Re: Database connection

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 06/06/05


Date: Mon, 06 Jun 2005 07:44:37 -0700

Hello Filip,

another approach would be (and IMO a much better one)

1. configure your worker process identity to a custom account (via the AppPool
feature in IIS6)
2. create a "mirrored" account for the app pool account on the sql box
3. give SQL access to this account
4. don't impersonate
5. connect to SQL

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
> I have a website running on Windows 2003 Web Server edition that needs to
> connect to an MS SQL2000 database.
> The web server is NOT part of the domain, but can talk to my database via
> IP and retrieve data when using SQL server login.
> This however means there is a User ID /Password in clear text.
> I would like to use SSPI, so I did the following:
>
> 1. created local account on my Web server with known password
> 2. using aspnet_setreg I encrypted and inserted the User ID/Password into
> registry
> 3. ACL set on the registry key to Read
> 4. In Web config I set
> <identity impersonate="true"
>   userName="registry:HKLM\Software\TestApp\Identity\ASPNET_SETREG,userName"
>   password="registry:HKLM\Software\TestApp\Identity\ASPNET_SETREG,password"
> />
> User is being correctly impersonated
> 5. I gave permissions to my new user to have access to files/folders required
> by ASP.NET
> 6. Created "mirrored" local account on my database server.
> However, when I run a page that contains database connection/data
> retrieval I get the following error:
>
> "Login failed for user '(null)'. Reason: Not associated with a trusted
> SQL Server connection."
>
> obviously my User ID / Password are not being passed through.
>
> Can anybody suggest what I need to do? Obviously I don't want to have the
> User ID and Password in clear text.
> Please keep in mind Web server and Database server are NOT in the same
> domain (can't use domain logins!)
> Thanks in advance,
> Filip
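An added example, not part of the original thread, showing the two configurations side by side in .NET 1.1 web.config form: the clear-text SQL login Filip wants to get rid of, and the no-impersonation, Windows-authenticated setup Dominick describes. The server name, database name, key name and account name are placeholders; the app pool identity itself is set in the IIS 6 application pool properties, not in web.config, so it does not appear below.

```xml
<!-- BEFORE (placeholder values): the SQL login and its password sit in clear text
     in web.config, readable by anyone who can read the file. -->
<configuration>
  <appSettings>
    <add key="ConnStr"
         value="Server=SQLBOX;Database=TestDb;User ID=webuser;Password=s3cret" />
  </appSettings>
</configuration>

<!-- AFTER (placeholder values): the worker process runs as a custom local account
     chosen on the IIS 6 app pool; an account with the SAME name and SAME password
     exists on the SQL box (the "mirrored" account, which is what lets NTLM accept
     the credential across machines that share no domain); that account is granted
     a SQL login and only the database permissions it needs. web.config does NOT
     impersonate, so the SQL connection is made as the app pool identity, and the
     connection string asks for Windows authentication, so no credential is stored. -->
<configuration>
  <system.web>
    <!-- step 4 of Dominick's list: no impersonation -->
    <identity impersonate="false" />
  </system.web>
  <appSettings>
    <add key="ConnStr"
         value="Server=SQLBOX;Database=TestDb;Integrated Security=SSPI" />
  </appSettings>
</configuration>
```

With the second configuration, the name SQL Server sees on the connection is the app pool account (for example SQLBOX\WebAppPool once mirrored), so the login must be created for that name on the SQL side; a connection arriving as an account with no mapped login produces the "Not associated with a trusted SQL Server connection" error quoted above. Keep the mirrored account's password identical on both boxes, since a mismatch silently breaks the NTLM match and shows up as the same error.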


