RE: Subject: Transmission of Username & Password?



OK, over in the SQL Security newsgroup there is confirmation that the
credentials are not sent to SQL Server in clear text from ASP.NET/IIS, just a
token using SSL.

So now my question is: The users of this ASP.NET Web App are authenticated
using Windows Authentication. Therefore their credentials are passed from
their desktop computer from IE to IIS.

In this case, is it true that the process uses their credentials to access
local resources and the SQL Server? Doesn't that mean one ASP.NET process
per user??

Would it make sense to impersonate a domain user by setting impersonate =
true in web.config and user/password to a special account that has access
enabled to the database and local resources? E.g. the Virtual Directory.

Another approach might be to have all the users in a Domain group that has
access to local resources and the SQL Server database.

Comments on these approaches or another that might be more elegant?

TIA,
G

"MaxGruven" wrote:

Is the Username and Password specified in the Connection String of an ASP.NET
application transmitted to SQL Server 2005 as clear text from the IIS
Server?

The reason I ask is our IT department has mandated that all
username/passwords be encrypted when sent from one server to another within
our corporate intranet in case someone is running a sniffer.

If so, what strategy might be employed in order to meet this requirement??

It seems like using Integrated Security in the connection string might work…
but how can I be sure the username/password is not sent and if so, in the
clear?

An Encrypted Connection (Encrypted=True) seems expensive and requires a
server certificate be installed on the SQL Server.

TIA,
G

Cross Posted:
microsoft.public.sqlserver.security

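Added example, not part of either post above: an ASP.NET page that reports which Windows identity the request thread carries, which login SQL Server actually saw, how that session authenticated, and whether the link is encrypted. It ties together the three choices the thread is weighing (run as the pool identity, impersonate the caller, or impersonate one fixed domain account) with an Integrated Security connection string, and it uses sys.dm_exec_connections, which exists from SQL Server 2005 on, as the check. The server name SQL01, the database AppDb, the virtual path /YourApp and the service account CORP\svc-webapp are assumed names for illustration.

```csharp
// Added example (not from the thread). Assumed names: server SQL01,
// database AppDb, virtual path /YourApp, fixed account CORP\svc-webapp.
//
// web.config choices the thread discusses (Windows authentication in all cases):
//   <authentication mode="Windows" />
//   Option A - run as the application pool identity, no impersonation:
//   <identity impersonate="false" />
//   Option B - impersonate the browser user on the request thread:
//   <identity impersonate="true" />
//   Option C - impersonate one fixed domain account; encrypt this section with
//   aspnet_regiis -pe "system.web/identity" -app "/YourApp" so the password
//   is not readable from web.config:
//   <identity impersonate="true" userName="CORP\svc-webapp" password="..." />

using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public partial class ConnCheck : Page
{
    // Integrated Security=SSPI: no SQL login or password in the string or on the wire.
    // Encrypt=true with TrustServerCertificate=false: the whole session is encrypted and
    // the server certificate must chain to a CA the web server trusts.
    private static string BuildConnectionString()
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = "SQL01",          // assumed server name
            InitialCatalog = "AppDb",      // assumed database name
            IntegratedSecurity = true,
            Encrypt = true,
            TrustServerCertificate = false
        };
        return b.ConnectionString;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity of the worker thread right now. With <identity impersonate="true"/>
        // this is the browser user (or the fixed account); otherwise the pool identity.
        string threadIdentity = WindowsIdentity.GetCurrent().Name;

        using (var conn = new SqlConnection(BuildConnectionString()))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            // SYSTEM_USER is the login SQL Server resolved for this session;
            // sys.dm_exec_connections records the auth scheme and encryption state.
            cmd.CommandText =
                "SELECT SYSTEM_USER AS login_name, c.auth_scheme, c.encrypt_option " +
                "FROM sys.dm_exec_connections AS c WHERE c.session_id = @@SPID;";
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                r.Read();
                string loginName = r.GetString(0);
                string authScheme = r.GetString(1);   // SQL, NTLM or KERBEROS
                bool encrypted = r.GetString(2) == "TRUE";

                // What to look for:
                //  - auth_scheme = SQL means a SQL login/password was used after all.
                //  - Under Option B, reaching a remote SQL Server needs KERBEROS plus
                //    delegation; an NTLM token from IE cannot hop to the second box, and
                //    the login arrives as NT AUTHORITY\ANONYMOUS LOGON and fails.
                //  - encrypt_option = FALSE means only the login packet was protected
                //    (SQL Server 2005 always encrypts that one, with a self-signed
                //    certificate if none is installed); the data stream is in the clear.
                Response.Write(string.Format(
                    "Thread identity: {0}<br/>SQL login: {1}<br/>Auth scheme: {2}<br/>Encrypted: {3}",
                    Server.HtmlEncode(threadIdentity), Server.HtmlEncode(loginName),
                    authScheme, encrypted));
            }
        }
    }
}
```

Two points this makes concrete. Impersonation is per request thread, not per process: there is still one worker process per application pool, and with impersonate="true" each request's thread carries the caller's token while it runs, which is why connection pooling fragments into one pool per Windows user. And the choice between Option B and Option C is a choice between configuring Kerberos delegation for the web server and storing a fixed account's password on the web server; if you take Option C, encrypt the identity section and give that account only the database permissions the application needs.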