how to hash impersonated password

Mark

We're going to use impersonation in our web.config file to connect via
Windows authentication to a SQL Server on the same domain. We'd like to
hash the password rather than store it in plain text in the web.config
file ... suggestions?

<identity impersonate="true" userName="mydomain\myuser" password="mypass"/>

Thanks in advance!

Mark
 
We're on a Windows network - we'd like to leverage Windows authentication.
We don't have SQL Server authentication turned on at all.

I'm happy to store the hashed/encrypted password somewhere else, but would
appreciate a bit of guidance on a best practice to follow.

Thanks in advance.

Mark

Adrijan Josic said:
There's no logic in having it hashed in the web.config. If ASP.NET could
log in with a hashed password, so could everyone else, hence someone could get
the hash from your web.config file and use it to log in just as he would with
the original password.
Why don't you use standard SQL identification and store your password
somewhere else, perhaps encrypted (not hashed)?
You could probably also deny read/write permission on web.config to
everyone except the necessary system processes I guess...
 
Microsoft supplies no secure way to do this. The best you can do is encrypt
the password and store it where you like (note: all web sites on the server
will have access to it, if they know where). Then your code will have to
impersonate the account before making any calls that require it. Due to
ASP.NET thread agility (threads may switch during page processing), you cannot
just do it once at the start of page processing.

-- bruce (sqlwork.com)
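
One way to implement the approach in the reply above, as an added example that is not part of the thread: the password is encrypted with Windows DPAPI (a technique chosen here, not named by any poster) and the account is impersonated only around each call that needs it. It assumes .NET Framework 4.x with a reference to System.Security.dll; the class and method names are hypothetical, and "mydomain"/"myuser" are the placeholders from the question.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Security.Principal;
using System.Text;

public static class ImpersonatedCall   // hypothetical helper, not a framework type
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;

    // Run once on the web server and store the blob outside web.config.
    // LocalMachine scope means any process on this server can decrypt it,
    // which is the exposure the reply notes for other sites on the box.
    public static byte[] Protect(string password)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(password), null,
            DataProtectionScope.LocalMachine);
    }

    // Impersonate only around the work that needs the account, then revert,
    // so nothing depends on which thread handles the rest of the request.
    public static void Run(byte[] protectedBlob, Action work)
    {
        byte[] clear = ProtectedData.Unprotect(protectedBlob, null,
            DataProtectionScope.LocalMachine);
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!LogonUser("myuser", "mydomain", Encoding.UTF8.GetString(clear),
                    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                work();   // e.g. open a SqlConnection with Integrated Security=SSPI
            }             // Dispose() reverts the thread to its original identity
        }
        finally
        {
            Array.Clear(clear, 0, clear.Length);          // drop the decrypted bytes
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

The decrypted password still exists briefly as a managed string inside `Run`, so this narrows exposure of the stored secret rather than removing it.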
 