IIS Integrated Windows authentication and SQL Integrated security

  • Thread starter Gilbert Tordeur
  • Start date
G

Gilbert Tordeur

Hello.

Context : VB 2008, Windows 2003 Server, IIS6, SQL Server 2005, Windows XP
PC's, Intranet applications.

IIS and SQL Server are located on different machines.

I wanted my Intranet applications to access the SQL server with Integrated
Security = true, so that I grant right access to my users in SQL Server, and
no userid nor password (SQL account) can be seen in the application.

After having read http://msdn.microsoft.com/en-us/library/bsz5788z.aspx, I
understand that it is not possible for IIS to communicate the user's userid
to SQL Server if they are not running on the same machine (except with Basic
Authentication, but forget it !).

Do I understand well ?

That means that my PC is able to communicate my userid to my Intranet
application running on a server, but this IIS server is not able to do the
same to SQL Server ?

Thank you for your advice.

Gilbert
 
M

Mr. Arnold

Gilbert Tordeur said:
Hello.

Context : VB 2008, Windows 2003 Server, IIS6, SQL Server 2005, Windows XP
PC's, Intranet applications.

IIS and SQL Server are located on different machines.

I wanted my Intranet applications to access the SQL server with Integrated
Security = true, so that I grant right access to my users in SQL Server,
and no userid nor password (SQL account) can be seen in the application.

After having read http://msdn.microsoft.com/en-us/library/bsz5788z.aspx, I
understand that it is not possible for IIS to communicate the user's
userid to SQL Server if they are not running on the same machine (except
with Basic Authentication, but forget it !).

Do I understand well ?

That means that my PC is able to communicate my userid to my Intranet
application running on a server, but this IIS server is not able to do the
same to SQL Server ?

Thank you for your advice.
Click to expand...


No one does this. One puts a generic user-id and psw (psw encrypted with
special key combinations) as the SQL connection string in the Web.config.
The generic user-id and psw are the credentials used to access the
particular database.

You can encrypt the Web.config too if you feel the need.

You should learn how to use Linq-2-SQL or ADO.NET Entity Framework, as they
both have features to further protect connection string information.







__________ Information from ESET NOD32 Antivirus, version of virus signature database 4415 (20090910) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
G

Gilbert Tordeur

Hi Arnold.

Thanks for your answer on this sensitive issue.

Do I understand well ? You'd rather use a constant SQL userid instead of the
automatic user identification, and then, because the password is needed, you
suggest to encrypt it. OK. Then I assume the intranet application decrypt
the password before opening the connection, right ?

Furthermore, I have learned ADO.NET and Linq mainly with two books :
Microsoft ADO.NET reference manual, and Linq in Action. Unless I am mistake
they do not address this security issue. Can you give me some Internet links
to improve my knowledge ?

Thank you,
Gilbert
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SQL Server 2005 and Integrated Security 1
Integrated Authentication 1
How to wake up an asynchroneous process ? 3
using an alternate Windows login with integrated security 1
ASP.NET Integrated Windows Authentication 2
connecting to SQL Server over VPN 1
Access problem when calling Excel from a web application 2
Web application calling Excel 2003 2

Top