Re: ASP.NET, Win2k, SQL 2k on an intranet (w/Kerberos?)

From: Mike Lerch (mlerchNOSPAMTHANKS_at_nycap.rr.com)
Date: 05/22/03


Date: Thu, 22 May 2003 15:02:29 -0400


>Impersonation has a big drawback, and this is, that you lose connection
>pooling on SQL server.

That is an excellent point. A pretty big deal, too.

>I would in your case, leave windows authentication,
>but avoid impersonation. This way your application would act on behalf of
>ASPNET account. Grant ASPNET account logon rights to SQL server and limit it
>just to one database. Next, for security purposes, program all DB access
>through stored procedures and give ASPNET account just execute permission on
>stored procedures. In this way you would get security, because what ASPNET
>account does is limited to stored procedures and secondly you get
>performance, because SP's are faster.

That's pretty much what's advocated at the top of that Intranet
Security document. Later on they do talk about Kerberos (I was
mistaken when I implied that that document didn't talk about that
technique) in a section called "Flowing the Original Caller to the
Database."

The thing I don't like about making the ASPNET account just have
execute permission instead of the users is that some of the pages are
going to require the users to enter data that will be stored in the
database. Other pages will report on information from a very large
pool of data, but filter it according to the user's identity (i.e. an
Eastern Sales Manager will see his stuff, a Western Sales Manager will
see her stuff).

Maybe I could combine those: have IIS validate the user using Windows
Authentication, have the ASP.NET process account hit the database, and
use IPrincipal to pass the user's name as a parameter to the database
instead of impersonation. Hmm.

Lerch
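The combined design sketched in this reply (Windows authentication at IIS, the ASP.NET process account as the only SQL login, execute-only access through stored procedures, and the caller's name passed in as a parameter), written out as an added T-SQL example for SQL Server 2000. It is not code from the thread or from the Intranet Security document. The database name [Sales], the table dbo.SalesFigures, the login MACHINE\ASPNET, the database user aspnet_user, the procedure names and the sample rows are all assumptions constructed for the example.

```sql
-- Added example, not from the original post. All object names and the
-- sample rows below are constructed for illustration.
USE [Sales];
GO

-- One wide table; every row is tagged with the Windows account that owns it.
CREATE TABLE dbo.SalesFigures (
    Id        INT IDENTITY(1,1) PRIMARY KEY,
    OwnerName NVARCHAR(128) NOT NULL,   -- e.g. DOMAIN\east_mgr, as IIS authenticated it
    Region    NVARCHAR(32)  NOT NULL,
    Amount    MONEY         NOT NULL
);
GO

-- Constructed sample data: two managers, each with their own rows.
INSERT INTO dbo.SalesFigures (OwnerName, Region, Amount) VALUES ('DOMAIN\east_mgr', 'East', 1200.00);
INSERT INTO dbo.SalesFigures (OwnerName, Region, Amount) VALUES ('DOMAIN\east_mgr', 'East',  850.00);
INSERT INTO dbo.SalesFigures (OwnerName, Region, Amount) VALUES ('DOMAIN\west_mgr', 'West', 2100.00);
GO

-- Report procedure: the page passes User.Identity.Name and the procedure
-- filters on it, so the caller only ever sees his or her own rows.
CREATE PROCEDURE dbo.usp_GetMySales
    @CallerName NVARCHAR(128)
AS
    SET NOCOUNT ON;
    SELECT Id, Region, Amount
    FROM dbo.SalesFigures
    WHERE OwnerName = @CallerName;
GO

-- Data-entry procedure: the caller supplies the values, the procedure decides
-- which row gets written and stamps it with the caller's name itself.
CREATE PROCEDURE dbo.usp_AddMySale
    @CallerName NVARCHAR(128),
    @Region     NVARCHAR(32),
    @Amount     MONEY
AS
    SET NOCOUNT ON;
    IF @Amount <= 0
    BEGIN
        RAISERROR('Amount must be positive', 16, 1);
        RETURN 1;
    END
    INSERT INTO dbo.SalesFigures (OwnerName, Region, Amount)
    VALUES (@CallerName, @Region, @Amount);
    RETURN 0;
GO

-- The ASP.NET process account gets a server login and a user in this one
-- database only (SQL 2000 procedures; CREATE LOGIN/CREATE USER are 2005+).
EXEC sp_grantlogin 'MACHINE\ASPNET';
EXEC sp_grantdbaccess 'MACHINE\ASPNET', 'aspnet_user';
GO

-- Execute rights on the procedures and nothing on the base table.  Because the
-- table and the procedures share an owner (dbo), ownership chaining means the
-- table permissions are never checked inside the procedures, so the DENY does
-- not break them; it only blocks ad-hoc SELECTs if the account is ever misused.
GRANT EXECUTE ON dbo.usp_GetMySales TO aspnet_user;
GRANT EXECUTE ON dbo.usp_AddMySale  TO aspnet_user;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.SalesFigures TO aspnet_user;
GO

-- What the web tier ends up executing for an authenticated East manager:
EXEC dbo.usp_GetMySales @CallerName = 'DOMAIN\east_mgr';   -- two rows
EXEC dbo.usp_AddMySale  @CallerName = 'DOMAIN\west_mgr', @Region = 'West', @Amount = 300.00;
```

On the web side the page would read the name from HttpContext.Current.User.Identity.Name and bind it to the @CallerName SqlParameter rather than concatenating it into the command text. The caveat to keep in mind with this approach is the one the post itself gets at: SQL Server never authenticates the end user here, it trusts whatever name the ASPNET account hands it, so the filtering is only as good as the web tier's own authentication and code. With impersonation or Kerberos delegation the database sees the real caller and can enforce permissions itself, at the cost of the per-user connection pooling the quoted reply warns about.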


