RE: Impersonation, Delegation & SQL Server
From: Wei-Dong Xu [MSFT] (v-wdxu_at_online.microsoft.com)
Date: 11/21/03
- Previous message: Karl Levinson [x y] mvp: "Re: NTLM over the Internet"
- In reply to: Rob Edwards: "Impersonation, Delegation & SQL Server"
- Next in thread: Ken Schaefer: "Re: Impersonation, Delegation & SQL Server"
Date: Fri, 21 Nov 2003 01:52:37 GMT
Hi Rob,
Thank you for posting in MSDN managed newsgroup!
After setting the Windows integrated authentication method in IIS and specifying impersonation as true for the ASP.NET application, your ASP.NET application will run under the account which has been authenticated by IIS. For example, if you use "UserA" to log in to the ASP.NET application and succeed, your ASP.NET application will run with the security of the UserA account. Then when you access the SQL Server database, the ASP.NET application will try to use the UserA account to log in to SQL Server. If you haven't granted enough permission to this account, your access will fail.
In this way, if you only set <identity impersonate="true"> for your ASP.NET application, you should also set appropriate permissions in SQL Server for all the users of the ASP.NET application. I'd suggest you build one account group and add all the users to that group. In this way, you will only need to set one account in SQL Server for this account group. If not, you will have to set each user in SQL Server, which will be very complex for system management.
From my experience on this issue, I strongly recommend that you use the SQL Server authentication mode in SQL Server and create one account only for your ASP.NET users. Each user will access the database with the connection string. You will only need to focus on this account for the database access, which will make the system maintenance very easy. Furthermore, each logged-on user will have their own security restrictions on your IIS server for the resources and, at the same time, they can all access the database very smoothly. This will also make the deployment very simple.
In addition, the connection string in the config is clear text by default. Microsoft has released a utility for this which can encrypt credentials and session state connection strings in the config file. You can obtain it free of charge from Microsoft. With the help of this tool, you can specify a very complex password for the SQL account, for example "6sG3v2R0p2". Then you can encrypt them in the config file or store them in the registry. There is a KB article for this utility which will help you a lot in this scenario. Please go to:
329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State
http://support.microsoft.com/?id=329290
Please feel free to let me know if you have any further questions.
Does this answer your question? Thank you for using Microsoft NewsGroup!
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
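
The account-group approach described in the message above, sketched in T-SQL as an added example that is not part of the original post. The group `CONTOSO\WebAppUsers`, the database `AppDb` and the role `app_data_access` are hypothetical names, and the syntax assumes SQL Server 2012 or later.

```sql
-- Added example; CONTOSO\WebAppUsers, AppDb and app_data_access are
-- hypothetical names. Assumes the application runs with
-- <identity impersonate="true"> and a connection string that uses
-- Integrated Security=SSPI, so SQL Server sees the caller's Windows identity.

-- 1. One server login for the whole Windows group instead of one per user.
USE master;
CREATE LOGIN [CONTOSO\WebAppUsers] FROM WINDOWS;
GO

-- 2. Map the group login to a single database user in the application database.
USE AppDb;
CREATE USER [CONTOSO\WebAppUsers] FOR LOGIN [CONTOSO\WebAppUsers];
GO

-- 3. Grant permissions to a role, then add the group to the role, so the
--    permission set is defined once and stays limited to what the pages need.
CREATE ROLE app_data_access;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO app_data_access;
ALTER ROLE app_data_access ADD MEMBER [CONTOSO\WebAppUsers];
GO

-- 4. Review what the role can actually do.
SELECT pr.name AS principal,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'app_data_access';

-- 5. Review who is a member of the role.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'app_data_access';

-- 6. Run from the application's connection to confirm which identity
--    SQL Server sees for the session.
SELECT SUSER_SNAME() AS effective_login, ORIGINAL_LOGIN() AS original_login;
```

Adding or removing a user then becomes a change to the Windows group membership only; nothing in SQL Server has to be touched per user.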