Re: Forms or windows authentication with active directory?

From: Joe Kaplan (MVP - ADSI)
Date: 02/06/04

Date: Thu, 5 Feb 2004 23:50:47 -0600

You could call the LogonUser API with the username and password you get from
the forms authentication in order to get a token that you can use to create
a WindowsIdentity that you can impersonate with in code. An advantage to
this is that you don't need delegation to hop to the SQL server as you get a
primary token from calling LogonUser. There is a nice sample in MSDN in the
docs on WindowsImpersonationContext.

The downside is that if you are running IIS on Win2K, you need SYSTEM level
privileges to call LogonUser, so that compromises your security. This
restriction is lifted in Win2K3.

You get much better integration with Windows auth right out of the box
though. Perhaps you could convince the users to be more careful about
locking their workstations when they leave and not letting other people
access resources on their behalf?

Another option would be to access SQL with a domain account based on your
processModel or app pool identity. This would only work if you are using
Windows auth to SQL just to avoid SQL auth, but don't need to access SQL as
the individual user accounts. In that case, you don't need impersonation,
and you could do Forms auth. with an Active Directory bind.


Joe K.

"jp" <> wrote in message
> Hi, I'm having a hard time deciding (figuring out) how to implement
> security in my application.
> Requirements:
> - Use active directory as database of users to authenticate against
> - Have a login screen
> - IIS and SQL Server Database are on different servers (delegation and
> kerberos needed) to make trustedconnection=yes in connection string
> work (no username and password in connection string).
> If I use Windows Authentication in IIS and web.config, everything
> works fine, except there is no login screen, so someone can access an
> internal application by sitting at someone else's computer, if they
> are already logged in.
> If I use Forms Authentication in .NET and anonymous authentication in
> IIS (using a user from the domain) and impersonate=true (so the
> anonymous user can access active directory for authentication), the
> user being impersonated is used to access the SQL Server when I need
> the authenticated user to be the one to access SQL Server.
> The only way I can figure the second situation to work would be to
> have the authenticated user then assume impersonation and that seems
> like it's not a good idea.
> Any thoughts or ideas are more than welcome!
> thanks.
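The two options Joe outlines, as an added C# example that is not from this thread or from any MSDN sample: option 1 calls LogonUser from a Forms-auth login handler, wraps the token in a WindowsIdentity, impersonates, and opens a trusted SqlConnection so the remote SQL Server sees the individual user; option 2 validates the form credentials with a plain Active Directory bind and leaves the process identity alone for SQL. It assumes .NET 2.0 or later, a hypothetical dbo.Orders table and LDAP path, and uses the LOGON32_LOGON_NETWORK_CLEARTEXT logon type (my choice, so the token keeps the credentials needed to authenticate to a remote server; a plain LOGON32_LOGON_NETWORK token cannot make that hop). The Win2K SYSTEM-privilege requirement for LogonUser that Joe mentions still applies to option 1.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: Forms authentication against Active Directory, with
// (1) LogonUser + impersonation for a per-user trusted SQL connection, or
// (2) an AD bind only, when SQL can be reached as the process identity.
public static class AdFormsAuth
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // NETWORK_CLEARTEXT (8) keeps the credentials in the token so the impersonated
    // thread can authenticate to a remote SQL Server. LOGON32_LOGON_NETWORK (3)
    // is cheaper but its token cannot make that second hop.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Option 1: run a query on SQL Server as the user who filled in the login form.
    // connStr is expected to use Integrated Security=SSPI, e.g. (placeholder values)
    // "Server=SQLHOST;Database=App;Integrated Security=SSPI".
    public static int CountOrdersAsUser(string domain, string user, string password, string connStr)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Do not echo the Win32 error to the browser; log it server-side instead.
            throw new UnauthorizedAccessException("Logon failed",
                new Win32Exception(Marshal.GetLastWin32Error()));
        }

        WindowsImpersonationContext ctx = null;
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            ctx = identity.Impersonate();

            // The connection is opened on the impersonated thread, so SQL Server
            // authenticates the individual user, not the app pool / process account.
            using (SqlConnection cn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", cn))
            {
                cn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }
        finally
        {
            if (ctx != null) ctx.Undo();   // always revert, even on exception
            CloseHandle(token);            // never leak the logon token
        }
    }

    // Option 2: validate the form credentials with an AD bind only.
    // ldapPath is a placeholder such as "LDAP://DC=example,DC=local".
    public static bool ValidateWithAdBind(string ldapPath, string domainUser, string password)
    {
        // An empty password must never reach the bind: depending on the bind
        // type the directory may accept it as an anonymous bind and "succeed".
        if (password == null || password.Length == 0) return false;

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(ldapPath, domainUser, password,
                                                             AuthenticationTypes.Secure))
            {
                object native = entry.NativeObject;  // forces the bind to happen now
                return native != null;
            }
        }
        catch (COMException)
        {
            return false;  // bad credentials, locked account, or directory unreachable
        }
    }
}
```

With option 1 the impersonation is scoped to the single request that needs it and undone in a finally block, which is the part that makes "have the authenticated user assume impersonation" tolerable; with option 2 the web.config can keep impersonate=false and SQL sees only the app pool or processModel domain account, so no delegation or Kerberos setup is involved.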
