Re: Security
From: Jeffrey Palermo [MCP] (http://dotnetjunkies.com/weblog/jpalermo)
Date: 10/09/04
- Next message: Jeffrey Palermo [MCP]: "Re: Mixing ASP with ASPX"
- Previous message: Jeffrey Palermo [MCP]: "Re: Sizing fields"
- In reply to: Demetri: "Security"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 8 Oct 2004 21:21:32 -0500
Demetri,
I'll share what we do because I do something similar. I use the
web.config file to impersonate a domain user that has access to the database
and other domain resources. I use aspnet_setreg to encrypt and store in the
registry the domain user and password. I leave the IIS settings alone and
have Windows Integrated Security set. ASP.NET is able to authenticate the
user while running the code under the impersonated account. It works great.
Best regards,
Jeffrey Palermo
"Demetri" <Demetri@discussions.microsoft.com> wrote in message
news:7BD4844E-4DEB-43C1-8E79-A3BDCDD1026A@microsoft.com...
> I have a client that would like the asp.net application to have security
as
> follows:
>
> Impersonated using account XXXXX for the purpose of using SSPI in making
the
> database connection. This way no user information is stored anywhere but
IIS
> security settings.
>
> At the same time the app will be in need of capturing user NT credentials
to
> identify who is actually accessing the web application. The NT account
itself
> will not be set up in SQL server. So the app can not use integrated
security.
>
> Normally the web.config would have the db connection string using a db
> defined user account. However, in this case we need the db user to be the
> same user as the web app is running under yet we need the client user's NT
> info.
>
> Any help is appreciated.
>
> -Demetri
- Next message: Jeffrey Palermo [MCP]: "Re: Mixing ASP with ASPX"
- Previous message: Jeffrey Palermo [MCP]: "Re: Sizing fields"
- In reply to: Demetri: "Security"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
