Re: asp.net sql trusted connections between machines
- From: "Bruce Barker" <brubar_nospamplease_@xxxxxxxxxx>
- Date: Fri, 21 Oct 2005 10:16:25 -0700
there is a lot of documentation
full description of iis/asp.net security:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconImpersonation.asp
managing identity in bi objects:
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3ASPD_1.mspx
security patterns for asp.net:
http://msdn.microsoft.com/practices/apptype/webapps/default.aspx?pull=/library/en-us/dnnetsec/html/secnetlpmsdn.asp
these should get you started. in short if you want to use the user
credentials to connect to sqlserver, you will need to switch to kerberos for
authenication, and enable identity delegation.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp
-- bruce (sqlwork.com)
"Rob" <rob@xxxxxxxxxxxxxxx> wrote in message
news:%23Otzwpj1FHA.980@xxxxxxxxxxxxxxxxxxxxxxx
>
> So we have a client who doesn't want to run a Service Level Account
> (either via an Application Pool or IIS impersonation) and we need to
> connect to a remote SQL Server instance w/ Read-Write permissions. They
> don't want to do it that way due to the maintenance issues with passwords
> in multiple locations.
>
> We're using an OLE connection to SQL server and currently have the
> username and password obfuscated (not strong encryption but not) in the
> connection string in the web.config. Looking for a better alternative.
>
> We've looked into things such as described here:
>
> http://idunno.org/dotNet/trustedConnections.aspx
>
> This is a secured, internal app: Where I'm confused is why the standard
> Windows Authentication setting for access via IIS doesn't seem pass the
> users credentials to the SQL Server (even with impersonate=true in
> web.config). Ideally we just wanted to have read-write windows group and
> add users that way. The connection to SQL with impersonation and Windows
> Authentication remains either IIS or the Application Pool Identity?
>
> So, two questions:
>
> 1. is this impersonation behavior with IIS and Windows Authentication
> documented anywhere (need to show them via a reliable source this doesn't
> work beyond the fact that its not working)
>
> 2. Short of encrypting the user connection information in the registry
> (also a maintenance hassle) are there any other options?
>
> many thanks,
>
> Rob
.
- References:
- Prev by Date: No Update for HtmlInputHidden -- Bug or Feature?
- Next by Date: Rendering
- Previous by thread: asp.net sql trusted connections between machines
- Next by thread: Re: Converting Table
- Index(es):
Relevant Pages
|
