Re: Utter madness!
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/14/04
- Next message: Raterus: "Re: Utter madness!"
- Previous message: Joe Kaplan (MVP - ADSI): "Re: Access File Share from ASP.NET using Unmanaged Code"
- In reply to: Paul Mason: "Utter madness!"
- Next in thread: Paul Mason: "Re: Utter madness!"
- Reply: Paul Mason: "Re: Utter madness!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 14 Jul 2004 09:30:43 -0500
Lots of people run SQL on other boxes. There is no reason why you can't do
this. However, certain authentication scenarios are harder in that setup.

The issue of passing Windows credentials to SQL Server can get tricky if it
is on a different box on the network. If it is your expectation that you
will log on to SQL using the web logged-on user's credentials and you are using
Windows Integrated Authentication, then you will need to learn some stuff
about Kerberos delegation to make this work. This is discussed ad nauseam
in this group and you will find many pointers here with a Google search.

However, there are many reasons why you would not want to use the user's
credentials to connect to SQL but instead would want to use some kind of
service account. One of the primary reasons is that you'll get better
scalability if you use one set of credentials as you can use connection
pooling. Another reason is that you can avoid the whole Kerberos delegation
thing that way. To do the service account approach, you have three typical
approaches: change the process account for ASP.NET to a domain account,
impersonate a specific domain account, or put your data access code in a COM+
component and configure it to use a specific domain identity via COM+. All
have good points and bad points.

Joe K.
"Paul Mason" <masonp@cancer.bham.ac.uk> wrote in message
news:eNB9QkaaEHA.3512@TK2MSFTNGP12.phx.gbl...
>
> I think I've been getting my groups mixed up.
>
> I've been trying to get my intranet system to authenticate to SQL Server
> (2K) using a trusted connection for some time and have had to wait until we
> upgraded to Active Directory for Kerberos to start working (I'm not 100%
> sure it's Kerberos so bear with me).
>
> Now I've hit the final brick wall which means this isn't ever gonna happen
> in the current setup. It finally twigged (dropped like a tonne of lead more
> like) when I read in the help:
>
> "If your application runs on a Windows-based intranet, you might be able to
> use Windows integrated security for database access. Integrated security
> requires:
>   - That SQL Server be running on the same computer as IIS...... "
>
> I can't believe that someone from MS actually wrote this. Are they
> mad?...IIS and SQL Server on the same machine....hacker's paradise! Apart
> from being plain dangerous, it's bad networking practice, bad programming
> practice...it's just bad.
>
> Does anyone know if they are actually going to write something useful...or
> are we stuck with forms authentication forever!?! Not that I'm complaining.
>
> Cheers...P
>
>
>
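
Added example, not part of either message above: two web.config sketches that contrast connecting to a remote SQL Server as the logged-on web user with the "impersonate a specific domain account" approach from the reply. The server name SQLBOX01, database AppDb, the ConnStr key and the account EXAMPLE\svc_intranet are placeholders assumed for illustration.

```xml
<!-- Added example (not from the original thread). SQLBOX01, AppDb, ConnStr
     and EXAMPLE\svc_intranet are placeholders. The two <configuration>
     elements are alternatives; a real web.config contains only one. -->

<!-- Option A: each request runs as the browser user.
     With SQL Server on another box, the trusted connection only carries the
     user's identity if Kerberos delegation is configured. ADO.NET also keeps
     a separate connection pool per Windows identity, so pooling helps little. -->
<configuration>
  <appSettings>
    <add key="ConnStr"
         value="Server=SQLBOX01;Database=AppDb;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>

<!-- Option B: users still authenticate to IIS with Windows Integrated
     Authentication, but every request impersonates one fixed domain account.
     SQL Server sees a single login, so there is no delegation hop and all
     requests share one connection pool. -->
<configuration>
  <appSettings>
    <!-- Same connection string: still a trusted connection, no SQL password. -->
    <add key="ConnStr"
         value="Server=SQLBOX01;Database=AppDb;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <!-- The password value is a placeholder. This file now holds a domain
         credential: restrict its ACL, and give the account only the database
         permissions the application needs. -->
    <identity impersonate="true"
              userName="EXAMPLE\svc_intranet"
              password="PLACEHOLDER" />
  </system.web>
</configuration>
```

With Option B, SQL Server can no longer tell users apart by login, so any per-user authorization or auditing has to be enforced in the application using the identity IIS authenticated.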