IIS Integrated Windows authentication and SQL Integrated security


Gilbert Tordeur

Hello.

Context: VB 2008, Windows 2003 Server, IIS6, SQL Server 2005, Windows XP
PCs, Intranet applications.

IIS and SQL Server are located on different machines.

I wanted my Intranet applications to access the SQL server with Integrated
Security = true, so that I grant access rights to my users in SQL Server, and
no userid or password (SQL account) can be seen in the application.

After having read http://msdn.microsoft.com/en-us/library/bsz5788z.aspx, I
understand that it is not possible for IIS to communicate the user's userid
to SQL Server if they are not running on the same machine (except with Basic
Authentication, but forget it!).

Do I understand well?

That means that my PC is able to communicate my userid to my Intranet
application running on a server, but this IIS server is not able to do the
same to SQL Server?

Thank you for your advice.

Gilbert
 

No one does this. One puts a generic user-id and psw (psw encrypted with
special key combinations) as the SQL connection string in the Web.config.
The generic user-id and psw are the credentials used to access the
particular database.

You can encrypt the Web.config too if you feel the need.

You should learn how to use Linq-2-SQL or ADO.NET Entity Framework, as they
both have features to further protect connection string information.
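Arnold's advice to keep an encrypted connection string in Web.config is what ASP.NET calls protected configuration. The commands below are an added illustration, not code from the thread: they encrypt the connectionStrings section with the RSA provider and give the worker-process account access to the key container. The application path, the worker-process identity and the sample connection string are assumptions.

```powershell
# Added example: protect the <connectionStrings> section of an ASP.NET 2.0+ Web.config
# with RsaProtectedConfigurationProvider. Paths and the account name are assumptions.
$regiis  = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$appPath = "C:\inetpub\wwwroot\IntranetApp"   # assumed physical path of the application
$poolId  = "NT AUTHORITY\NETWORK SERVICE"      # default IIS6 worker-process identity

# Before: the generic SQL account's password is readable by anyone who can open Web.config
# (constructed sample, not a real account):
# <connectionStrings>
#   <add name="Intranet"
#        connectionString="Data Source=SQLHOST;Initial Catalog=Intranet;User ID=appuser;Password=..." />
# </connectionStrings>

# Encrypt the section in place (-pef = encrypt, addressed by physical directory).
& $regiis -pef "connectionStrings" $appPath -prov "RsaProtectedConfigurationProvider"

# Grant the worker-process account read access to the machine-level RSA key container;
# without this, reading ConfigurationManager.ConnectionStrings fails at runtime.
& $regiis -pa "NetFrameworkConfigurationKey" $poolId

# Verify: the section now carries only the provider name and the cipher text,
# so no plaintext "Password=" remains in the file.
Select-String -Path (Join-Path $appPath "Web.config") -Pattern "configProtectionProvider|CipherValue|Password="

# To change the credentials later: decrypt (-pdf), edit, then re-run the -pef step.
# & $regiis -pdf "connectionStrings" $appPath
```

No change is needed in the application code: the runtime decrypts the section transparently when ConfigurationManager.ConnectionStrings is read, so the password is never decrypted by hand in the VB code.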
 
Hi Arnold.

Thanks for your answer on this sensitive issue.

Do I understand well? You'd rather use a constant SQL userid instead of the
automatic user identification, and then, because the password is needed, you
suggest encrypting it. OK. Then I assume the intranet application decrypts
the password before opening the connection, right?

Furthermore, I have learned ADO.NET and Linq mainly with two books:
Microsoft ADO.NET reference manual, and Linq in Action. Unless I am mistaken,
they do not address this security issue. Can you give me some Internet links
to improve my knowledge?

Thank you,
Gilbert
 