Re: NT vs SQ Server Authentication

From: Bob Castleman (nomail_at_here)
Date: 08/26/04 

Date: Thu, 26 Aug 2004 18:05:57 -0400

BOL says nothing about deprecation. I'm just naturally paranoid about any
feature for which its primary reason for existence is backward compatibilty.

Basically, SQL Server authentication was replaced 5 years ago - a very long
time in the technology biz. It seems to me that the wiser choice is to use
NT authentication for any new development and let SQL authentication hang
around for backwards compatability only.

Bob

"Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
message news:uXRe3W6iEHA.1644@tk2msftngp13.phx.gbl...
> > From reading BOL, the primary differences are all related to the
security
> > available through NT. This is all lost when using SQL Server
authentication.
> > Also BOL says SQL authentication is supplied for backwards compatibilty
> > which implies deprecation leading to dropping of the functionality.
Anytime
> > I see backwards compatibility, it makes me nervous.
>
> I have a feeling that BOL is "overstating" the deprecation risk. I doubt
that SQL Server logins will be
> removed in the near future. Just think of a typical Web Server scenario.
where the web server is in DMZ and
> SQL Server inside both firewalls. Here, you typically login using a SQL
Server login from the web server to
> the SQL Server. Often even the same login for all users. Are you checking
the latest update of BOL? Perhaps MS
> backed off a bit on this after releasing SQL2K, and re-phrased it in later
editions of BOL?
>
>
> > Their contention is that
> > by using hardcoded passwords, there is no chance that a user will screw
up
> > adding users to the domain or user groups and it will save us a few
support
> > calls.
>
> Basically, this is what application roles are there for.
>
>
> > Are their any considerations regarding .NET?
>
> Not that I'm aware of...
> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://www.solidqualitylearning.com/
>
>
> "Bob Castleman" <nomail@here> wrote in message
news:uVQ4GzuiEHA.3536@TK2MSFTNGP12.phx.gbl...
> > From reading BOL, the primary differences are all related to the
security
> > available through NT. This is all lost when using SQL Server
authentication.
> > Also BOL says SQL authentication is supplied for backwards compatibilty
> > which implies deprecation leading to dropping of the functionality.
Anytime
> > I see backwards compatibility, it makes me nervous.
> >
> > Our developers have suggested hardcoding passwords into the application.
I
> > think we should stay with NT authentication, but they think it will be
> > easier to perform setup and admin tasks using SQL auth. We have alot of
> > customers using MSDE and they really don't have a clue about backups,
etc.
> > so we need to do these from within our application. Their contention is
that
> > by using hardcoded passwords, there is no chance that a user will screw
up
> > adding users to the domain or user groups and it will save us a few
support
> > calls.
> >
> > Are their any considerations regarding .NET?
> >
> > Thanks,
> >
> > Bob
> >
> >
> > "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote
in
> > message news:uPrQycuiEHA.2660@TK2MSFTNGP15.phx.gbl...
> > > I prefer Windows authentication.
> > >
> > > With luck I can run SQL Server in "Windows Only" mode. Just the fact
that
> > there exist an account with sysadmin
> > > privileges that everyone know the name of feels a bit uncomfortable to
me.
> > >
> > > Also, for SQL server account, you have yet another password to
remember.
> > And, for SQL Server logins, there's
> > > nothing that forces you to change passwords, min length of password
and
> > all these things.
> > >
> > > --
> > > Tibor Karaszi, SQL Server MVP
> > > http://www.karaszi.com/sqlserver/default.asp
> > > http://www.solidqualitylearning.com/
> > >
> > >
> > > "Bob Castleman" <nomail@here> wrote in message
> > news:OerfYZuiEHA.1376@TK2MSFTNGP11.phx.gbl...
> > > > Are there any compelling reasons to use one over the other?
> > > >
> > > > Thanks,
> > > >
> > > > Bob Castleman
> > > > SuccessWare SoftWare
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: NT vs SQ Server Authentication
    ... > From reading BOL, the primary differences are all related to the security ... This is all lost when using SQL Server authentication. ... > by using hardcoded passwords, there is no chance that a user will screw up ...
    (microsoft.public.sqlserver.server)
  • Re: SQL 2005 - Windows integrated authentication
    ... In the BOL, type 'authentication, overview' and get lots of info ... The authentication is going to be Windows integrated. ... connect to the database with user's windows security context. ... authentication happen at SQL Server end? ...
    (microsoft.public.sqlserver.security)
  • Re: Windows Authentication in asp.net 2005 to SQL Server?
    ... If the domains do not trust each other, Windows authentication is not going ... Basic authentication sometimes makes the need for Kerberos delegation go ... generic account to do the backend data stuff on our SQL Server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: I dont want to re-invent the Login/Login Wheel - Help with utilities
    ... Yes, if you use .NET1.1, there isn't built-in login control, and more importanltly there isn't ready-to-use membership component to use. ... the membership provider uses SQL Server or SQL Server Express. ... We feel that having the capability to force password change would be a better benefit in securing our application and data access. ... Both Windows authentication and authorization wolud be be fine if we wanted the world to have access to our application data, but not very intuitive for maintaining integrity over our data. ...
    (microsoft.public.vstudio.general)
  • RE: IIS (ASP) -> SQLServer Authentication Issue
    ... I understand that you'd like to use IIS Intergration authentication in the ... and ASP "impersonates" authencitaed users to access SQL Server on ... only kerberos authentication allows double-hops from clients ...
    (microsoft.public.sqlserver.security)