Re: Windows Authentication to SQL Server?



Yes, both Windows authentication.

In delegation, authentication to SQL server is done as the user authenticated by the front end application (typically a web app using integrated auth), allowing you to implement very granular security on individual Windows users in SQL itself.

Trusted sub system is basically the practice of accessing SQL as a fixed service account. In SQL, this can be done with either Windows security or SQL security, but the article is discussing Windows security. Trusted sub system is typically easier to configure (delegation can be quite tricky) and may perform better in some use cases, but forces all authorization logic to be implemented at the front tier. This is sometimes a good thing and sometimes a bad thing, depending on how you want to use SQL.

It is also fair to say that delegation and trusted sub system are architectural styles for implementing authentication and authorization in distributed applications, and the principles can be applied without using Windows security as long as other protocols that support these principles exist. Trusted sub system is typically easy to set up, while delegation tends to be much harder to implement effectively without Windows security. Technology enabled by protocols like WS-Trust/WS-Federation and Geneva server will begin to change all that, at least for applications and services that can implement those protocols instead of only Kerberos/negotiate auth in Windows. Alas, as far as I know SQL is not there yet.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"7777" <NoSpam@xxxxxxxxxx> wrote in message news:%23uJ9EZZMKHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
Hello, a little foggy on this, but are both methods, Impersonation / Delegation vs. Trusted Subsystem, from the following link, http://msdn.microsoft.com/en-us/library/ms998292.aspx, Windows-based authentication to SQL Server? Kind of had the impression that Impersonation was more like a bunch of basic usernames/passwords stored in a user db table that all shared 1 Windows authentication account? Ultimately we'd like to go with individual Windows Authentication accounts for all the users for highly granular auditing/security while still utilizing Windows security, and wasn't quite sure if the Impersonation/Delegation is able to do this. Thanks in advance.
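
The difference between the two models as SQL Server sees it, shown as an added T-SQL example that is not part of either poster's message. The domain CONTOSO, the accounts alice, bob and svc-web, the database SalesDb and the table dbo.Orders are all constructed names.

```sql
-- Constructed names throughout: CONTOSO, alice, bob, svc-web, SalesDb, dbo.Orders.
USE SalesDb;
GO

CREATE TABLE dbo.Orders (
    OrderId   int IDENTITY PRIMARY KEY,
    Amount    money   NOT NULL,
    -- Stamps each row with the login SQL Server authenticated for the session.
    CreatedBy sysname NOT NULL DEFAULT SUSER_SNAME()
);
GO

-- Delegation: every end user is a Windows principal that SQL Server knows,
-- so authorization and audit data can be per user inside the database.
CREATE LOGIN [CONTOSO\alice] FROM WINDOWS;
CREATE LOGIN [CONTOSO\bob]   FROM WINDOWS;
CREATE USER  [CONTOSO\alice] FOR LOGIN [CONTOSO\alice];
CREATE USER  [CONTOSO\bob]   FOR LOGIN [CONTOSO\bob];
GRANT SELECT, INSERT ON dbo.Orders TO [CONTOSO\alice];
GRANT SELECT         ON dbo.Orders TO [CONTOSO\bob];    -- read-only user
GO

-- Trusted subsystem: only the fixed service account is a SQL principal.
-- Per-user authorization has to be enforced by the front tier instead.
CREATE LOGIN [CONTOSO\svc-web] FROM WINDOWS;
CREATE USER  [CONTOSO\svc-web] FOR LOGIN [CONTOSO\svc-web];
GRANT SELECT, INSERT ON dbo.Orders TO [CONTOSO\svc-web];
GO

-- Run over the application's own connection to see which identity arrived:
--   delegation        -> the end user, e.g. CONTOSO\alice
--   trusted subsystem -> CONTOSO\svc-web for every request
SELECT SUSER_SNAME() AS authenticated_login;

-- The CreatedBy column shows the same split: per-user names under
-- delegation, the single service account under trusted subsystem.
SELECT CreatedBy, COUNT(*) AS rows_written
FROM dbo.Orders
GROUP BY CreatedBy;
```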