Re: SQL Server Authentication versus Windows Authentication

Its more complicated than that unfortunately. Using SQL Server
authentication has some security implications so it is generally better
(IMHO) to use Windows Authentication to SQL Server, though by using a
Integrated Security you are using the current principal running the
ASP.NET page. In general this is either a very limited user (e.g.
Network Service under W2K3) or a specific windows principal.

If you are using Windows Authentication on your ASP.NET (e.g. Intranet
projects), then integrated security means that your actual users are
authenticating to the SQL Server. This is good and bad. Bad in that
you need to make sure they have access, but good if you need to audit
database changes as it will be annotated with who made what changed in
audit logs. But this is a usually not the case.

I think the best practice with ASP.NET is to use a user account to
authenticate with instead of SQL Server security. Whether you use
integrated security to pass the credentials to the SQL Server is up to
you, but in either case the user should probably be somewhat limited in
access to the database to prevent intrusions into the website causing
havok.

Does this make any sense?

Thanks,

Shawn Wildermuth
Wildermuth Consulting Services, LLC
http://adoguy.com
C# MVP, MCSD.NET, Author and Speaker


-----Original Message-----
From: supvine@xxxxxxxxx
Posted At: Thursday, July 13, 2006 5:14 PM
Posted To: microsoft.public.dotnet.framework.adonet
Conversation: SQL Server Authentication versus Windows Authentication
Subject: SQL Server Authentication versus Windows Authentication


Hello,

I am hearing conflicting point of views regarding ASP.Net
development - some folks say that when connecting to a SQL
Server via ASP.Net it is better to connect using Integrated
Windows Authentication (trusted
connection) while others say that it is better to connect
using SQL Server Authentication.

The two modes mean the following to me -

Windows Authentication Mode - meaning a domain account given
permission to a particular SQL Server database.

SQL Server Authentication Mode - meaning an user created in
SQL Server itself and given specific permissions to a database.

Could someone provide me with some direction regarding these
two options and what are the advantages and disadvantages of
each of these?

Thanks for your help regarding this.






.

Relevant Pages

  • Re: Trusted connections??
    ... implement role or user based security at the SQL Server. ... If the ASP.Net app controls what the user can request of the database then I ... I implement user authentication at the application and the application ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: NT authentication vs. SQL auth
    ... that Windows Authentication is more "demanding" than is SQL Server ... I would think that SQL Server, rather than just looking at its own (probably ...
    (microsoft.public.sqlserver.security)
  • Re: NT authentication vs. SQL auth
    ... that Windows Authentication is more "demanding" than is SQL Server ... I would think that SQL Server, rather than just looking at its own (probably ...
    (microsoft.public.sqlserver.security)
  • Re: Permissions problem on SBS 2003 R2 for SQL Server 2005 clients
    ... Mixed mode authentication is there for a reason. ... Microsoft strongly recommends Windows authentication for a purely ... I DO NOT DO on SQL Server systems unless necessary. ... security is no place for workarounds and you have to understand that SQL ...
    (microsoft.public.windows.server.sbs)
  • Re: Cannot open database requested in login
    ... Assuming your goal is to use windows integrated ... security then leave out the username ... ASP.NET service) as a login to SQL Server and with access to the ... >> you should see security tab, change authentication to "SQL ...
    (microsoft.public.sqlserver.security)