Re: ASP.NET, Win2k, SQL 2k on an intranet (w/Kerberos?)
From: Tom Kaminski [MVP] ((A_at_T))
Date: Thu, 22 May 2003 14:51:01 -0400
Ah - yes pooling, I failed to mention that. Pooling is per connection, so
if each user authenticates separately they don't share a pool. Using a
single account (such as ASPNET) would allow all connections to be pooled.
"Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
> I would just add some thoughts if Tom doesn't mind:
> Impersonation has a big drawback, and this is, that you lose connection
> pooling on SQL server. I would in your case, leave windows authentication,
> but avoid impersonation. This way your application would act on behalf of
> ASPNET account. Grant ASPNET account logon rights to SQL server and limit
> just to one database. Next, for security purposes, program all DB access
> through stored procedures and give ASPNET account just execute permission
> stored procedures. In this way you would get security, because what ASPNET
> account does is limited to stored procedures and secondly you get
> performance, because SP's are faster.
> Use impersonation only if your application needs to access some COM
> using your identity in case you are checking roles through COM+.
> also adds on administration overhead as you have to control each user.
> The second approach would be to do a forms authentication and then program
> your logon to AD as explained in
> Matjaz Ladava
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> > "Mike Lerch" <mlerchNOSPAMTHANKS@nycap.rr.com> wrote in message
> > news:email@example.com...
> > > Also a more general question: are there inherent security risks in
> > > using kerberos/delegation?
> > I can't answer that - but in an intranet environment I never understood
> > the point of the extra layer of security of authenticating the users to the
> > Write your web app such that users must authenticate to IIS and only
> > access to the appropriate DB functionality. Just give your devs and
> > access to the database, plus a dummy "service" type account to be used
> > the web app connection string. This is much easier to manage.
> > --
> > Tom Kaminski IIS MVP
> > http://www.iistoolshed.com/ - tools, scripts, and utilities for running
> > http://mvp.support.microsoft.com/
> > http://www.microsoft.com/windowsserver2003/community/centers/iis/
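The setup Matjaz describes (one login for the ASPNET account, access to a single database, all data access through stored procedures with EXECUTE only), written out as T-SQL for SQL Server 2000. This is an added example, not code from the thread; the server name WEBSRV, database IntranetDb, and the table and procedure names are placeholders.

```sql
-- Added example (not from the thread): least-privilege setup for the ASPNET
-- service account on SQL Server 2000.
-- Assumptions: the web server is WEBSRV, the database is IntranetDb, and
-- dbo.Employee / dbo.usp_GetEmployee are placeholder names.
USE master
GO
-- 1. Let the Windows account the worker process runs as log on (Windows
--    authentication, so no password sits in the connection string).
EXEC sp_grantlogin 'WEBSRV\ASPNET'
EXEC sp_defaultdb 'WEBSRV\ASPNET', 'IntranetDb'
GO
USE IntranetDb
GO
-- 2. Map the login to a user in this one database only. No other database
--    gets a user for it, so the account cannot reach them.
EXEC sp_grantdbaccess 'WEBSRV\ASPNET', 'aspnet_web'
GO
-- 3. All data access goes through stored procedures. The account gets
--    EXECUTE on the procedures and nothing on the underlying tables.
--    Because procedure and table are both owned by dbo, ownership chaining
--    means table permissions are not checked when the procedure runs.
CREATE PROCEDURE dbo.usp_GetEmployee @EmployeeId int
AS
    SET NOCOUNT ON
    SELECT EmployeeId, LastName, FirstName
    FROM dbo.Employee
    WHERE EmployeeId = @EmployeeId
GO
GRANT EXECUTE ON dbo.usp_GetEmployee TO aspnet_web
-- An explicit DENY on the table records the intent and blocks ad-hoc
-- queries even if the account is later added to a role that grants SELECT.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Employee TO aspnet_web
GO
-- 4. Check what the account can actually do in this database.
EXEC sp_helprotect NULL, 'aspnet_web'
GO
```

The web application then connects with `Integrated Security=SSPI` and no `<identity impersonate="true"/>` in web.config, so every request uses the same ASPNET credentials and shares one connection pool, which is the pooling point Tom makes above.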