"<MachineName>\ASPNET Account" and "NT Authority\Syst

[MS Techie]

I am talking about .Net Framework 2.0 and .Net Framework 1.1
When accessing SQL Database through ADO.Net C#, in the connection string
when we specify Windows Integrated Authentication. i.e. "INTEGRATED SECURITY
= SSPI" , what exactly happens... Does the .Net Framework , access SQL
Database through a <machineName>\ASPNET account... This is in the scenario
when the Database is residing on the same server as the host . I know that
ASPNET user is a local system account.

Now in the Scenario where in the Database is placed on a different Server, I
think it uses NT Authority\System account to access the SQL Database from a
different Server..

Is my understanding totally wrong in both the scenarios.. Can I get a good
link which exactly describes what exactly happens inside...

 

[Norman Yuan]

ASP.NET/web application is server side application, which can be configured
to run under different user account (local or domain). Be default, it is
Machine\ASPNET (WinNT/XP) or Network Service (Win2003/VISTA/2008). But it
can be any oner account, based on the app's needs (you as developer surely
should be able decide which user account the ASP.NET should be running
under. The account will not change by itself because of where SQL Server is.

When SQL Server is in different box, you need to look into using domain user
account, and/or server security delegation, in accordence with the decision
of using WIndows integrated security or SQL Server security to access SQL
Server.

 

[William Vaughn \(MVP\)]

I, for one, don't recommend using Integrated Security=SSPI (or
Trusted_Connection=Yep in Texas). I encourage use of SQL Server
authentication for ASP so you don't have to worry about reauthentication by
the DC on each reconnect. Simply enable mixed mode security on the SQL
Server and create an application-specific account that's granted rights on
just those stored procedures (etc.) that the application needs and you're
fixed.

See Chapter 9 of my book or my blog for whitepapers on connecting.

hth

--
__________________________________________________________________________
William R. Vaughn
President and Founder Beta V Corporation
Author, Mentor, Dad, Grandpa
Microsoft MVP
(425) 556-9205 (Pacific time)
Hitchhiker’s Guide to Visual Studio and SQL Server (7th Edition)
http://betav.com http://betav.com/blog/billva
____________________________________________________________________________________________

 

[MS Techie]

Hi William,

Thanks for the reply. I am currently using ASP.Net 2.0 and SQL Server 2005.
By Default when I specify "Integrated Security =SSPI" in the connectionString
in my C# code, I believe this is what happens..

Firstly , Depending on where I am running my ASP.Net 2.0 code, whether on a
machine using IIS 5.0 or IIS 6.0 and later , it gets decided what account
needs to be used. So if it is IIS 5.0 , it used <machinename>\ASPNET account
and if it is IIS 6.0 and higher it used "NT Authority\Network Service"
account , when trying to access the SQL database.
Now again , this depends on whether I have set the <Identity
Impersonate="true"> . By Default this setting is false. Now what happens when
I set this to true is that whatever Windows NT Domain or local system account
that I use will be used while querying SQL and the ASPNet or the "NT
Authority\Network Service" will not be used in this case. Ideally it would be
better to not to use SQL Authentication in the connection string (as per
microsoft) and best is to use Windows Integrated Authentication.
I think most of the companies on the other hand, dont use both the
techniques, but they create a exclusive DOMAIN account for the same purpse ,
set the identiy impersonate = true and specify the domain credentials in that
node in the web.config, encrypt that section of web.config and make sure that
the newly created domain account have least privilleges or whatever required
privilleges on the SQL Server, %temp%\temporary asp.net files\ folder,
\inetpub folder etc..

This is my understanding.. Please correct me if I am wrong..