Re: SQL Connectivity by Web App

From: ike (M)
Date: 06/22/04

    Date: Tue, 22 Jun 2004 10:42:52 +0100
    
    

    Thanks AleK,

    That certainly sounds good and reinforces what I was thinking. I think I
    will try to save the credentials in the Web.config file as AppSetting keys
    so they are not saved in each page and should be more secure.

    Cheers,

    <M>ike

    "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
    news:OB9NoC7VEHA.3596@tk2msftngp13.phx.gbl...
    > Mike,
    >
    > The most common approach to this common problem is to specify SQL
    > credentials in the connection string. The downside here is that you need to
    > protect the connection string at storage, which is a challenge, but unless
    > you have certain specific conditions, you do not have many alternatives. If
    > you want to propagate user's credentials to SQL server, you have to enable
    > delegation at the AD domain level, which is not a good idea from security
    > perspective. And what is worse, your app will not be able to use connection
    > pooling, so the scalability goes down the drain. If you want to connect to
    > SQL Server using credentials of the IIS worker process, you either need to
    > run the IIS process as a domain user or set them identically on both the SQL
    > server and Web server using a local account (with the same password). I don't
    > think that either of these options is good, because if you do this (for one,
    > any application running under your Web site will be able to connect to SQL
    > server with privileged rights). The bottom line here is that you will
    > introduce more problems than you solve. Just go with the SQL credentials in
    > the connection string. From my experience, this is what most enterprise apps
    > do.
    >
    > Alek
    >
    > "<M>ike" <mikedotdinnisatabraxas-ukdotcom> wrote in message
    > news:uO3P$j6VEHA.2840@TK2MSFTNGP11.phx.gbl...
    > > Hi,
    > >
    > > To start with, I'm not too sure if this is the right group to be posting in
    > > so please let me know if there is a more suitable one.
    > >
    > > I am trying to get my head around the mechanics behind .NET web applications
    > > accessing SQL databases located on another PC. My current scenario is that
    > > both PCs (IIS5 and SQL2000) are on the same domain but are physically
    > > different. I wish to retrieve data from the database to include in the
    > > ASP.NET application. As far as I can see I have two options when building
    > > the connection:
    > >
    > > a) pass credentials in a connection string;
    > > b) change the impersonated user to a domain account with SQL privileges.
    > >
    > > I notice that the SQL box is set to use Windows authentication. Does this
    > > make a difference?
    > >
    > > What I am looking for is links to resources discussing the matter to
    > > determine which method is best, if there are other methods and how to set up
    > > the solution.
    > >
    > > Any help would be appreciated.
    > >
    > > Regards,
    > >
    > > <M>ike
    > >
    > >
    >
    >
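
Added example, not part of the original thread and not written by either poster: a small Python audit that parses a Web.config and reports, for each connection string stored in appSettings (the placement discussed above) or in connectionStrings, whether it embeds a SQL login password in plaintext or relies on Windows authentication. The sample config, server name, key names and password are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config for illustration (not taken from the thread).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="OrdersDb" value="Server=SQLBOX;Database=Orders;User ID=webapp;Password=example-only" />
    <add key="PageSize" value="25" />
  </appSettings>
  <connectionStrings>
    <add name="ReportsDb" connectionString="Data Source=SQLBOX;Initial Catalog=Reports;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

PASSWORD_KEYS = {"password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"true", "yes", "sspi"}
SERVER_KEYS = {"server", "data source"}

def parse_connection_string(text):
    """Split 'k=v;k=v' into a dict with lower-cased keys; None if it is not one."""
    pairs = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs or None

def audit_web_config(xml_text):
    """Return (section, name, finding) for every connection string found."""
    findings = []
    root = ET.fromstring(xml_text)
    sections = (("appSettings", "key", "value"),
                ("connectionStrings", "name", "connectionString"))
    for section, name_attr, value_attr in sections:
        for node in root.findall(f"./{section}/add"):
            pairs = parse_connection_string(node.get(value_attr, ""))
            if pairs is None or not (pairs.keys() & SERVER_KEYS):
                continue  # ordinary setting, not a connection string
            if pairs.keys() & PASSWORD_KEYS:
                finding = "plaintext-sql-password"
            elif any(pairs.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS):
                finding = "windows-auth"
            else:
                finding = "no-credentials"
            findings.append((section, node.get(name_attr), finding))
    return findings
```

Moving a SQL login from individual pages into an appSettings key centralizes it, but the audit still reports it as `plaintext-sql-password`: anyone who can read the file can read the password.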

