NetworkService Account alternative

Max2006

Hi,

I want my ASP.NET application to connect to a SQL Server through Windows
authentication.

To do this, I assume that my application pool should be under a Windows
identity instead of NetworkService. (right?)

Since the ASP.NET application pool user identity should be as restricted
and secured as NetworkService, is there any guideline on how to limit and
secure the new user?

Thank you,
Max
 
You can either set the application pool running user account to an
appropriate local or domain account (WIN2003 or later) or consider using
impersonation with your ASP.NET app.
 
Hi Max,

For your scenario, you have the following options:

1. Configure your ASP.NET application to use a custom application pool
identity (process account) which can be authenticated by the remote SQL
Server machine. You can follow this reference about how to create a
custom account, which also includes granting the custom account the proper
permissions:

#How To: Create a Service Account for an ASP.NET 2.0 Application
http://msdn.microsoft.com/en-us/library/ms998297.aspx


2. You can use impersonation to make your ASP.NET page requests run under
an impersonated account (instead of the worker process account). Impersonation
can be done via web.config statically or in code dynamically (more
flexible). Here are some useful articles that introduce how to use
impersonation in ASP.NET:

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998351.aspx

#Understanding ASP.NET Impersonation Security
http://www.west-wind.com/WebLog/posts/2153.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
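
An added example, not part of the thread or of the linked MSDN articles: the SQL Server side of option 1, giving the custom application pool account a Windows login with only the rights the application needs, followed by audit queries. The account `CONTOSO\svc_webapp`, the database `AppDb`, the schema `app` and the role `web_app_exec` are hypothetical names.

```sql
-- Added example. CONTOSO\svc_webapp, AppDb, app and web_app_exec are
-- hypothetical names; replace them with your own.
-- The application's connection string then carries no password, e.g.
--   Server=<server>;Database=AppDb;Integrated Security=SSPI;

USE master;
GO
-- Windows-authenticated login for the application pool identity.
CREATE LOGIN [CONTOSO\svc_webapp] FROM WINDOWS
    WITH DEFAULT_DATABASE = AppDb;
GO

USE AppDb;
GO
-- Map the login to a database user; this grants CONNECT and nothing else.
CREATE USER svc_webapp FOR LOGIN [CONTOSO\svc_webapp];
GO
-- Grant rights through a role, limited to executing procedures in one schema.
-- No db_owner, no direct table access.
CREATE ROLE web_app_exec;
GRANT EXECUTE ON SCHEMA::app TO web_app_exec;
-- SQL Server 2012 and later; on older versions use
--   EXEC sp_addrolemember 'web_app_exec', 'svc_webapp';
ALTER ROLE web_app_exec ADD MEMBER svc_webapp;
GO

-- Audit 1: server roles held by the login (expect no rows).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\svc_webapp';

-- Audit 2: explicit permissions held by the user and its role in AppDb.
SELECT pr.name AS principal_name, pe.class_desc,
       pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'svc_webapp', N'web_app_exec');

-- Audit 3 (run as an administrator while the site is serving requests):
-- confirm the application connects as the service account and how it
-- authenticated (auth_scheme is KERBEROS, NTLM or SQL).
SELECT s.login_name, s.host_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'CONTOSO\svc_webapp';
```

If Audit 3 shows a different login, such as the machine account, the application pool is still running as NetworkService or the request is being impersonated.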
 