Re: Integrated security
From: Sahil Malik (contactmethrumyblog_at_nospam.com)
Date: 02/28/05
- Next message: Ade: "SQL timestamp column for concurrency"
- Previous message: Cor Ligthert: "Re: DataSet Performance"
- In reply to: Arne: "Re: Integrated security"
- Next in thread: Sahil Malik: "Re: Integrated security"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 28 Feb 2005 14:33:51 -0500
Arne,
The permissions ASPNET or its equivalent will need to run properly on a
Windows 2000/IIS 5 box are detailed here.
You are on the right path in your thinking about creating a matching
username/password on both machines. On the SQL Server it has access to the
DB, and on the web server this user has access as defined in the
link above.
Once you're done with this setup, you have two options - which essentially
substitute for the Application pool setup we did for IIS6.
You can put that in your web.config as --
<system.web>
  <identity impersonate="true" userName="yourNewUsername"
            password="yourStrongPassword" />
</system.web>
Or, you can let IIS impersonate those details in two steps (better way).
Step #1 -- In the properties for your website/virtual dir, go to Directory
Security and click the edit button beside "Anonymous access and
authentication control", then configure the new username and password there.
Step #2 -- Let IIS provide those impersonation details via a trusted
connection by editing your web.config as follows -
<system.web>
  <identity impersonate="true" />
</system.web>
Yet another way is to edit the machine.config file and put the password in
there to edit the default context. This would be at
<processModel .. userName="ASPNET" password="YourNewFunkyPassword"/>
This is obviously global and a bit less secure.
- Sahil Malik
http://codebetter.com/blogs/sahil.malik/
"Arne" <Arne@discussions.microsoft.com> wrote in message
news:DC1BFE3B-5D0E-4D23-9377-E8AA2AE8B61C@microsoft.com...
> Sahil,
> Thanks for the information, but it leaves a lot of questions unanswered.
> If I create a new NT account that matches my sql login, what kind of NT
> privileges do I have to give to it?
> I use IIS 5.0 and IIS 5.1 most of the time.
>
> Arne.
>
>
> "Sahil Malik" wrote:
>
> > The instructions for IIS 6 and 5 are vastly different. I'll just assume
> > you're using IIS 6 (partly because I'm hella lazy), and give you the
> > instructions for only those. If you are using IIS 5, lemme know and I'll
> > give you those instructions instead.
> >
> > So in Win2k3, IIS 6, you have this ultra new hall cool thing called
> > "Application Pools". In IIS manager under control panel -> Administrative
> > Tools -> IIS Manager, you can simply create a new application pool,
> > configure it to use a particular username password that has access to the
> > SQL Server, and then go to the virtual directory/website, and in its
> > properties instruct it to use that particular application pool.
> >
> > That's it, you got integrated security on ASP.NET now .. isn't that COOL? :)
> >
> > Obviously there are other ways to achieve this, but I like this method the
> > mostest :)
> >
> > - Sahil Malik
> > http://codebetter.com/blogs/sahil.malik/
> >
> >
> >
> > "Arne" <Arne@discussions.microsoft.com> wrote in message
> > news:94A74A1A-E400-4B0F-A39D-4C8538BA6E2C@microsoft.com...
> > > How do I create trusted security between my web server and my sql server?
> > > I don't know the account and password that my web server is running under.
> >
> >
> >
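
Added example, not part of the original posts: a small Python audit for the three credential placements discussed in the reply above (explicit userName/password on <identity>, IIS-supplied impersonation, and a password on <processModel> in machine.config). The sample configs and finding names are constructed here; treating "AutoGenerate" and "registry:" values as non-literal is an assumption about ASP.NET that the thread does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); names/passwords are placeholders.
SAMPLE_EXPLICIT = """<configuration><system.web>
  <identity impersonate="true" userName="yourNewUsername" password="yourStrongPassword" />
</system.web></configuration>"""

SAMPLE_IIS = """<configuration><system.web>
  <identity impersonate="true" />
</system.web></configuration>"""

SAMPLE_MISPLACED = """<configuration><system.web><authorization>
  <identity impersonate="true" />
</authorization></system.web></configuration>"""

SAMPLE_MACHINE = """<configuration><system.web>
  <processModel userName="ASPNET" password="YourNewFunkyPassword" />
</system.web></configuration>"""

def is_literal_secret(value):
    """True when a password attribute holds a literal value rather than the
    AutoGenerate default or a registry: reference (assumption, see lead-in)."""
    if value is None:
        return False
    v = value.strip().lower()
    return bool(v) and v != "autogenerate" and not v.startswith("registry:")

def audit_config(xml_text):
    """Return a sorted list of finding codes for one web.config/machine.config."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map first.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = set()
    for el in root.iter():
        if el.tag == "identity":
            parent = parent_of.get(el)
            # <identity> belongs directly under <system.web>.
            if parent is None or parent.tag != "system.web":
                findings.add("identity-misplaced")
            if is_literal_secret(el.get("password")):
                findings.add("identity-cleartext-password")
        elif el.tag == "processModel" and is_literal_secret(el.get("password")):
            findings.add("processmodel-cleartext-password")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in [("explicit", SAMPLE_EXPLICIT), ("iis", SAMPLE_IIS),
                       ("misplaced", SAMPLE_MISPLACED), ("machine", SAMPLE_MACHINE)]:
        print(name, audit_config(text))
```
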