Re: Windows Authentication to SQL Server?

Yes, both Windows authentication.

In delegation, authentication to SQL Server is done as the user authenticated by the front end application (typically a web app using integrated auth), allowing you to implement very granular security on individual Windows users in SQL itself.

Trusted sub system is basically the practice of accessing SQL as a fixed service account. In SQL, this can be done with either Windows security or SQL security but the article is discussing Windows security. Trusted sub system is typically easier to configure (delegation can be quite tricky) and may perform better in some use cases but forces all authorization logic to be implemented at the front tier. This is sometimes a good thing and sometimes a bad thing, depending on how you want to use SQL.

It is also fair to say that delegation and trusted sub system are architectural styles for implementing authentication and authorization in distributed applications and the principles can be applied without using Windows security as long as other protocols that support these principles exist. Trusted sub system is typically easy to set up while delegation tends to be much harder to implement effectively without Windows security. Technology enabled by protocols like WS-Trust/WS-Federation and Geneva server will begin to change all that, at least for applications and services that can implement those protocols instead of only Kerberos/negotiate auth in Windows. Alas, as far as I know SQL is not there yet.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"7777" <NoSpam@xxxxxxxxxx> wrote in message news:%23uJ9EZZMKHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
Hello, a little foggy on this but are both methods of Impersonation / Delegation vs. Trusted Subsystem from the following link of are both Windows based authentication to SQL Server? Kind of had the impression that Impersonation was more like a bunch of basic usernames/passwords stored in a user db table that all shared 1 Windows authentication account? Ultimately we'd like to go with individual Windows Authentication accounts for all the users for high granular auditing/security in still utilizing Windows security and wasn't quite sure if the Impersonation/Delegation is able to do this. Thanks in advance.
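
Added example (not part of the thread and not code from either poster): T-SQL showing how delegation and trusted sub system differ from inside SQL Server, for per-user permissions and for auditing. The domain, database, table and account names (CONTOSO, SalesDb, dbo.Orders, alice, bob, svc-webapp) are hypothetical.

```sql
-- Hypothetical names throughout: CONTOSO, SalesDb, dbo.Orders, alice, bob, svc-webapp.

-- Delegation: every end user is a Windows login, so SQL Server itself
-- enforces who may do what.
CREATE LOGIN [CONTOSO\alice] FROM WINDOWS;
CREATE LOGIN [CONTOSO\bob]   FROM WINDOWS;
GO
USE SalesDb;
GO
CREATE USER [CONTOSO\alice] FOR LOGIN [CONTOSO\alice];
CREATE USER [CONTOSO\bob]   FOR LOGIN [CONTOSO\bob];
GRANT SELECT, UPDATE ON dbo.Orders TO [CONTOSO\alice];
GRANT SELECT         ON dbo.Orders TO [CONTOSO\bob];
GO

-- Trusted sub system: one fixed service account holds all the access.
-- Which end user may read or update is decided in the front tier.
CREATE LOGIN [CONTOSO\svc-webapp] FROM WINDOWS;
GO
CREATE USER [CONTOSO\svc-webapp] FOR LOGIN [CONTOSO\svc-webapp];
GRANT SELECT, UPDATE ON dbo.Orders TO [CONTOSO\svc-webapp];
GO

-- Auditing: the default records the login SQL Server authenticated.
-- Under delegation that is CONTOSO\alice or CONTOSO\bob; under trusted
-- sub system it is CONTOSO\svc-webapp on every row, so the end user's
-- name has to be passed in and logged by the application instead.
CREATE TABLE dbo.OrderAudit (
    audit_id   int IDENTITY(1,1) PRIMARY KEY,
    order_id   int      NOT NULL,
    changed_at datetime NOT NULL DEFAULT GETUTCDATE(),
    changed_by sysname  NOT NULL DEFAULT ORIGINAL_LOGIN()
);
GO

-- Check to run over the application's own connection: which identity
-- reached SQL Server, and over which protocol. When the web server and
-- SQL Server are separate machines, delegation needs Kerberos; an
-- auth_scheme of NTLM means the user's identity cannot be forwarded.
SELECT ORIGINAL_LOGIN() AS login_seen_by_sql,
       c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```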