Integrated security - why not?

From: TimmyG (tim_at_pracctice.com)
Date: 05/28/03
Date: 28 May 2003 03:56:16 -0700

Hello all,

Firstly I apologise for the length of this posting, but it is an
ongoing issue that I could really do with some help on. Obliged.

For some time now I have been using integrated security at all levels
of an n-tiered ASP.NET application, i.e. IIS, the ASP.NET app and SQL
Server. The application itself hooks up to multiple databases
depending on the identity and membership of the user. As you can
probably imagine, the SQL databases are locked down via group
membership (i.e. one user can gain access to the relevant databases
based on group membership but obviously not the others).

IIS will only allow access to valid accounts, and the ASP.NET
application allows access to all the relevant groups and impersonates
the client token.

This system is working very well and, without going into too much
detail, allows me to do many things that mapping all users to one
account at IIS level simply won't allow (proper security on multiple
databases for one).

My problem, however, is this: I have been working in an intranet
environment with domain groups and accounts and hence my system works
fine. I have also tried this method out using machine accounts on a
testing server with no problems at all. In fact I am happily able to
mix machine accounts and domain accounts.

However, the situation has now arisen whereby this system needs to run
in an internet environment. We have a totally dedicated server at an
ISP just waiting for this system. The problem, however, is that our
engineers and network gurus tell me that I simply can't do what I want
to do; apparently ISPs don't support this type of security. But what
has the ISP got to do with it? We have a dedicated 2k server and can
guarantee that all clients will be IE5 or above. What is stopping me
adding the users and groups that I want to the server? It should also
be noted that this box is a domain controller (issues, I know), but I
cannot understand why we would need a domain with a standalone
dedicated server. I'm sure it is obvious to you by now that my
networking / security knowledge is not exactly great, but I know what I
am trying to achieve and have been continuously informed from many
sources that full integrated security is the way to go for maximum
protection.

It should be noted that the information stored within this system is
sensitive to the highest degree and any increases in security are an
absolute must. It should also be noted that we will have full control
over this box i.e. the users do not administer their own accounts in
terms of access at all. It will be done by us via in-house tools.

I simply cannot see why I am being told I cannot do this. In simple
terms, what is stopping me adding users and groups to the server?

If we were to go down the forms auth route then I suddenly need an
application per database to maintain security at DB level, as all users
would be mapped onto one account by IIS and would hence gain access to
all other DBs. This is no good at all and forces me to use multiple
apps to map users onto different accounts for DB access. Also,
interestingly, if I went down this route I would still have to add
groups / accounts to the machine for mapping of users from the
different applications, so what's the difference?

This has been a long-running issue that is really beginning to annoy
me, because no one seems able to tell me why I can't do this, nor can I
find any information relating to why this might be.

I have hit web sites before that provide a machine / domain logon so
why can't my application do it?

Much obliged for your time....
TimmyG.
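
The per-database lock-down by Windows group membership that the post describes, and the single-account mapping it wants to avoid, as an added T-SQL example (not the poster's code or any Microsoft sample); it assumes SQL Server 2012 or later for ALTER ROLE, and the domain, group and database names are constructed placeholders.

```sql
-- Added example: per-database access driven by Windows group membership.
-- Constructed names: domain CORP, groups FinanceUsers / HrUsers,
-- databases FinanceDb / HrDb. Assumes SQL Server 2012+ (ALTER ROLE).

-- One server-level login per Windows group. The ASP.NET app connects
-- with Integrated Security=SSPI while impersonating the caller, so the
-- caller's own token (and its group SIDs) is what SQL Server evaluates.
CREATE LOGIN [CORP\FinanceUsers] FROM WINDOWS;
CREATE LOGIN [CORP\HrUsers]      FROM WINDOWS;

-- Map each group into ONLY its own database. A login with no user in a
-- database cannot open that database, provided guest is disabled there.
USE FinanceDb;
CREATE USER [CORP\FinanceUsers] FOR LOGIN [CORP\FinanceUsers];
ALTER ROLE db_datareader ADD MEMBER [CORP\FinanceUsers];
ALTER ROLE db_datawriter ADD MEMBER [CORP\FinanceUsers];
REVOKE CONNECT FROM guest;   -- no anonymous fallback into this database

USE HrDb;
CREATE USER [CORP\HrUsers] FOR LOGIN [CORP\HrUsers];
ALTER ROLE db_datareader ADD MEMBER [CORP\HrUsers];
ALTER ROLE db_datawriter ADD MEMBER [CORP\HrUsers];
REVOKE CONNECT FROM guest;

-- Contrast: the forms-auth design the post wants to avoid. Every request
-- reaches SQL Server as one service account, so that account needs a
-- user in every database and only the application code separates users:
--   CREATE LOGIN [CORP\WebAppSvc] FROM WINDOWS;
--   USE FinanceDb; CREATE USER [CORP\WebAppSvc] FOR LOGIN [CORP\WebAppSvc];
--   USE HrDb;      CREATE USER [CORP\WebAppSvc] FOR LOGIN [CORP\WebAppSvc];

-- Check, run over the application's own connection: which identity SQL
-- Server sees and which databases that identity can actually reach.
SELECT SUSER_SNAME()           AS caller,
       HAS_DBACCESS('FinanceDb') AS finance,   -- 1 for FinanceUsers, else 0
       HAS_DBACCESS('HrDb')      AS hr;        -- 1 for HrUsers, else 0

-- Audit the mapping inside the current database (G = Windows group,
-- U = Windows user); any unexpected CORP\ principal here is a finding.
SELECT name AS db_principal, type
  FROM sys.database_principals
 WHERE type IN ('G', 'U') AND name LIKE 'CORP\%';
```

If the check over the impersonated connection reports SUSER_SNAME() as the application pool or IIS account rather than the end user, impersonation is not in effect and the group-based grants above are never consulted.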