @msgTypeValidation = validation,
        @msgBody = CAST(message_body AS NVARCHAR(256))
    FROM TestReceiveQueue;
    --SELECT @convHandle, @msgBody

    IF (@@ROWCOUNT != 0)
    BEGIN
        -- The linked server call that fails with "security context is not trusted".
        SELECT * FROM OPENQUERY(LINKEDSERVERNAME, 'SELECT * FROM LINKEDSERVERDB.SCHEMA.TABLE');
        END CONVERSATION @convHandle;
    END
END
GO

CREATE MESSAGE TYPE [TestMessageType] VALIDATION = NONE;
CREATE CONTRACT TestContract (TestMessageType SENT BY INITIATOR);
CREATE QUEUE [dbo].[TestReceiveQueue] WITH STATUS = ON, RETENTION = OFF,
    ACTIVATION (STATUS = ON, PROCEDURE_NAME = [dbo].[TestProc], MAX_QUEUE_READERS = 1, EXECUTE AS OWNER),
    POISON_MESSAGE_HANDLING (STATUS = OFF) ON [PRIMARY];
CREATE QUEUE [dbo].[TestSendQueue] WITH STATUS = ON, RETENTION = OFF,
    POISON_MESSAGE_HANDLING (STATUS = OFF) ON [PRIMARY];
CREATE SERVICE [TestReceiveService] ON QUEUE [dbo].[TestReceiveQueue] (TestContract);
CREATE SERVICE [TestSendService] ON QUEUE [dbo].[TestSendQueue] (TestContract);
GO

-- Cleanup only; running it at this point would drop the procedure before it is signed.
-- DROP PROCEDURE TestProc

ADD SIGNATURE TO OBJECT::[TestProc]
    BY CERTIFICATE [ServiceBrokerProcsCert]
    WITH PASSWORD = 'PASSWORDHERE';
GO
Is there any way to debug this further and find out why I am getting this error? I tried ssbdiagnose on the conversation and it reports no configuration errors. I also tried logging CURRENT_USER inside the activated sproc, and it comes back as dbo.
When I mark the database as TRUSTWORTHY it works, of course (but that is what I am trying to avoid).
Answer 0 (score: 0)
If the database is TRUSTWORTHY OFF, the procedure will run only in the context of the signing user, not the way you expect.
Assign the linked server permissions to the user associated with ServiceBrokerProcsCert; that is the correct user in whose context the signed activation procedure runs.
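As an added example (not code from the question or the answer), here is the complete certificate chain the answer refers to: signing TestProc in the user database, carrying the certificate's public part into master, deriving a login from it that holds AUTHENTICATE SERVER instead of turning TRUSTWORTHY on, and a catalog query that shows whether a given procedure still carries its signature. ServiceBrokerProcsCert, TestProc, DBName and LINKEDSERVERNAME come from the question; the login name, passwords and certificate subject are assumptions.

```sql
-- Step 1 (in the user database): create the certificate and sign the activation procedure.
USE DBName;
GO
-- A database master key must exist before the certificate; skip this line if one already does.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DbMasterKeyPassword!1';   -- assumed password
CREATE CERTIFICATE ServiceBrokerProcsCert
    ENCRYPTION BY PASSWORD = 'CertPrivateKeyPassword!1'               -- assumed password
    WITH SUBJECT = 'Signs Service Broker activation procedures';
ADD SIGNATURE TO OBJECT::dbo.TestProc
    BY CERTIFICATE ServiceBrokerProcsCert
    WITH PASSWORD = 'CertPrivateKeyPassword!1';
GO

-- Step 2: copy only the public part of the certificate into master and derive a login from it.
-- master never needs the private key; the login only has to match the signature's thumbprint.
DECLARE @pub VARBINARY(MAX) = CERTENCODED(CERT_ID('ServiceBrokerProcsCert'));
DECLARE @sql NVARCHAR(MAX) =
    N'CREATE CERTIFICATE ServiceBrokerProcsCert FROM BINARY = '
    + CONVERT(NVARCHAR(MAX), @pub, 1) + N';';
EXEC master.sys.sp_executesql @sql;
GO
USE master;
GO
CREATE LOGIN ServiceBrokerProcsCertLogin FROM CERTIFICATE ServiceBrokerProcsCert;  -- assumed name
-- AUTHENTICATE SERVER is the one server-level permission that lets the EXECUTE AS context
-- established inside the database be trusted at server scope (which linked servers require).
-- It replaces TRUSTWORTHY ON, which would extend that trust to every owner-impersonating proc.
GRANT AUTHENTICATE SERVER TO ServiceBrokerProcsCertLogin;
-- If the linked server uses explicit login mappings rather than a catch-all mapping, add one
-- for this login as well with sp_addlinkedsrvlogin (@locallogin = N'ServiceBrokerProcsCertLogin').
GO

-- Step 3 (back in the user database): verify which procedures still carry the signature.
-- ALTER PROCEDURE drops the signature silently, so a re-deployed procedure fails while its
-- untouched siblings keep working; this query shows that directly.
USE DBName;
GO
SELECT  p.name AS procedure_name,
        c.name AS signing_certificate,
        CASE WHEN cp.major_id IS NULL THEN 'NOT SIGNED' ELSE 'signed' END AS signature_status
FROM    sys.procedures AS p
LEFT JOIN sys.crypt_properties AS cp
       ON cp.major_id = p.object_id AND cp.class = 1 AND cp.crypt_type = 'SPVC'
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = cp.thumbprint
WHERE   p.name = N'TestProc';
```

Run the final query after every deployment of the activation procedures; any row reading NOT SIGNED needs ADD SIGNATURE again before activation will cross to the linked server.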